Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
Azure Arc enabled server abnormal network traffic
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 80%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKC%3C/text%3E%3C/svg%3E)
Kenneth Chan - Admin
0
Reputation points
We are observing abnormal outbound traffic generated by Azure Arc Guest Configuration processes on one of our AWS EC2 instances connected via Azure Arc.
From the AWS VPC flow log, it shows a high data volume from NAT Gateway correlates with outbound traffic from gc_service.exe. And the remote IPs involved are 20.209.70.33, 20.60.243.97, 20.209.70.97. From our endpoint monitoring, we figure out gc_service.exe is connected to those three IP.
From the Azure Arc service logs (gc_worker.log), the gc_service.exe and gc_extension_service.exe processes are repeatedly downloading data in short intervals, causing continuous high outbound traffic via our AWS NAT Gateway. This looped behavior results in unusually high "Bytes out to source" traffic in AWS monitoring. (Attached the gc_worker.log)
Please confirm if this is a known issue with the Azure Arc Guest Configuration service. And please advise on whether disabling or updating the Arc Guest Configuration extension will stop the high outbound traffic without affecting Defender’s core protection.
We would like to know what the usage for this Arc service is, as we have the AWS control tower, if Arc service is for compliance report only, we may consider turning it off directly
Azure Arc
{count} votes
-
Kenneth Chan - Admin 0 Reputation points
2025-08-11T15:52:13.1166667+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 56.00000000000001%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
Rahul Jorrigala 3,655 Reputation points Microsoft External Staff Moderator2025-08-11T17:09:27.17+00:00 Hello Kenneth Chan - Admin
The Azure Arc Guest Configuration (gc_service.exe and gc_extension_service.exe) causing excessive outbound traffic, especially when:
The assigned policy set is large (e.g., “AzureWindowsBaseline”).
The agent is unable to converge to a compliant state, resulting in repeated compliance checks and large report uploads.
The log shows repeated cycles of DSC “Get” operations and warnings about oversized compliance reports being trimmed and resent
Your log matches this pattern exactly: The Guest Configuration agent is stuck in a loop, generating and uploading large compliance reports every few minutes, which is the root cause of your high outbound traffic.
Disabling or Updating the Extension
Disabling the Guest Configuration extension will immediately stop this traffic. This extension is only required for Azure Policy compliance reporting and does not affect Microsoft Defender for Cloud’s core protection or threat detection.
Updating the extension
Microsoft has released fixes in recent versions of the Arc agent and Guest Configuration extension to address this looped behavior. If you need compliance reporting, update to the latest version.
No impact on Defender
Defender for Cloud uses its own agents (MMA/AMA) and does not depend on Guest Configuration for threat protection.
Usage of Azure Arc Guest Configuration
Purpose: Provides in-guest policy compliance and configuration auditing for hybrid servers (on-prem, AWS, GCP, etc.), reporting compliance status to Azure Policy.
If you only use AWS Control Tower for compliance and do not need Azure Policy reporting, you can safely disable the Guest Configuration extension.
Network Configuration
The log confirms that the agent is uploading compliance reports to Azure endpoints (e.g., https://canadacentral-gas.guestconfiguration.azure.com/...).
If you keep Guest Configuration enabled, ensure only the required endpoints are open and monitor for excessive traffic. If you disable it, this traffic will stop.
Recommendation
If you do not need Azure Policy compliance reporting on AWS EC2:
Disable the Azure Arc Guest Configuration extension on the affected instance(s).
If you need compliance reporting:
Update the Arc agent and Guest Configuration extension to the latest version to resolve the traffic loop.
Please let me know if you face any challenge here, I can help you to resolve this issue further
If the comment was helpful, please click "Upvote"
-
Kenneth Chan - Admin 0 Reputation points
2025-08-11T17:14:37.6933333+00:00 Hi Rahul,
Thanks so much for your detailed explanation
I would like to further ask something about the gc extensionFrom the impacted server, the extension status is not normal
It show updating and creating
May i know how to fix this?
And if i want to disable the gc extension directly
Do i need to use powershell manually? Or i can do it directly on the console side?Thanks
Kenneth -
Rahul Jorrigala 3,655 Reputation points Microsoft External Staff Moderator
2025-08-11T17:42:26.5233333+00:00 Hello Kenneth Chan - Admin
Try the Azure Portal First
Go to the Arc-connected server’s “Extensions + applications” blade in the Azure Portal.
For each extension stuck in “Updating” or “Creating,” try: Uninstall.
If “Uninstall” fails, proceed to PowerShell.
Use PowerShell on the Server
Open an elevated PowerShell prompt on the server.
List all extensions:
azcmagent extension listRemove the stuck extension:
azcmagent extension remove --name "WindowsAgent.SqlServer" azcmagent extension remove --name "MDE.Windows"Restart the Arc agent:
Restart-Service -Name "AzureConnectedMachineAgent" -ForceReference Link
https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-extensions
https://learn.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions
Please let me know if you face any challenge here, I can help you to resolve this issue further
If the comment was helpful, please click "Upvote"
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 31%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVP%3C/text%3E%3C/svg%3E)
Vinod Pittala 6,130 Reputation points Microsoft External Staff Moderator2025-08-12T10:18:04.7366667+00:00 Hello Kenneth Chan - Admin
We haven't heard back from you regarding the advice Rahul Jorrigala provided earlier. Could you please let us know if it was helpful? If you have any questions or encounter any issues, please don't hesitate to reach out. We are committed to resolving your concerns as a priority.
Thanks
Sign in to comment
Sign in to answer