Generally Available: Azure Arc-enabled servers support for private endpoints
The Azure Arc team is excited to announce that Azure Arc-enabled servers’ support for private endpoints is now generally available! With private endpoints, you can send traffic from the Azure Connected Machine Agent to Azure over a site-to-site VPN or Express Route circuit instead of the public internet or proxy server. This can help you reduce network exposure and improve security while still allowing you to use Azure Arc to secure, monitor and govern your servers running outside of Azure.
How does it work?
Private endpoints allow you to connect an Azure service to an Azure virtual network using private IP addresses. Servers and other resources in that virtual network can then communicate with the Azure service using the private IP address and instead of sending data over the internet.
Azure Arc uses a Private Link Scope resource to associate a private endpoint with the non-Azure servers that will use the private endpoint. You’ll also need to set up a site-to-site VPN or Express Route circuit to connect your Azure virtual network with the network where your non-Azure servers are connected.
Once configured, the Connected Machine agent on your Arc-enabled servers will send all metadata updates, extension operations, and guest configuration package downloads over the private endpoint. Network traffic between extensions you’ve installed and the Azure services that support them will also route through the internet unless you’ve configured private endpoints for each of those services. Additionally, the Connected Machine agent will still require access to Azure Active Directory and Azure Resource Manager over the internet.
Network architecture diagram of Azure Arc-enabled servers private endpoints
Learn more and get started
You can learn more about private endpoints for Azure Arc-enabled servers in our documentation, which covers the concepts, prerequisites, and setup instructions for new and existing servers. There is also an Azure Arc Jumpstart scenario for private endpoints where you can set up a sandbox environment in Azure to learn more about private endpoints and practice working with them without affecting any of your production infrastructure. And lastly, our Azure Arc landing zone accelerator covers network topology and connectivity best practices, as you scale from testing to production workloads
Published on:
Learn moreRelated posts
Building on Vercel’s eve + Azure Cosmos DB: An Agent That Remembers
Most “AI agent” demos forget everything the moment the process exits. That’s fine for a toy project, but useless for anythin...
Copilot Studio – Environment-level agent telemetry export to Azure Application Insights (Preview)
We are announcing the ability for administrators to export Copilot Studio agent telemetry at the environment level to Azure Application Insigh...
See our new Azure Cosmos DB Design Patterns
Design patterns are where good data modeling lives or dies. In a NoSQL database like Azure Cosmos DB, the difference between a schema that sca...
Need a different partition key in Azure Cosmos DB? Pick the right approach
Once you create a container, its partition key is fixed at creation, and you can’t change it in place. However, if your original key starts ca...
Azure SDK Release (June 2026)
Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (June 2026) ap...
Fundamentals of Azure DevOps with SQL projects
Building automated pipelines with your SQL database projects enables you to build a rich CI/CD ecosystem to ensure that your application is be...
Upcoming Change: NTLM Removal in Git (libcurl) – Impact to Azure DevOps Server Customers
Overview In September 2026, NTLM support will be removed from libcurl, which is used by Git for HTTP(S) operations. As a result, Git operation...
What’s new across Microsoft SQL in 2026 so far (SQL Server, Azure SQL, and SQL database in Fabric)
We’re halfway through 2026, and Microsoft SQL has not slowed down. Since SQLCon/FabCon in March (where we released a ton of things, and those ...