Security Controls For Azure Arc Enabled Servers & SQL Server on Azure Arc
NS-1: Establish network segmentation and protect resources in Virtual Network
The Azure Connected Machine agent that runs on your server initiates all of its connections itself, so it only needs outbound access to the Azure Arc service over TCP port 443 (HTTPS); no inbound ports have to be opened. If the server reaches the internet through a proxy, the agent must be configured with that proxy explicitly. Configure machines to use Transport Layer Security (TLS) 1.2 or later.
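The following PowerShell script is an added example, not part of the original page or of the Arc agent's own tooling. It enforces TLS 1.2 (and newer, where the OS supports it) at the SCHANNEL level on a Windows server that hosts the Connected Machine agent, makes .NET components follow the OS defaults, and then checks outbound TCP 443 reachability. The endpoint list is a constructed, illustrative subset of the agent's dependencies; the agent's own `azcmagent check` remains the authoritative connectivity test.

```powershell
# Added example (not from the original page): enforce TLS 1.2+ for SCHANNEL on a Windows Server
# that runs the Azure Connected Machine agent, then verify outbound TCP 443 reachability.
# Registry changes to SCHANNEL take effect after a reboot.
#Requires -RunAsAdministrator

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-TlsProtocolState {
    param([string]$Protocol, [bool]$Enabled)
    # Both the Client and Server halves of the protocol key must be set; the agent acts as a client.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $schannel "$Protocol\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enabled)        -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# Disable legacy protocols and keep TLS 1.2 enabled (TLS 1.3 is governed by the same mechanism on
# Windows Server 2022 and later and is left at its OS default here).
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-TlsProtocolState -Protocol $_ -Enabled $false }
Set-TlsProtocolState -Protocol 'TLS 1.2' -Enabled $true

# Make .NET Framework components use the OS SCHANNEL defaults instead of hard-coding older TLS versions.
foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $fw) {
        New-ItemProperty -Path $fw -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $fw -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-ArcEndpoint {
    # Returns one object per endpoint with the result of a TCP connect to port 443.
    param([string[]]$HostName)
    foreach ($name in $HostName) {
        $r = Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Endpoint = $name; Port = 443; Reachable = $r.TcpTestSucceeded }
    }
}

# Constructed, illustrative subset of the public endpoints the agent depends on. With Private Link the
# *.his.arc.azure.com names resolve to the private endpoint instead of a public address.
Test-ArcEndpoint -HostName 'login.microsoftonline.com', 'management.azure.com', 'gbl.his.arc.azure.com' |
    Format-Table -AutoSize

# If the server egresses through a proxy, tell the agent about it before running its own check:
#   azcmagent config set proxy.url "http://proxy.contoso.local:8080"   # proxy address is an assumption
#   azcmagent check                                                     # full endpoint list, via the proxy
```

Run the script as an administrator, reboot so the SCHANNEL settings apply, and then run `azcmagent check` on the machine; a TCP connect succeeding to port 443 only proves the path is open, while the agent's check also validates TLS and the full set of endpoints for the agent version installed.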
NS-2: Connect on-premises or cloud network privately
Use ExpressRoute to create private connections between cloud resources and on-premises infrastructure. This means you can connect your on-premises or multi-cloud servers to Azure Arc and carry all agent traffic over the ExpressRoute circuit instead of the public internet. Note that ExpressRoute private peering only reaches your own virtual networks: for the Arc control-plane endpoints themselves to be reached over the circuit, terminate them on a private endpoint in a virtual network (the Private Link Scope model in NS-3), otherwise the agent still resolves and contacts public addresses.
NS-3: Establish private network access to cloud services
Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public networks wherever possible.
When available, use Private Endpoints with Private Link to expose cloud resources only inside a virtual network. Where Private Endpoints and Private Link are not available, use service endpoints instead.
With Azure Arc-enabled servers, use a Private Link Scope to let multiple servers or machines communicate with their Azure Arc resources through a single private endpoint.
An Azure Arc Private Link Scope connects private endpoints (and the virtual networks they are contained in) to an Azure resource, in this case Azure Arc-enabled servers. Each machine is associated with the scope when it is onboarded, and a scope with public network access disabled rejects agent traffic that does not arrive through the private endpoint.
The services that extensions depend on, such as Azure Monitor, Automation, Azure Key Vault and Azure Blob Storage, are still reached over public endpoints unless you create private endpoints for those services as well; the Arc scope does not cover them.
Use Azure Private DNS zones and make sure DNS resolution works with Private Link: the privatelink zones must be linked to the virtual network, and on-premises DNS must forward those zones to a resolver inside the virtual network. If the Arc hostnames still resolve to public IPs, traffic silently bypasses the private endpoint even though the private link exists.
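The following Az PowerShell script is an added example, not code from the original page or from Microsoft. It builds the pieces described above in order: a Private Link Scope with public network access disabled, a private endpoint for that scope in an existing subnet, and the privatelink DNS zones linked to the virtual network and attached to the endpoint so that their records are populated automatically. The resource group, region, virtual network and subnet names are assumptions; the zone names are the ones the Arc Private Link documentation lists at the time of writing and should be checked against the current list.

```powershell
# Added example (not from the original page). Assumed names: resource group, region, VNet and subnet.
$rg       = 'rg-arc-network'
$location = 'eastus'
$vnetName = 'vnet-hub'
$peSubnetName = 'snet-private-endpoints'

# 1. Private Link Scope (Microsoft.HybridCompute/privateLinkScopes). publicNetworkAccess = Disabled
#    means machines associated with the scope must reach Arc through the private endpoint.
$scope = New-AzResource -ResourceGroupName $rg `
    -ResourceType 'Microsoft.HybridCompute/privateLinkScopes' -ResourceName 'pls-arc-servers' `
    -Location $location -Properties @{ publicNetworkAccess = 'Disabled' } -Force

# 2. Private endpoint in the hub subnet. groupId 'hybridcompute' selects the Arc server sub-resource.
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$peSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $peSubnetName
$conn = New-AzPrivateLinkServiceConnection -Name 'plsc-arc-servers' `
    -PrivateLinkServiceId $scope.ResourceId -GroupId 'hybridcompute'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-arc-servers' -Location $location `
    -Subnet $peSubnet -PrivateLinkServiceConnection $conn

# 3. Private DNS zones for Arc-enabled servers: create if missing, link to the VNet, and collect a
#    zone config for each so the endpoint's private IPs are registered automatically (step 4).
$zones = 'privatelink.his.arc.azure.com',
         'privatelink.guestconfiguration.azure.com',
         'privatelink.dp.kubernetesconfiguration.azure.com'
$zoneConfigs = foreach ($z in $zones) {
    $zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $z -ErrorAction SilentlyContinue
    if (-not $zone) { $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $z }
    $linkName = "link-$vnetName"
    if (-not (Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $z -Name $linkName -ErrorAction SilentlyContinue)) {
        New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $z -Name $linkName `
            -VirtualNetworkId $vnet.Id | Out-Null
    }
    New-AzPrivateDnsZoneConfig -Name ($z -replace '\.', '-') -PrivateDnsZoneId $zone.ResourceId
}

# 4. Attach the zones to the private endpoint; Azure writes the A records into the privatelink zones.
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name -Name 'default' `
    -PrivateDnsZoneConfig $zoneConfigs | Out-Null

# 5. Onboard machines into the scope (run on the server, not here); scope resource ID from step 1.
#    On-premises DNS must forward the privatelink zones to a resolver in the VNet for this to work.
"azcmagent connect ... --private-link-scope '$($scope.ResourceId)'"
```

A quick check from a VM inside the virtual network is `Resolve-DnsName gbl.his.arc.azure.com`: the answer should be an address from the private-endpoint subnet. The same query from an on-premises server that still returns a public IP is the symptom of the missing conditional forwarder described in the text, and the scope's disabled public access will then cause agent connections to fail rather than silently fall back.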
NS-4: Use Network Service Tags
Use Azure virtual network service tags to define network access controls on the NSGs or Azure Firewall rules that govern traffic for your Azure Arc-enabled server resources. A service tag stands for the set of Microsoft-managed IP prefixes behind a service (for example AzureArcInfrastructure for the Arc control plane, AzureActiveDirectory and AzureResourceManager for authentication and ARM), so a rule written against the tag stays correct as the underlying addresses change. For on-premises firewalls that cannot consume tags directly, the same prefixes can be exported from the service tag discovery API and loaded as an allow list.
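The following Az PowerShell script is an added example, not part of the original page. It shows both halves of the control: an NSG for the Azure-side subnet that Arc traffic crosses (for example a hub subnet reached over ExpressRoute, or the subnet that hosts the private endpoint) with outbound HTTPS allowed only to service tags and everything else denied, and an export of the current AzureArcInfrastructure prefixes for an on-premises firewall that cannot use tags. The resource group, region and NSG name are assumptions, and the tag list is a starting point covering the agent's core dependencies rather than every extension.

```powershell
# Added example (not from the original page). Assumed names for the resource group, region and NSG.
$rg = 'rg-arc-network'
$location = 'eastus'

# Service tags the Connected Machine agent's core traffic falls under (starting point; extend per extension).
$allowedTags = 'AzureActiveDirectory', 'AzureResourceManager', 'AzureArcInfrastructure',
               'GuestAndHybridManagement', 'Storage'

function New-ArcOutboundRuleSet {
    # Builds an ordered outbound rule set: one TCP/443 allow per service tag, then an explicit deny-all.
    param([string[]]$Tags, [int]$StartPriority = 100)
    $rules = @()
    $priority = $StartPriority
    foreach ($tag in $Tags) {
        $rules += New-AzNetworkSecurityRuleConfig -Name "Allow-Out-443-$tag" -Direction Outbound -Access Allow `
            -Protocol Tcp -Priority $priority -SourceAddressPrefix '*' -SourcePortRange '*' `
            -DestinationAddressPrefix $tag -DestinationPortRange 443
        $priority += 10
    }
    # Lower priority number wins, so the deny must sit numerically after every allow.
    $rules += New-AzNetworkSecurityRuleConfig -Name 'Deny-Out-All' -Direction Outbound -Access Deny `
        -Protocol '*' -Priority 4000 -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
    return $rules
}

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-arc-servers' -Location $location `
    -SecurityRules (New-ArcOutboundRuleSet -Tags $allowedTags) -Force

# Check: the outbound rules in evaluation order; the deny must be the last row.
$nsg.SecurityRules | Where-Object Direction -eq 'Outbound' | Sort-Object Priority |
    Format-Table Name, Priority, Access, DestinationAddressPrefix, DestinationPortRange -AutoSize

function Get-ServiceTagPrefixes {
    # Pulls the current prefixes behind a tag from the service tag discovery API, for firewalls
    # that cannot reference tags. Re-run on a schedule: the prefixes change over time.
    param([string]$Tag, [string]$Region)
    $tags = Get-AzNetworkServiceTag -Location $Region
    ($tags.Values | Where-Object Name -eq $Tag).Properties.AddressPrefixes
}

# Export the Arc control-plane prefixes as one line per CIDR for an on-premises firewall allow list.
Get-ServiceTagPrefixes -Tag 'AzureArcInfrastructure' -Region $location |
    Set-Content -Path '.\arc-infrastructure-prefixes.txt'
```

Attach the NSG to the subnet with `Set-AzVirtualNetworkSubnetConfig -NetworkSecurityGroup $nsg` followed by `Set-AzVirtualNetwork`. The exported prefix file is only as current as its last run; the point of service tags in the NSG is precisely that Azure keeps those addresses updated for you, which an on-premises firewall does not get for free.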