Securely Manage my On-prem Server Using Cloud services.

Hello folks,

Lately, I had to replace my home network's edge devicefirewall with one that would allow me to connect to my Azure cloud environment using a site-to-site VPN. I set up an Azure Bastion host to enable remote access to all my servers (Azure Virtual machines and on-prem servers). And set up an end-to-end name resolution structure for on-prem and in-cloud resources.


Now I want to configure the underlying service that will allow me to securely manage all my servers using some cloud services. Namely Azure Arc. I've said before that Azure Arc is a wonderful way of enabling a multitude of cloud services.  And since I already have the site-to-site VPN up and running, I want to ensure that all traffic from my on-prem server ONLY connects to my azure services using that secured connection.

I decided to leverage Azure Private links, It's a service that enables you to access Azure PaaS Services (for example, Azure and ) and Azure hosted services over a private endpoint in your own virtual network. And eliminating the need to route traffic over the internet.

Some of the advantages of using that solution are:

  • Connect privately to Azure Arc without opening public network access.
  • Ensure data from the Azure Arc-enabled machine or server is only accessed through authorized private networks. This also includes data from VM extensions installed on the server that provide post-deployment management and monitoring support.
  • Prevent data exfiltration (data exfiltration is the theft or unauthorized removal/movement of any data from a device) from your private networks by defining specific Azure Arc-enabled servers and other Azure services resources, such as , that connect through your private endpoint.
  • Keep all traffic inside the Microsoft Azure backbone network.


The way this works is Azure Arc Private Link Scope connects private endpoints (and the virtual networks they're contained in) to an Azure resource, in this case, Azure Arc-enabled servers.  Therefore any one of the Azure Arc-enabled servers supported extensions (Windows extensions, Linux Extensions) will use the VPNExpressRoute to connect to the service without going through the internet.


There are a few things I need to ensure before I get started.

  1. Do I have a VPN or ExpressRoute? à CheckPierreRoman_1-1659560504366.png
  2. I created a Resource Group to hold my on-prem servers.
  3. Ensure that whatever firewalls and network security groups you have in your environment are configured to allow outbound 443 (HTTPS) access to and Azure (In case you are wondering this JSON file contains all the public IP address ranges used by and Azure and is updated monthly to reflect any changes.)

Private Link Scope

Now that the pre-requisites are taken care of, I can proceed with creating the Private Link Scope.


Azure Arc resources can only connect to private link scopes in the same region. If you have Azure Arc resources in multiple regions, you will need to create an Azure Arc Private link scope for each region. In my case, I am only in East US but that may change…

During the deployment of the Azure Arc Private Link Scope, I ensure to leave the “Allow public network access” UNCHECKED to force my resources associated with this private link scope to connect to the service using the private endpoint, NOT the public endpoint.


Also, when creating the private endpoint for this scope, I ensured to create private DNS zones for the endpoint.  I created them in my hub network as part of my hub & spoke design.


Once this was created, I added the private Zones to my private resolver ruleset so that the name resolution would follow the same rules as in my last post.  Therefore when looking for any of the URLs that the Arc Agent will be trying to connect to, it will resolve as internal.


As opposed to the public endpoints that it would normally try to connect to.


If you do not have a hybrid name resolution setup you may have to manually configure your DNS server.

Once the private scope, and private endpoint are created, and your DNS has been configured you can now Arc enable your local servers pretty much in the same way you normally do, except that in the portal form, you will need to select “Private endpoint” in the “Connectivity method” section.


That's it! I can now Arc enable my servers on-prem securely by leveraging my VPN or ExpressRoute link


If you have a hybrid environment….   Check out the links in this article.  And please leave feedback in the comments below.

Let me know if there are scenarios for hybrid management that you have questions about.  It really helps make the blog better and more relevant to you.

And, really…  that's why we do it.




This article was originally published by Microsoft's PowerShell Community. You can find the original article here.