
In this topic, we shall discuss “Azure Arc for SQL Server PAYG: Installation, Connectivity Requirements and Operational Best Practices”. As organizations increasingly adopt hybrid and multi-cloud strategies, Azure Arc-enabled SQL Server with Pay-As-You-Go (PAYG) offers a flexible way to extend Azure governance, security, and billing capabilities to on-premises and non-Azure environments. Please see How to Assign a Public IP to Azure Virtual Machine (VM).
This guide provides a practical, operations-focused walkthrough of deploying the Azure Arc Connected Machine Agent and enabling SQL Server PAYG, with particular emphasis on network prerequisites, outbound connectivity, firewall considerations, and critical factors that often determine the success or failure of onboarding.
Rather than focusing only on installation steps, this document highlights the infrastructure and network dependencies required to ensure a stable and secure integration with Azure services. Special attention is given to enterprise environments with restricted outbound access, where proper endpoint whitelisting and proxy configuration are essential.
By following this guide, IT professionals and cloud engineers will be able to streamline deployment, avoid common connectivity issues, and align with best practices for managing SQL Server instances through Azure Arc.
Azure Arc Agent Installation: Prerequisites and Connectivity Requirements
To correctly install the Azure Arc Connected Machine Agent (Azure Arc for Servers), the main prerequisites revolve around outbound HTTPS connectivity (port 443) to specific Azure endpoints. Without these network requirements in place, onboarding and ongoing management will fail.
Below is a practical, operations-focused summary.
General Prerequisites
Below are the prerequisites and connectivity requirements for the supported OS (Windows Server / various Linux distributions).
- Local administrative privileges
- Outbound internet access over TCP 443
- TLS 1.2 enabled
- Proper time synchronization (NTP)
- Required Outbound Endpoints (Port 443): These are the key FQDNs that must be reachable.
- Always verify the official documentation as endpoints may change over time.
Core Azure Arc
Below are the prerequisites for Azure Arc
- management.azure.com
- login.microsoftonline.com
- guestconfiguration.azure.com
- agentserviceapi.azure-automation.net
Azure Resource Manager & Identity
- his.arc.azure.com
- guestconfiguration.azure.com
- arc.azure.net
Agent Download and Updates
- download.microsoft.com
- packages.microsoft.com (Linux)
Important Notes on Proxy / Firewall
If using a proxy:
- It must support HTTPS pass-through (avoid aggressive SSL inspection)
- It can be configured during installation using the --proxy parameter
If applying network filtering:
- Prefer allowing wildcard domain: *.azure.com where possible
- In restrictive environments, explicitly whitelist the required domains listed above
Required Ports
| Direction | Port | Protocol | Notes |
| --- | --- | --- | --- |
| Outbound | 443 | HTTPS | Mandatory |
| Inbound | | | |
Connectivity Verification
You can quickly test connectivity from the server. On Windows, run the command below:
Test-NetConnection management.azure.com -Port 443

For Linux, run the command below
curl -I https://management.azure.com
Operational Considerations
- The agent establishes persistent outbound connections
- No inbound ports are required → ideal for DMZ environments
- If using Azure Arc with Defender or Monitor, additional endpoints are required (e.g., Log Analytics, etc.)
Practical Tip
If you’re working in a restricted enterprise environment:
- Start with the minimal whitelist above
- Monitor proxy/firewall logs for blocked requests
- Gradually expand access only where needed (least privilege approach)
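The triage step from the practical tip, as an added example that is not part of the original guide: it reads proxy log lines, keeps the denied CONNECT requests from one Arc server, and separates destinations already on this page's endpoint list from ones that need review. The Squid-style log layout, the agent IP and updates.example.net are assumptions, and the log lines are constructed.

```powershell
# Added example: triage of blocked requests from one Arc server.
# Log lines are constructed, in Squid's native access.log layout (an assumption
# about the proxy in use); the agent IP and updates.example.net are hypothetical.
$sampleLog = @'
1767225600.101  12 10.10.5.21 TCP_TUNNEL/200 5120 CONNECT management.azure.com:443 - HIER_DIRECT/192.0.2.10 -
1767225601.220   3 10.10.5.21 TCP_DENIED/403 3900 CONNECT his.arc.azure.com:443 - HIER_NONE/- text/html
1767225631.224   2 10.10.5.21 TCP_DENIED/403 3900 CONNECT his.arc.azure.com:443 - HIER_NONE/- text/html
1767225640.870   2 10.10.5.21 TCP_DENIED/403 3900 CONNECT guestconfiguration.azure.com:443 - HIER_NONE/- text/html
1767225655.013   4 10.10.5.21 TCP_DENIED/403 3900 CONNECT updates.example.net:443 - HIER_NONE/- text/html
1767225660.450   2 10.10.7.88 TCP_DENIED/403 3900 CONNECT his.arc.azure.com:443 - HIER_NONE/- text/html
'@ -split "`r?`n"

# Explicit allowlist taken from the endpoint lists on this page.
$required = @(
    'management.azure.com', 'login.microsoftonline.com', 'guestconfiguration.azure.com',
    'agentserviceapi.azure-automation.net', 'his.arc.azure.com', 'arc.azure.net',
    'download.microsoft.com', 'packages.microsoft.com'
)

function Get-DeniedArcDestination {
    param(
        [string[]] $LogLine,
        [string]   $AgentIp,
        [string[]] $Required
    )
    $LogLine | ForEach-Object {
        # Fields: time, elapsed, client, result/status, bytes, method, URL, ...
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ge 7 -and $f[2] -eq $AgentIp -and
            $f[3] -like 'TCP_DENIED/*' -and $f[5] -eq 'CONNECT') {
            ($f[6] -split ':')[0].ToLowerInvariant()   # host part of host:port
        }
    } | Group-Object | ForEach-Object {
        [pscustomobject]@{
            Destination = $_.Name
            Blocked     = $_.Count
            Action      = if ($Required -contains $_.Name) { 'Allow (required)' } else { 'Review first' }
        }
    } | Sort-Object Blocked -Descending
}

Get-DeniedArcDestination -LogLine $sampleLog -AgentIp '10.10.5.21' -Required $required |
    Format-Table -AutoSize
```

Destinations marked "Review first" are the ones to investigate before adding to the whitelist; requests from other clients are ignored so the list stays specific to the Arc server.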
Extra
The following pre-check script validates the prerequisites and connectivity before installation:
```powershell
<#
.SYNOPSIS
Prerequisite validation script for Azure Arc Connected Machine Agent on Windows.
#>
Write-Host "=== Azure Arc Prerequisite Check ===" -ForegroundColor Cyan

# 1. Check PowerShell version (Required 5.1 or higher)
$psVersion = $PSVersionTable.PSVersion
if ($psVersion -ge [version]'5.1') {
    Write-Host "[OK] PowerShell version $psVersion is supported." -ForegroundColor Green
} else {
    Write-Host "[ERROR] PowerShell 5.1 or higher is required. Found: $psVersion" -ForegroundColor Red
}

# 2. Check .NET Framework (Required 4.6 or higher; Release 393295 is the lowest 4.6 value)
$netVersion = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -ErrorAction SilentlyContinue).Release
if ($netVersion -ge 393295) {
    Write-Host "[OK] .NET Framework 4.6 or higher is installed." -ForegroundColor Green
} else {
    Write-Host "[ERROR] .NET Framework 4.6 or higher not detected." -ForegroundColor Red
}

# 3. Check Supported Operating System (Windows Server 2012 R2 is version 6.3)
$os = Get-CimInstance Win32_OperatingSystem
$osInfo = "$($os.Caption) - $($os.Version)"
# Compare as [version]: a plain string comparison would rank "6.3" above "10.0".
if ([version]$os.Version -ge [version]'6.3') {
    Write-Host "[OK] Supported operating system: $osInfo" -ForegroundColor Green
} else {
    Write-Host "[WARNING] OS version not compliant or only partially supported. Windows Server 2012 R2 or higher is required." -ForegroundColor Yellow
}

# 4. Check internet connectivity and Azure Arc services (Port 443)
Write-Host "`n[INFO] Testing connectivity to Azure Arc endpoints..." -ForegroundColor Gray
$endpoints = @(
    "management.azure.com",
    "login.microsoftonline.com",
    "pas.windows.net",
    "arc.azure.net",
    "download.microsoft.com",
    "packages.microsoft.com"   # Linux
)
foreach ($endpoint in $endpoints) {
    # Test-NetConnection returns $false on failure instead of throwing, so test the result.
    if (Test-NetConnection -ComputerName $endpoint -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue) {
        Write-Host "[OK] Connectivity to $endpoint on port 443 succeeded." -ForegroundColor Green
    } else {
        Write-Host "[ERROR] Unable to reach $endpoint on port 443. Check firewall/proxy." -ForegroundColor Red
    }
}
```
Generate and run the Azure Arc Agent installation script in “Authenticate Manually” mode
If MSSQL is installed on an MS Cluster, first proceed with the agent installation on the PASSIVE node and then on the ACTIVE node.
Generate script for “Authenticate machine manually.”


Fill in the required fields.

Download your scripts.

Generate the script using “Authenticate machine automatically” mode.

Create new Azure Arc Service Principal.



Open the generated servicePrincipal.txt file and copy the Service Principal (SP) and its secret.

Download the script, open it, add the Service Principal and the secret to the script, and then save it.


Run the script on the target server.
For the “Manually Authenticate” mode, at the end of the script an administrative account will be required to complete the onboarding of the server to the Azure Arc service.
The minimum required role is: Azure Connected Machine Onboarding


Post-installation checks
The binary is typically located at: C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe
where.exe azcmagent
If azcmagent show does not work, check that the himds service is running:
Get-Service himds
You can verify it with:
& "C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe" show

Check the proxy configuration on the agent
Proxy Requirements (Critical)
The proxy must allow:
- HTTPS pass-through (no aggressive SSL inspection)
- Outbound access to: management.azure.com, login.microsoftonline.com, *.azure.com
Common issue
A proxy with SSL inspection enabled can break the TLS handshake, causing the SQL extension to fail.
Check what it is currently using:
azcmagent config list

Look for:
- proxy.url
- proxy.bypass
If empty → the agent is not using a proxy.
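To check whether the path to an endpoint performs SSL inspection, the probe below (an added example, not part of the original guide or of Microsoft's tooling) completes a TLS 1.2 handshake, optionally through an HTTP CONNECT tunnel on the proxy, and reports who issued the certificate it was shown. The function name, the proxy host and port, and the 'Contoso Proxy CA' pattern are hypothetical; replace the pattern with the name of your organization's inspection CA.

```powershell
# Added example: TLS 1.2 handshake and issuer check. Proxy values and CA pattern are hypothetical.
function Get-ArcEndpointCertificate {
    param(
        [Parameter(Mandatory)] [string] $Endpoint,
        [string] $ProxyHost,                                  # empty = connect directly
        [int]    $ProxyPort = 8080,
        [string] $InspectionCaPattern = 'Contoso Proxy CA'    # constructed name
    )
    $tcp = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        if ($ProxyHost) {
            $tcp.Connect($ProxyHost, $ProxyPort)
            $stream = $tcp.GetStream()
            # Ask the proxy for a tunnel, then read its reply up to the blank line.
            $req = [Text.Encoding]::ASCII.GetBytes(
                "CONNECT ${Endpoint}:443 HTTP/1.1`r`nHost: ${Endpoint}:443`r`n`r`n")
            $stream.Write($req, 0, $req.Length)
            $reply = [System.Text.StringBuilder]::new()
            while (-not $reply.ToString().EndsWith("`r`n`r`n")) {
                $b = $stream.ReadByte()
                if ($b -lt 0) { throw 'Proxy closed the connection during CONNECT.' }
                [void] $reply.Append([char] $b)
            }
            $status = ($reply.ToString() -split "`r`n")[0]
            if ($status -notmatch '^HTTP/1\.[01] 2\d\d') { throw "Proxy refused CONNECT: $status" }
        } else {
            $tcp.Connect($Endpoint, 443)
            $stream = $tcp.GetStream()
        }
        # The callback accepts any certificate: this probe only reports what is presented.
        $ssl = [System.Net.Security.SslStream]::new($stream, $false,
            [System.Net.Security.RemoteCertificateValidationCallback] { $true })
        $ssl.AuthenticateAsClient($Endpoint, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $ssl.RemoteCertificate)
        [pscustomobject]@{
            Endpoint  = $Endpoint
            Protocol  = $ssl.SslProtocol
            Issuer    = $cert.Issuer
            Inspected = $cert.Issuer -match $InspectionCaPattern
        }
    } finally { if ($ssl) { $ssl.Dispose() }; $tcp.Close() }
}

'management.azure.com', 'login.microsoftonline.com' |
    ForEach-Object { Get-ArcEndpointCertificate -Endpoint $_ }
```

Add -ProxyHost and -ProxyPort to test the same endpoints through the proxy; a handshake failure here also shows that TLS 1.2 could not be negotiated on that path.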
Configure proxy for Azure Arc Agent
Windows
- Set the proxy on Windows
netsh winhttp set proxy http://your-Ip-Proxy:8080
netsh winhttp show proxy
Set the proxy on the Azure Arc Agent
azcmagent config set proxy.url "http://user:password@proxy:port"
azcmagent config set proxy.url http://your-Ip-Proxy:port
azcmagent config set proxy.url http://your-Ip-Proxy:8080

Linux
sudo azcmagent config set proxy.url "http://proxy:port"
Service Management and Restart
Restart-Service himds
Restart-Service ExtensionService
Alternatively on Linux:
sudo systemctl restart himds
Immediately stop the Azure Arc Agent
Stop-Service himds
Verification:
Get-Service himds
Verification on the Azure side: Registered Server and Registered SQL Instance
Check that the extension installation succeeded
Check MSSQL instance
After installing the agent on servers/VMs hosting SQL Server, proceed with registering the PAYG (Pay-As-You-Go) licenses.
Select PAYG and save
I hope you found this guide very useful for “Azure Arc for SQL Server PAYG: Installation, Connectivity Requirements and Operational Best Practices”. Please feel free to leave a comment below.



