Azure Arc enabled server abnormal network traffic

Kenneth Chan - Admin 0 Reputation points
2025-08-11T15:51:49.42+00:00

We are observing abnormal outbound traffic generated by Azure Arc Guest Configuration processes on one of our AWS EC2 instances connected via Azure Arc.

From the AWS VPC flow log, a high data volume from the NAT Gateway correlates with outbound traffic from gc_service.exe, and the remote IPs involved are 20.209.70.33, 20.60.243.97 and 20.209.70.97. From our endpoint monitoring, we figured out that gc_service.exe is connected to those three IPs.

From the Azure Arc service logs (gc_worker.log), the gc_service.exe and gc_extension_service.exe processes are repeatedly downloading data in short intervals, causing continuous high outbound traffic via our AWS NAT Gateway. This looped behavior results in unusually high "Bytes out to source" traffic in AWS monitoring. (gc_worker.log attached.)

Please confirm if this is a known issue with the Azure Arc Guest Configuration service. And please advise on whether disabling or updating the Arc Guest Configuration extension will stop the high outbound traffic without affecting Defender’s core protection.

We would like to know what the usage of this Arc service is. As we have AWS Control Tower, if the Arc service is for compliance reporting only, we may consider turning it off directly.


2 answers

  1. Rahul Jorrigala 4,320 Reputation points Microsoft External Staff Moderator
    2025-08-11T17:09:27.17+00:00

    Hello Kenneth Chan - Admin

    The Azure Arc Guest Configuration agent (gc_service.exe and gc_extension_service.exe) can cause excessive outbound traffic, especially when:

    • The assigned policy set is large (e.g., “AzureWindowsBaseline”).
    • The agent is unable to converge to a compliant state, resulting in repeated compliance checks and large report uploads.
    • The log shows repeated cycles of DSC “Get” operations and warnings about oversized compliance reports being trimmed and resent.

    Your log matches this pattern exactly: The Guest Configuration agent is stuck in a loop, generating and uploading large compliance reports every few minutes, which is the root cause of your high outbound traffic.

    Disabling or Updating the Extension

    Disabling the Guest Configuration extension will immediately stop this traffic. This extension is only required for Azure Policy compliance reporting and does not affect Microsoft Defender for Cloud’s core protection or threat detection.

    Updating the extension

    Microsoft has released fixes in recent versions of the Arc agent and Guest Configuration extension to address this looped behavior. If you need compliance reporting, update to the latest version.

    No impact on Defender

    Defender for Cloud uses its own agents (MMA/AMA) and does not depend on Guest Configuration for threat protection.

    Usage of Azure Arc Guest Configuration

    Purpose: Provides in-guest policy compliance and configuration auditing for hybrid servers (on-prem, AWS, GCP, etc.), reporting compliance status to Azure Policy.

    If you only use AWS Control Tower for compliance and do not need Azure Policy reporting, you can safely disable the Guest Configuration extension.

    Network Configuration

    The log confirms that the agent is uploading compliance reports to Azure endpoints (e.g., https://canadacentral-gas.guestconfiguration.azure.com/...).

    If you keep Guest Configuration enabled, ensure only the required endpoints are open and monitor for excessive traffic. If you disable it, this traffic will stop.

    Recommendation

    If you do not need Azure Policy compliance reporting on AWS EC2:

    Disable the Azure Arc Guest Configuration extension on the affected instance(s).

    If you need compliance reporting:

    Update the Arc agent and Guest Configuration extension to the latest version to resolve the traffic loop.

    Please let me know if you face any challenge here; I can help you resolve this issue further.

    If the comment was helpful, please click "Upvote".
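As an added example (not code from the question or the answer), the following Python script applies the correlation described in this thread to constructed VPC flow log records: it sums ACCEPTed bytes per destination and flags destinations that receive repeated large flows at short intervals, which is the upload-loop signature the answer describes. The record layout is the default AWS VPC flow log format; the destination addresses are the three from the question, while the byte counts, timestamps, account ID and interface ID are constructed sample values.

```python
"""Aggregate AWS VPC flow log records by destination to spot a Guest Configuration upload loop."""
from collections import defaultdict

# Constructed sample records in the default VPC flow log format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0abc123 10.0.1.25 20.209.70.33 49712 443 6 820 1048576 1754927400 1754927460 ACCEPT OK
2 123456789012 eni-0abc123 10.0.1.25 20.60.243.97 49713 443 6 790 1011712 1754927520 1754927580 ACCEPT OK
2 123456789012 eni-0abc123 10.0.1.25 20.209.70.97 49714 443 6 805 1032192 1754927580 1754927640 ACCEPT OK
2 123456789012 eni-0abc123 10.0.1.25 20.209.70.33 49715 443 6 811 1040384 1754927640 1754927700 ACCEPT OK
2 123456789012 eni-0abc123 10.0.1.25 52.94.76.10 49716 443 6 12 6144 1754927800 1754927860 ACCEPT OK
2 123456789012 eni-0abc123 10.0.1.25 20.209.70.97 49717 443 6 1 40 1754927900 1754927960 REJECT OK
"""


def parse_flow_log(text):
    """Yield (dstaddr, bytes, start) for ACCEPT records in the default 14-field format."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14 or fields[12] != "ACCEPT":
            continue  # skip malformed records and rejected flows
        yield fields[4], int(fields[9]), int(fields[10])


def bytes_by_destination(text):
    """Total accepted outbound bytes per destination address."""
    totals = defaultdict(int)
    for dst, nbytes, _ in parse_flow_log(text):
        totals[dst] += nbytes
    return dict(totals)


def flag_upload_loop(text, min_bytes=1_000_000, max_gap_seconds=300, min_flows=2):
    """Return destinations that receive repeated large flows, each within max_gap_seconds of the previous one."""
    starts = defaultdict(list)
    for dst, nbytes, start in parse_flow_log(text):
        if nbytes >= min_bytes:
            starts[dst].append(start)
    flagged = {}
    for dst, times in starts.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_flows and all(g <= max_gap_seconds for g in gaps):
            flagged[dst] = {"flows": len(times), "max_gap_s": max(gaps)}
    return flagged


if __name__ == "__main__":
    print(bytes_by_destination(SAMPLE_FLOW_LOG))
    print(flag_upload_loop(SAMPLE_FLOW_LOG))
```

On real data, feed the script the flow log records for the instance's ENI and compare flagged destinations against the Guest Configuration endpoints before deciding whether to update or disable the extension.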

  2. Rahul Jorrigala 4,320 Reputation points Microsoft External Staff Moderator
    2025-08-12T17:13:12.31+00:00

    Hello Kenneth Chan - Admin

    MDE.Windows Extension (Microsoft Defender for Endpoint)

    The MDE.Windows extension is used to onboard non-Azure machines (via Azure Arc) into Microsoft Defender for Endpoint (MDE). This enables advanced threat protection, endpoint detection and response (EDR), and integration with Microsoft Defender for Cloud.

    Key Functions:

    • Installs the Defender for Endpoint agent.
    • Enables telemetry and threat detection on hybrid/on-prem machines.
    • Can be deployed manually or automatically via Defender for Servers.

    Important Notes:

    • If this extension is not installed, the machine will not be onboarded to Defender for Endpoint.
    • Removing it will disable endpoint protection and stop telemetry from being sent to Microsoft Defender for Cloud.

    WindowsAgent.SqlServer Extension (SQL Server on Azure Arc)

    This extension enables SQL Server management and licensing for Arc-enabled machines. It allows SQL Server instances running on-premises or in other clouds to be treated as Azure resources.

    Key Functions:

    • Enables Pay-As-You-Go (PAYG) or Azure Hybrid Benefit (AHB) licensing.
    • Supports features like:
      • Automated backups
      • Availability groups
      • Best practices assessments
      • Database migration
      • Billing and compliance tracking

    Licensing Impact:

    • If you remove the machine from Azure Arc, or uninstall the SQL Server extension, the following may occur:
      • Licensing settings (PAYG/AHB) will be lost.
      • Billing may stop, and you may revert to traditional licensing.
      • Azure features like automated backups and assessments will be disabled.
      • Telemetry and compliance tracking will cease.

    Recommendation:

    If you're using Azure Arc for SQL Server licensing, ensure you have a fallback licensing plan before removing the extension or disconnecting the machine.

    https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/manage-license-billing?view=sql-server-ver17

    https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/manage-configuration?view=sql-server-ver17

    https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/configure-windows-accounts-agent?view=sql-server-ver17

    Please let me know if you face any challenge here; I can help you resolve this issue further.

    If the comment was helpful, please click "Upvote".
