Azure Arc: Hybrid and Multi-Cloud Resource Management

What is Azure Arc?

Azure Arc extends the Azure management plane to any infrastructure — on-premises data centers, edge locations, and other cloud providers. By projecting non-Azure resources into Azure Resource Manager, Arc enables organizations to apply consistent governance, security policies, and operational practices across their entire hybrid environment using familiar Azure tools.

Azure Arc-enabled Servers

Install the Connected Machine agent on any Windows or Linux server to manage it through Azure. Once enrolled, Arc-enabled servers support Azure Policy (guest configuration audits), Microsoft Defender for Cloud (vulnerability scanning), Azure Monitor (log collection and alerts), and Update Management Center — all without migrating the workload to Azure. Over 20,000 organizations use Arc-enabled servers for consistent compliance across hybrid estates.

Azure Arc-enabled Kubernetes

Connect any CNCF-conformant Kubernetes cluster — Amazon EKS, Google GKE, Rancher, OpenShift, or bare-metal K3s — to Azure. Arc extensions deploy GitOps configurations (Flux v2), Open Service Mesh, Defender sensor agents, and monitoring infrastructure automatically. Centralized governance through Azure Policy for Kubernetes ensures consistent pod security standards and namespace quotas across all clusters.

Azure Arc-enabled Data Services

Run Azure SQL Managed Instance and Azure Database for PostgreSQL on any Kubernetes cluster. These Arc-enabled data services deliver the same managed experience as their Azure counterparts — automated patching, point-in-time restore, elastic scaling — while keeping data resident in your chosen location for sovereignty and latency requirements. Billing flows through your Azure subscription with pay-as-you-go or reserved capacity options.

Governance and Security

Azure Policy at Scale

Assign Azure Policy definitions to Arc-enabled resources just as you would to native Azure resources. Guest configuration policies audit operating system settings (password complexity, TLS versions, installed software), while Kubernetes policies enforce pod security standards, image registries, and resource limits.

Microsoft Defender Integration

Defender for Cloud provides unified security posture management across Arc-enrolled servers and Kubernetes clusters. Vulnerability assessments, adaptive application controls, and just-in-time VM access extend seamlessly to on-premises workloads.

Real-World Use Cases

  • Regulated industries: Banks and healthcare providers use Arc to apply Azure governance and compliance tools to on-premises SQL databases that cannot move to the cloud due to data residency laws.
  • Retail edge: Arc manages Kubernetes clusters at thousands of store locations, deploying application updates via GitOps without manual intervention.
  • Multi-cloud strategy: Organizations running workloads on AWS and GCP project those resources into Azure Arc for a single management plane across all clouds.

FAQ

Does Azure Arc require moving data to Azure?

No. Data stays wherever your workloads run. Arc only projects metadata into Azure for management — the actual compute and storage remain in your environment.

Is there a cost for Azure Arc itself?

The Arc control plane for servers and Kubernetes is free. You pay for Azure services consumed through Arc — Defender, Monitor, Policy guest configuration audits, and Arc-enabled data services.

Key Features and Capabilities

The following core capabilities make Azure Arc essential for modern cloud infrastructure:

Arc-Enabled Servers

Extend Azure management to on-premises and multi-cloud VMs with Azure Policy, Update Manager, Defender for Cloud, and Azure Monitor, all from the Azure portal.

Arc-Enabled Kubernetes

Connect any conformant Kubernetes cluster (EKS, GKE, on-prem) to Azure for GitOps deployment, policy enforcement, and Azure service extensions.

Arc Data Services

Run Azure SQL Managed Instance and PostgreSQL Hyperscale on any infrastructure with Azure billing, elastic scaling, and automated patching.

Arc-Enabled App Services

Deploy Azure App Service, Functions, Logic Apps, and Event Grid to Arc-enabled Kubernetes clusters in your own datacenters or edge locations.

Azure Stack HCI Integration

Run Azure virtual machines on-premises with Arc management, creating genuine hybrid infrastructure with consistent Azure VM lifecycle management.

Real-World Use Cases

Organizations across industries use Azure Arc in production environments:

Multi-Cloud Governance

A company manages 500 AWS EC2 instances and 200 on-premises VMs through Azure Arc, applying consistent security policies and monitoring from a single portal.

Edge Computing

A retail chain deploys Arc-enabled Kubernetes at 200 store locations, running point-of-sale and inventory services with GitOps managed centrally from Azure.

Sovereign Data Processing

A government agency runs Arc SQL Managed Instance in its classified datacenters with Azure portal management, maintaining data within sovereign boundaries.

Hybrid Database

A manufacturer runs PostgreSQL Hyperscale on-premises for latency-sensitive factory systems with Azure-based management, backup, and disaster recovery.

Best Practices and Recommendations

Based on enterprise deployments and production experience, these recommendations will help you maximize value:

  • Install Azure Connected Machine agent on all non-Azure servers first — it takes 5 minutes per server and immediately enables Azure Policy and Defender scanning
  • Use Azure Policy with Arc for consistent governance: enforce tagging, require Defender for Cloud, mandate specific configurations across all environments
  • Deploy GitOps (Flux) configurations to Arc-enabled Kubernetes clusters for declarative, auditable app deployment without direct cluster access
  • Enable Microsoft Defender for Cloud on all Arc-enabled resources — hybrid security posture management identifies and remediates vulnerabilities consistently
  • Use Azure Automanage with Arc for automated OS patching, backup, monitoring, and DSC configuration of non-Azure Windows and Linux servers
  • Plan network connectivity: Arc requires outbound HTTPS (443) to specific Azure endpoints — configure proxy settings for restricted environments

Frequently Asked Questions

Does Azure Arc require internet connectivity?

Arc agents require periodic outbound HTTPS connectivity to Azure endpoints for management, policy, and telemetry. Fully disconnected scenarios are supported through Azure Arc with periodic sync mode. For restricted networks, configure proxy settings and firewall rules for required endpoints.
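An added example, not from the original page or from Microsoft: a Python check of a proxy allowlist against the outbound HTTPS endpoints the agent needs, covering both the network-planning recommendation above and this answer. The endpoint list is an assumed subset of Microsoft's documented requirements, and the wildcard-width threshold and the sample allowlist are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Assumption: a subset of the hostnames Microsoft documents for the Connected
# Machine agent. Confirm the full, current list for your region and cloud.
REQUIRED_ENDPOINTS = {
    "login.microsoftonline.com": "Microsoft Entra ID sign-in",
    "management.azure.com": "Azure Resource Manager",
    "*.his.arc.azure.com": "hybrid identity and metadata service",
    "*.guestconfiguration.azure.com": "guest configuration and extensions",
}
MIN_WILDCARD_LABELS = 3  # hypothetical threshold: "*.azure.com" is too wide


def covers(rule, endpoint):
    """True if an allowlist rule admits every host the required endpoint names."""
    rule, endpoint = rule.lower(), endpoint.lower()
    if rule in ("*", endpoint):
        return True
    if endpoint.startswith("*."):
        # A wildcard requirement needs a wildcard rule over the same or a wider suffix.
        return rule.startswith("*.") and endpoint[1:].endswith(rule[1:])
    return fnmatchcase(endpoint, rule)


def too_broad(rule):
    """Flag wildcard rules that open far more egress than the agent needs."""
    if rule == "*":
        return True
    return rule.startswith("*.") and len(rule[2:].split(".")) < MIN_WILDCARD_LABELS


def audit_allowlist(rules):
    """Report required endpoints still blocked and rules that are over-broad."""
    blocked = sorted(ep for ep in REQUIRED_ENDPOINTS
                     if not any(covers(r, ep) for r in rules))
    return {"blocked": blocked, "too_broad": sorted(r for r in rules if too_broad(r))}


# Constructed sample: proxy allowlist for outbound TCP 443 from a server subnet.
SAMPLE_ALLOWLIST = [
    "login.microsoftonline.com",
    "management.azure.com",
    "*.guestconfiguration.azure.com",
    "*.windows.net",  # over-broad: admits every host under windows.net
]

if __name__ == "__main__":
    print(audit_allowlist(SAMPLE_ALLOWLIST))
```

On the sample, the hybrid identity endpoint is reported as blocked and `*.windows.net` as over-broad, the two findings to resolve before onboarding servers behind that proxy.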

How much does Azure Arc cost?

Arc control plane management is free — connecting servers, Kubernetes clusters, and applying Azure Policy costs nothing. You pay for Azure services consumed: Defender for Cloud ($15/server/month), Azure Monitor logs ($2.76/GB), and Arc Data Services (per-vCore pricing equivalent to Azure). Server management with Azure Policy is completely free.

Can I use Azure Arc with air-gapped environments?

Yes, through Azure Arc disconnected mode. The Arc agent operates independently between connectivity windows, applying cached policies and queuing telemetry. For fully air-gapped scenarios, Azure Stack HCI with Arc provides the most comprehensive on-premises Azure experience.
