Security Controls For Azure Arc Enabled Servers & SQL Server on Azure Arc
Network Security:
NS-1: Establish network segmentation and protect resources in Virtual Network
For the Azure Connected Machine agent that runs on your server, make sure it can communicate with the Azure Arc service over TCP port 443 (HTTPS). Configure machines to use Transport Layer Security (TLS) 1.2 and above.
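A practical way to verify the NS-1 requirement from the server side is to confirm that an Arc service endpoint is reachable on TCP 443 and that the session negotiates TLS 1.2 or 1.3 rather than an older protocol. The script below is an added example, not code from this page or from Microsoft's Arc tooling; it uses `openssl s_client` for the live probe, and the hostname `arc-endpoint.example.invalid` is a placeholder you would replace with the endpoints your agent actually contacts. The constructed `SAMPLE_GOOD` and `SAMPLE_BAD` strings mimic the shape of `s_client`'s session summary so the parsing logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the page): check that a host answers on TCP 443 and
# negotiates TLS 1.2 or 1.3, the floor NS-1 sets for the Arc agent's traffic.
# The endpoint name used below is a placeholder, not a real Arc service host.

# Extract the negotiated protocol from `openssl s_client` output on stdin.
# Prints e.g. "TLSv1.2", or "none" when no session summary is present.
negotiated_protocol() {
    proto=$(sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1)
    if [ -n "$proto" ]; then
        printf '%s\n' "$proto"
    else
        printf 'none\n'
    fi
}

# Return 0 when the protocol meets the TLS 1.2 floor, 1 otherwise.
tls_floor_ok() {
    case "$1" in
        TLSv1.2|TLSv1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Live probe: open a TLS session to host:443 with SNI and evaluate the result.
# Only runs when explicitly requested so the script stays offline-safe.
probe_endpoint() {
    host="$1"
    proto=$(printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null | negotiated_protocol)
    if tls_floor_ok "$proto"; then
        printf '%s: OK (%s)\n' "$host" "$proto"
    else
        printf '%s: FAIL (%s)\n' "$host" "$proto"
        return 1
    fi
}

# Constructed sample output, shaped like openssl s_client's session summary.
SAMPLE_GOOD='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
---'
SAMPLE_BAD='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
---'

if [ "${1:-}" = "--probe" ]; then
    # Placeholder hostname; pass a real Arc endpoint as the second argument.
    probe_endpoint "${2:-arc-endpoint.example.invalid}"
else
    # Offline self-check against the constructed samples.
    for s in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
        p=$(printf '%s\n' "$s" | negotiated_protocol)
        if tls_floor_ok "$p"; then
            echo "sample: $p meets the TLS 1.2 floor"
        else
            echo "sample: $p is below the TLS 1.2 floor"
        fi
    done
fi
```

Run it with `--probe <hostname>` to test a live endpoint; without arguments it only evaluates the embedded samples. A `FAIL` result points either at an outbound filter blocking 443 or at a host still offering TLS 1.0/1.1, both of which NS-1 requires you to correct before the agent is considered compliant.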
NS-2: Connect on-premises or cloud network privately
Use ExpressRoute to create private connections between cloud resources and on-premises infrastructure. This means you can connect your on-premises or multi-cloud servers to Azure Arc and send all traffic over Azure ExpressRoute.
NS-3: Establish private network access to cloud services
Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public networks where possible.
When available, use Private Endpoints with Private Link to secure cloud resources in the virtual network. Where Private Endpoints and Private Link are not available, use secure Service Endpoints.