This FAQ provides information about Software-Defined Networking (SDN) enabled by Azure Arc on your Azure Local VMs. This feature is available in Azure Local 2506 or later with OS build 26100.xxxx.
Which version of Azure Local supports SDN enabled by Azure Arc?
SDN enabled by Azure Arc is available in Azure Local version 2506 or later running OS version 26100.xxxx.
Will I have downtime for my Azure Local VMs when I enable Network Controller via the PowerShell cmdlet?
Yes. When you enable Network Controller, you experience brief downtime until configuration finishes.
Because this operation is disruptive, plan a maintenance window if you're running in a production environment.
Why am I experiencing network connectivity issues for my unmanaged VMs on Azure Local after I enabled SDN enabled by Azure Arc?
You can experience network connectivity issues if you enable Network Controller and create unmanaged VMs outside Azure interfaces like Azure CLI, Azure portal, Azure PowerShell, and Azure Resource Manager APIs. To fix these issues, run all the steps under the first bullet in "VMs created outside of Windows Admin Center".
Why can't I connect to my Azure Local VMs, if I associate an NSG with the VM network interface or its logical network?
If you set up an empty NSG with no security rules on your VM's network interface or the logical network, Azure Local blocks all inbound traffic by default and allows all outbound traffic. Add specific inbound network security rules to let traffic into the VM.
Can I modify Azure Local VM resources such as VMs, virtual switches, and network interfaces directly using Network Controller APIs, Windows Admin Center, or SDN Express PowerShell scripts for my Azure Local VMs?
No. Don't do this, as it's unsupported and can cause your resources to enter bad or unrecoverable states.
Can I configure static network interfaces after the Azure Local VM is provisioned on an Azure Local instance with SDN enabled by Azure Arc?
Yes. However, if you provision multiple static NICs on an Azure Local VM, all NICs get the default gateway. Remove the default gateway from secondary NICs to prevent asymmetric networking, packet loss, and unpredictable networking.
Why am I seeing unexpected traffic drop or blocks for my Azure Local VMs?
If logical networks and VM network interfaces on your Azure Local VMs have NSGs with conflicting allow or deny rules, you can see unexpected traffic drops or blocks.
When an inbound packet arrives, Azure Local checks the logical network NSG first, then the network interface NSG. For outbound traffic, Azure Local checks the network interface NSG first, then the logical network NSG. If the first NSG has a Deny rule and the next has an Allow rule, Azure Local drops the packet.
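The evaluation order above, together with the empty-NSG defaults described earlier, can be modelled to check a pair of NSG rule sets for conflicts before you apply them. This is an added example, not Microsoft code or tooling: the `Rule` class, the function names and the sample rules are hypothetical. It assumes that lower priority numbers are evaluated first with the first match winning, and that a resource with no NSG associated passes traffic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first (assumption, as in Azure NSGs)
    direction: str  # "Inbound" or "Outbound"
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    port: str       # destination port as a string, or "*"

# Result when no rule matches, as the FAQ states for an empty NSG.
DEFAULT_ACCESS = {"Inbound": "Deny", "Outbound": "Allow"}

def nsg_decision(rules, direction, protocol, port):
    """Return (access, reason) for one NSG; None means no NSG is associated."""
    if rules is None:
        return "Allow", "no NSG associated"  # assumption: nothing to filter
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and r.port in ("*", str(port))):
            return r.access, f"rule priority {r.priority}"
    return DEFAULT_ACCESS[direction], "default (no matching rule)"

def evaluate(lnet_nsg, nic_nsg, direction, protocol, port):
    """Walk both NSGs in the order the FAQ gives and stop at the first Deny."""
    stages = [("logical network", lnet_nsg), ("network interface", nic_nsg)]
    if direction == "Outbound":
        stages.reverse()  # outbound: network interface NSG is checked first
    for name, rules in stages:
        access, reason = nsg_decision(rules, direction, protocol, port)
        if access == "Deny":
            return "Drop", f"{name} NSG: {reason}"
    return "Forward", "allowed by every associated NSG"

# Constructed sample rule sets (not taken from any real deployment).
LNET_NSG = [Rule(100, "Inbound", "Deny", "Tcp", "3389"),
            Rule(200, "Inbound", "Allow", "Tcp", "443")]
NIC_NSG = [Rule(100, "Inbound", "Allow", "Tcp", "3389"),
           Rule(110, "Inbound", "Allow", "Tcp", "443")]

if __name__ == "__main__":
    for args in [("Inbound", "Tcp", 3389), ("Inbound", "Tcp", 443),
                 ("Inbound", "Tcp", 22), ("Outbound", "Tcp", 80)]:
        print(args, "->", evaluate(LNET_NSG, NIC_NSG, *args))
    print("empty NIC NSG ->", evaluate(None, [], "Inbound", "Tcp", 443))
```

The returned reason names the NSG that dropped the packet, which is the one to inspect when a network interface Allow rule appears to have no effect.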