Azure Arc allows you to connect your Kubernetes cluster to Azure. Connecting a cluster to Azure has many benefits including, Deploying applications, Monitoring, Threat detection and cluster Management.


  1. A Windows PC with WSL2 installed
  2. An Azure account

Install K3s on Windows WSL2

One of the simplest ways to get Linux up and running on your Windows PC is via the Microsoft Store.

  1. Install Ubuntu 22.04 from the Microsoft Store
  2. Launch the app to open a command prompt:
  3. Enable legacy iptables, Kubernetes doesn't support nftables:
$ sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
$ sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
  1. Download K3s:
$ curl -sfL | sh -


This will give an error at the end of installation related to systemd. You can ignore this as you can manually start k3s.

  1. Run the config check to make sure everything is good:
$ k3s check-config
STATUS: pass
  1. Start the k3s server:
$ sudo k3s server
  1. Open a new console and check to make everything is installed and running normally:
$ sudo kubectl cluster-info
Kubernetes control plane is running at
CoreDNS is running at
Metrics-server is running at

$ sudo kubectl get nodes
NAME     STATUS   ROLES                  AGE     VERSION
home     Ready    control-plane,master   2d15h   v1.26.4+k3s1

$ sudo kubectl get pods --all-namespaces
NAMESPACE     NAME                                      READY   STATUS      RESTARTS   AGE
kube-system   local-path-provisioner-76d776f6f9-cxknw   1/1     Running     0          28m
kube-system   helm-install-traefik-crd-hglbh            0/1     Completed   0          28m
kube-system   helm-install-traefik-kljff                0/1     Completed   1          28m
kube-system   svclb-traefik-1bbd6dcd-vwjqc              2/2     Running     0          28m
kube-system   coredns-59b4f5bbd5-d7njz                  1/1     Running     0          28m
kube-system   traefik-56b8c5fb5c-z92nc                  1/1     Running     0          28m
kube-system   metrics-server-7b67f64457-7kmvm           1/1     Running     0          28m

K3s is now up and running, the deployment contains a single node in WSL2.

Configure Port Forwarding

By default, the Kubernetes API server listens on port 6443. To access the cluster from outside WSL2, setup port forwarding.

First get the IP address of the WSL installation by running the following command from the Ubuntu shell. The address returned below is the IP address of my installation, yours will be different.

  1. Get the WSL2 Linux IP address:
$ ip addr show dev eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1
  1. From an administrator Powershell on the host Windows machine, execute the following commands, substituting the IP address you received above for the connectaddress:
> netsh interface portproxy set v4tov4 listenport=6443 listenaddress= connectport=6443 connectaddress=
> netsh advfirewall firewall add rule name=6443 dir=in action=allow protocol=TCP localport=6443"
  1. To display the newly created rule:
> netsh interface portproxy show v4tov4

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------         6443  6443

Install Azure CLI & Extensions

Within the WSL2 Linux container, we will install the Azure CLI and the required extensions that will be used to connect the cluster to Azure Arc.

  1. Install the Azure CLI:
$ curl -sL | sudo bash
  1. Login to Azure by generating a device code and entering this at
$ az login --use-device-code
  1. Install the K8s extension:
$ az extension add --name connectedk8s
  1. Register the Azure Kubernetes providers:
$ az provider register -n Microsoft.Kubernetes
$ az provider register -n Microsoft.KubernetesConfiguration
  1. Monitor the registration to complete, this can take up to 10 minutes:
$ az provider show -n Microsoft.Kubernetes -o table
$ az provider show -n Microsoft.KubernetesConfiguration -o table

Connect the Cluster to Azure

This will install the Azure CLI and the required extensions into the WSL2 Linux container which will then be used to connect the cluster to Azure Arc.

  1. Copy the config file to the .kube user directory:
$ mkdir ~/.kube
$ sudo cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
$ sudo chown $USER ~/.kube/config
  1. Create a resource group and connect the cluster to Azure. This takes around 5 minutes:
$ az group create --name arc --location westus
$ az connectedk8s connect --name WSL-K3S --resource-group Arc
  1. View the Azure Arc agents and make sure they are all running:
$ sudo kubectl get deployments,pods -n azure-arc

NAME                                         READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/flux-logs-agent              1/1     1            1           3m32s
deployment.apps/extension-events-collector   1/1     1            1           3m32s
deployment.apps/cluster-metadata-operator    1/1     1            1           3m32s
deployment.apps/resource-sync-agent          1/1     1            1           3m32s
deployment.apps/metrics-agent                1/1     1            1           3m32s
deployment.apps/clusterconnect-agent         1/1     1            1           3m32s
deployment.apps/controller-manager           1/1     1            1           3m32s
deployment.apps/clusteridentityoperator      1/1     1            1           3m32s
deployment.apps/extension-manager            1/1     1            1           3m32s
deployment.apps/config-agent                 1/1     1            1           3m32s
deployment.apps/kube-aad-proxy               1/1     1            1           3m32s

NAME                                             READY   STATUS    RESTARTS   AGE
pod/flux-logs-agent-6f8f5cbcf7-2qkbc             1/1     Running   0          3m32s
pod/extension-events-collector-f57458c99-4gz2p   2/2     Running   0          3m32s
pod/cluster-metadata-operator-7df6668564-r4jgf   2/2     Running   0          3m31s
pod/resource-sync-agent-6494f7d4ff-pzd5d         2/2     Running   0          3m32s
pod/metrics-agent-bfc8bd9b7-rnbqz                2/2     Running   0          3m32s
pod/clusterconnect-agent-5d4d5fdd9c-qtc8c        3/3     Running   0          3m32s
pod/controller-manager-7f944679cf-fbj6p          2/2     Running   0          3m32s
pod/clusteridentityoperator-676f47d557-rfdtw     2/2     Running   0          3m31s
pod/extension-manager-5b976df5b9-dv7d2           3/3     Running   0          3m32s
pod/config-agent-59b64c97c5-crpl6                2/2     Running   0          3m31s
pod/kube-aad-proxy-6ff4455b89-qf4w9              2/2     Running   0          3m32s

At this point, the Azure Arc resource “WSL-K3S” will now be present in the Azure Portal.

Create Service Token

Creating a service token allows secure connection from Azure to the cluster. Without the token, you will most likely be prompted to sign in when viewing the Azure resource.

  1. Create service account called arc-user:
$ sudo kubectl create serviceaccount arc-user -n default
  1. Grant appropriate permissions on the cluster:
$ sudo kubectl create clusterrolebinding arc-user-binding --clusterrole cluster-admin --serviceaccount default:arc-user
  1. Create service account token for the new account:
sudo kubectl apply -f - <<EOF 
apiVersion: v1
kind: Secret
  name: arc-user-secret
  annotations: arc-user
  1. Get the newly created token:
$ sudo kubectl get secret arc-user-secret -o jsonpath='{$.data.token}' | base64 -d | sed $'s/$/\\n/g'
  1. Go to the WSL-K3S resource in the Azure Portal. Choose the Kubernetes resources | Workloads to view the workloads for the cluster. You will be prompted to enter a Service account bearer token. Enter the token generated above.
  1. You can now view the workloads and other details of the Azure Arc enabled cluster!

Cleaning Up

If you decide that you no longer want to have the cluster connected to Azure Arc, execute the following commands on the WSL2 instance to remove the connection and delete the Azure resource.

$ az connectedk8s delete --name WSL-K3S --resource-group Arc
$ sudo kubectl -n azure-arc delete pods,svc --all