AKS Arc Deployment Tool | Sovereign Private Cloud & AI

Step 1: Choose Your Environment & Workload

Industry & Compliance

Select your industry to view applicable regulatory frameworks and data sovereignty requirements

🏭

Manufacturing

ISO 27001, IEC 62443, TISAX

OT/IT Security Supply Chain

🛒

Retail

PCI-DSS, GDPR, CCPA

Payment Security Customer Data

⚡

Energy & Resources

NERC CIP, IEC 62351, NIST CSF

Critical Infrastructure SCADA/ICS

🏥

Healthcare

HIPAA, HITRUST, FDA 21 CFR Part 11

PHI Protection Medical Devices

🏦

Financial Services

PCI-DSS, SOX, SOC 2, GLBA

Transaction Security Regulatory

🏛️

Government

FedRAMP, CJIS, NIST 800-171

Data Sovereignty Critical Infra

🔧

General / Other

No specific industry requirements

Standard Security

Deployment Stage

Select your target environment to automatically configure appropriate settings

📘 AKS Arc Architecture — Sovereign by Design:

Control Plane VMs: Run Kubernetes control components locally on your infrastructure — your data never leaves your premises.
Node Pool VMs: Run containerized AI/ML workloads, Foundry Local models, and sovereign applications with full data residency.
Azure Arc: Provides cloud management while keeping the data plane entirely on-premises — only metadata flows to Azure.

✅ Compliant with data residency laws • ✅ Air-gap capable via Arc Gateway • ✅ Foundry Local & SLM ready

🧪

POC / Dev

Minimal resources for testing

1 control plane VM • 2-3 node pool VMs

= 3-4 total VMs

~$247/mo

🚀

Pilot / Test

Basic HA for pre-production

3 control plane VMs • 3-10 node pool VMs

= 6-13 total VMs

~$1,834/mo

⚡

Production

Full HA with auto-scaling

3 control plane VMs • 3-100 node pool VMs

= 6-103 total VMs

~$4,291/mo

🎯 Select Your Sovereign AI Workload

Run AI models and applications entirely on-premises — your data never leaves your infrastructure

Azure Arc Extensions Sovereign AI & Edge Solutions

ARC EXT

🎥

Video Indexer Arc

Video & audio AI analysis on edge

64+ cores • 256GB RAM • GPU optional

Manufacturing • Retail • Energy

ARC EXT

💬

Edge RAG Arc

Sovereign AI chat & document search — Foundry Local compatible

64+ cores • 256GB RAM • GPU/CPU

Manufacturing • Retail • Energy

ARC EXT

🏭

Azure IoT Operations

Unified edge data plane for OT/IT

8+ cores • 16GB RAM • MQTT/OPC UA

Manufacturing • Energy • Industrial IoT

Generic Workloads Standard Kubernetes applications

📹

Video Analytics

Camera feeds, video processing

32 vCPU • 128 GB RAM • GPU

🤖

AI Inference

ML model serving and inference

16 vCPU • 64 GB RAM • GPU

⚙️

General Purpose

Web apps and microservices

8 vCPU • 32 GB RAM

🔧

Custom

Define your own requirements

Custom configuration

Step 2: Configure Your Deployment

📋 Azure Local Prerequisites

AKS Arc requires: Logical Network (IPs), Custom Location, Storage (CSV volumes)

💰 Estimated Cost: $0/mo

Live calculation based on your config

▼

🔌 Arc Extensions Included (Auto-deployed with cluster)

📋 Generated: 1 cluster template + 3 extension templates + 1 policy assignment template

📋 Basic Cluster Settings

Essential identifiers and Azure Local connection details

Cluster Name *

Resource Group *

Azure Region *

Custom Location (Azure Local) * Name of your Azure Local Custom Location (or full ARM resource ID)

Logical Network * Name of your Azure Local logical network (or full ARM resource ID)

SSH Public Key (Optional) SSH public key for accessing cluster nodes (for troubleshooting and management)

⚙️ Advanced Configuration (click tab to configure)

⚙️ Cluster Sizing & VM Selection (Optional - defaults from Production) ▼

Review and adjust if needed

Control Plane VMs * Manages Kubernetes API, scheduling, and cluster state (etcd)

Worker Node Pool VMs * Runs your containerized applications and workloads

Worker Node VM Size * VM size for worker nodes (select based on workload requirements)

Control Plane VM Size * VM size for control plane nodes (typically smaller than workers)

📊 Total Cluster VMs: 6 (3 control plane + 3 workers)

🔧 Advanced: Workload-Based Resource Calculations

These settings calculate VM sizes based on total workload requirements (legacy method). VM selection above provides more direct control.

CPU Cores

Memory (GB)

Require GPU

GPU Count

🌐 Network Configuration ⓘ Network Security for AKS Arc:
• Use Calico network policies to control pod-to-pod traffic (defense in depth)
• Private cluster mode restricts API server to private network only
• Network segregation prevents lateral movement during attacks
• Follows NSA/CISA and CIS Kubernetes hardening guidelines
Click to read full documentation → ▼

⚠️ IP Address Planning: Reserve static IPs from your logical network:

Node VMs: 1 IP per node (e.g., 5 nodes = 5 IPs)
Upgrade Operations: 1 IP per cluster for rolling upgrades
Control Plane VIP: 1 IP per cluster (Kubernetes API Server)
Load Balancer: Separate IP pool outside logical network range for MetalLB/services

Example: 5-node cluster = 7 IPs minimum (5 nodes + 1 upgrade + 1 control plane)

Network Plugin (CNI) ✅ AKS Arc uses Calico CNI with VXLAN overlay mode (pods use virtualized IPs)

Pod Network CIDR IP range for pod addresses (default: 10.244.0.0/16). Customizable via --pod-cidr parameter. Must not overlap with logical network.

Service Network CIDR ⚠️ Service CIDR is not customizable in AKS Arc (fixed: 10.96.0.0/12). Used for ClusterIP, NodePort, LoadBalancer services.

Control Plane IP (Optional) Kubernetes API Server VIP. Leave blank to auto-assign from logical network. Must be within logical network address prefix if specified.

Load Balancer *

Enable Network Policies - Control pod-to-pod traffic (Recommended)

Private Cluster - API server accessible only from private network

💾 Storage Configuration ⓘ Storage Security for AKS Arc:
• BitLocker encryption at rest on Azure Local CSV volumes
• Secrets stored in Kubernetes encrypted via etcd encryption
• Volume snapshots for backup/recovery (roadmap feature)
• Follows NIST SP 800-190 container security guidelines
Click to read full documentation → ▼

🔐 Identity & Access Control ⓘ Identity Security for AKS Arc:
• Entra ID integration unifies cloud and edge authentication
• Workload Identity provides pod-level managed identities
• RBAC enforces least-privilege access controls
• Pod Security Standards prevent privilege escalation
• Aligns with Microsoft Zero Trust security framework
Click to read full documentation → ▼

Identity Provider *

RBAC Mode *

Workload Identity - Pod-level managed identities for Azure access

Pod Security Standards - Enforce baseline security policies

🌐 Arc Gateway & Network Connectivity ▼

Enable Arc Gateway (Recommended) - Simplify network configuration and reduce firewall rules

Arc Gateway Resource ID * Your Arc Gateway must be created before deployment. Use the resource ID from Azure portal or CLI.

Arc Gateway URL * The unique gateway endpoint provided after resource creation (format: {your-id}.gw.arc.azure.com)

Azure CLI Command:

# Install Arc Gateway extension
az extension add -n arcgateway

# Create Arc Gateway resource
az arcgateway create \
  --name "my-arc-gateway" \
  --resource-group "my-rg" \
  --location "westeurope" \
  --gateway-type public \
  --allowed-features * \
  --subscription "my-subscription"

# Get gateway URL after creation
az arcgateway list --resource-group "my-rg" --query "[].{Name:name, URL:gatewayUrl}" -o table

Azure PowerShell Command:

# Install Arc Gateway module
Install-Module -Name Az.ArcGateway -Force

# Create Arc Gateway resource
New-AzArcGateway `
  -Name "my-arc-gateway" `
  -ResourceGroupName "my-rg" `
  -Location "westeurope" `
  -GatewayType "public" `
  -AllowedFeatures "*" `
  -SubscriptionId "my-subscription"

# Get gateway URL
Get-AzArcGateway -ResourceGroupName "my-rg" | Select-Object Name, GatewayUrl

📖 How Arc Gateway Works:

Azure Local Cluster IP (Port 40343): AKS control plane and worker VMs proxy through infrastructure cluster
Arc Proxy: Runs on each Azure Local node, securely tunnels HTTPS to Azure
Allowed Traffic: Routed through gateway tunnel; non-allowed traffic goes to enterprise firewall
Traffic Types: OS, Arc Resource Bridge, AKS clusters, Azure Local VMs all use gateway

🔥 Firewall Requirements ▼

Azure Region for Endpoint List * Region-specific endpoints vary. Select your deployment region to see accurate requirements.

📊 Monitoring & Observability ⓘ Monitoring Best Practices:
• Azure Monitor Container Insights provides centralized logging
• Kubernetes audit logs track API server access (compliance)
• Log retention 90+ days for PCI DSS/HIPAA requirements
• Prometheus/Grafana for custom metrics and alerting
Click to read full documentation → ▼

🔒 Security & Compliance (Optional) ⓘ Advanced Security Options:
• Defender for Containers: Real-time threat detection, CVE scanning
• Azure Policy: Enforce Pod Security Standards and compliance
• Supports PCI DSS, HIPAA, ISO 27001, SOC 2, FedRAMP frameworks
• Based on Microsoft Threat Matrix for Kubernetes
Click to read full documentation → ▼

ℹ️ Extension-based Security: Defender for Containers and Azure Policy are now configured in the "Arc Extensions" section above. Additional security options below are for cluster-level configuration.

Configure additional security and compliance settings for your cluster.

✓ Azure Policy (Always Included)

✅ FREE - Auto-enabled

Enforce organizational standards and compliance at scale with built-in and custom policies.

📋 Policy Capabilities

CIS Kubernetes Benchmark: Auto-assigned for security best practices
Pod Security Standards: Enforce restricted, baseline, or privileged profiles
Resource governance: Control CPU/memory limits, image repositories, and namespaces
Compliance reporting: Dashboard showing policy violations and compliance posture

🎯 Pre-configured Policies

Kubernetes cluster containers should only use allowed images
Kubernetes cluster pods should use specified labels
Ensure containers have resource limits
Privileged containers should be avoided

Cost Example: 8 vCore cluster = ~$55/month (~$660/year) | Value: Replaces $15K-50K/year vulnerability scanning + SIEM tools

Azure Policy for Kubernetes

✅ FREE - No additional cost

Automated policy-as-code enforcement with built-in regulatory frameworks and real-time compliance reporting. Essential for production Kubernetes governance.

⚙️ Governance Capabilities

Pod Security Standards (PSS): Enforces baseline, restricted, and privileged policies
100+ built-in policies: Image sources, resource limits, service mesh, network policies
Custom policy authoring: Rego-based constraints for organization-specific requirements
Deny/Audit/Disabled modes: Flexible enforcement for dev vs production
Real-time compliance: Continuous assessment with Azure Resource Graph queries

📋 Compliance & Regulatory Benefits

PCI DSS 4.0: Requirement 2.2 (secure configurations), 6.5.1 (least privilege)
HIPAA: §164.308(a)(4)(ii)(A) access authorization, §164.312(a)(1) unique user IDs
ISO 27001: A.9.4.1 (access restriction), A.13.1.3 (network segregation)
SOC 2: CC6.6 (logical access controls), CC6.7 (restricted privileged access)
FedRAMP: AC-3 (access enforcement), CM-7 (least functionality)

💼 Audit & Documentation

Audit logs: Complete policy evaluation history in Azure Activity Log
Compliance dashboard: Resource compliance percentage by policy
Remediation tasks: Automated or manual fix deployment for non-compliant resources
Export capabilities: CSV/JSON exports for auditor evidence packages

✅ Strongly Recommended: Azure Policy is FREE and provides essential compliance controls required by most regulatory frameworks. Enable for all production clusters.

🎯 Extension Configuration

Configure settings for Arc extensions that will be installed on the cluster configured above

Step 3: Review Your Deployment Plan

🔒 Security & Compliance Score

-- /100

Calculating...

Based on 8 security checks

Step 1: Choose Your Environment & Workload

Industry & Compliance

Manufacturing

Retail

Energy & Resources

Healthcare

Financial Services

Government

General / Other

📋 Regulatory Frameworks

Deployment Stage

POC / Dev

Pilot / Test

Production

🎯 Select Your Sovereign AI Workload

Azure Arc Extensions Sovereign AI & Edge Solutions

Video Indexer Arc

Edge RAG Arc

Azure IoT Operations

Generic Workloads Standard Kubernetes applications

Video Analytics

AI Inference

General Purpose

Custom

Requirements

Use Cases

Step 2: Configure Your Deployment

📋 Azure Local Prerequisites

💰 Estimated Cost: $0/mo

🔌 Arc Extensions Included (Auto-deployed with cluster)

📋 Basic Cluster Settings

⚙️ Cluster Sizing & VM Selection (Optional - defaults from Production) ▼

Review and adjust if needed

🌐 Arc Gateway & Network Connectivity ▼

Azure CLI Command:

Azure PowerShell Command:

🔥 Firewall Requirements ▼

⚠️ AKS on Separated Subnet - Additional Firewall Rules Required

Required Bidirectional Ports (AKS Subnet ↔ Infrastructure Subnet):

📋 Policy Capabilities

🎯 Pre-configured Policies

⚙️ Governance Capabilities

📋 Compliance & Regulatory Benefits

💼 Audit & Documentation

🎯 Extension Configuration

📦 Edge RAG Configuration

Step 3: Review Your Deployment Plan

🔒 Security & Compliance Score

Network Architecture & Traffic Flows

🔵 OS Traffic Bypass

🟡 HTTP via Enterprise Proxy

🟢 HTTPS via Arc Proxy

🔴 Third-Party HTTPS

🟣 Arc Resource Bridge

🔷 AKS Clusters

📖 Key Ports & Protocols

📦 Export & Deployment Options

Deploy to Azure

🚀 Proof of Concept (POC) Guide

Infrastructure as Code Templates

Compliance & Audit Documentation

📑 Full Compliance Report

📦 Complete Audit Package

✅ Framework-Specific Checklists