articles/hdinsight/hdinsight-restrict-outbound-traffic.md
1 addition & 55 deletions
@@ -183,61 +183,7 @@ After having the firewall set up successfully, you can use the internal endpoint
To use the public endpoint (`https://CLUSTERNAME.azurehdinsight.net`) or ssh endpoint (`CLUSTERNAME-ssh.azurehdinsight.net`), make sure you have the right routes in the route table and NSG rules to avoid the asymmetric routing issue explained [here](../firewall/integrate-lb.md). Specifically in this case, you need to allow the client IP address in the Inbound NSG rules and also add it to the user-defined route table with the next hop set as `internet`. If the routing isn't set up correctly, you'll see a timeout error.
-
## Configure another network virtual appliance
-
-
> [!Important]
-
> The following information is **only** required if you wish to configure a network virtual appliance (NVA) other than Azure Firewall.
-
-
The previous instructions help you configure Azure Firewall for restricting outbound traffic from your HDInsight cluster. Azure Firewall is automatically configured to allow traffic for many of the common important scenarios. Using another network virtual appliance will require you to configure a number of additional features. Keep the following factors in mind as you configure your network virtual appliance:
-
-
* Service Endpoint capable services should be configured with service endpoints.
-
* IP Address dependencies are for non-HTTP/S traffic (both TCP and UDP traffic).
-
* FQDN HTTP/HTTPS endpoints can be placed in your NVA device.
-
* Wildcard HTTP/HTTPS endpoints are dependencies that can vary based on a number of qualifiers.
-
* Assign the route table that you create to your HDInsight subnet.
-
-
### Service endpoint capable dependencies
-
-
|**Endpoint**|
-
|---|
-
| Azure SQL |
-
| Azure Storage |
-
| Azure Active Directory |
-
-
#### IP address dependencies
-
-
|**Endpoint**|**Details**|
-
|---|---|
-
|\*:123 | NTP clock check. Traffic is checked at multiple endpoints on port 123 |
-
| IPs published [here](hdinsight-management-ip-addresses.md)| These IPs are HDInsight service |
-
| AAD-DS private IPs for ESP clusters |
-
|\*:16800 for KMS Windows Activation |
-
|\*12000 for Log Analytics |
-
-
#### FQDN HTTP/HTTPS dependencies
-
-
> [!Important]
-
> The list below only gives a few of the most important FQDNs. You can get additional FQDNs (mostly Azure Storage and Azure Service Bus) for configuring your NVA [in this file](https://github.com/Azure-Samples/hdinsight-fqdn-lists/blob/master/HDInsightFQDNTags.json).
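Review bot: with `## Configure another network virtual appliance` and everything under it removed, a reader of this article no longer learns that an NVA other than Azure Firewall needs extra allowances, and the hunk's single addition is not visible in this view; confirm that it replaces the removed heading with a pointer to the new article (a one-line "If you use a network virtual appliance other than Azure Firewall, see ..." after the `To use the public endpoint` paragraph would do), otherwise the two articles are disconnected in this direction. The view is also cut off after `> The list below only gives a few of the most important FQDNs...`, so the removal of the FQDN table that followed it cannot be checked from this hunk.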
title: Configure network virtual appliance in Azure HDInsight
+
description: Learn how to configure a number of additional features for your network virtual appliance in Azure HDInsight.
+
author: hrasheed-msft
+
ms.author: hrasheed
+
ms.reviewer: jasonh
+
ms.service: hdinsight
+
ms.topic: conceptual
+
ms.date: 05/06/2020
+
---
+
+
# Configure network virtual appliance in Azure HDInsight
+
+
> [!Important]
+
> The following information is **only** required if you wish to configure a network virtual appliance (NVA) other than Azure Firewall.
+
+
Azure Firewall is automatically configured to allow traffic for many of the common important scenarios. Using another network virtual appliance will require you to configure a number of additional features. Keep the following factors in mind as you configure your network virtual appliance:
+
+
* Service Endpoint capable services should be configured with service endpoints.
+
* IP Address dependencies are for non-HTTP/S traffic (both TCP and UDP traffic).
+
* FQDN HTTP/HTTPS endpoints can be placed in your NVA device.
+
* Wildcard HTTP/HTTPS endpoints are dependencies that can vary based on a number of qualifiers.
+
* Assign the route table that you create to your HDInsight subnet.
+
+
## Service endpoint capable dependencies
+
+
|**Endpoint**|
+
|---|
+
| Azure SQL |
+
| Azure Storage |
+
| Azure Active Directory |
+
+
### IP address dependencies
+
+
|**Endpoint**|**Details**|
+
|---|---|
+
|\*:123 | NTP clock check. Traffic is checked at multiple endpoints on port 123 |
+
| IPs published [here](hdinsight-management-ip-addresses.md)| These IPs are HDInsight service |
+
| AAD-DS private IPs for ESP clusters |
+
|\*:16800 for KMS Windows Activation |
+
|\*12000 for Log Analytics |
+
+
### FQDN HTTP/HTTPS dependencies
+
+
> [!Important]
+
> The list below only gives a few of the most important FQDNs. You can get additional FQDNs (mostly Azure Storage and Azure Service Bus) for configuring your NVA [in this file](https://github.com/Azure-Samples/hdinsight-fqdn-lists/blob/master/HDInsightFQDNTags.json).
+
+
|**Endpoint**|
+
|---|
+
| azure.archive.ubuntu.com:80 |
+
| security.ubuntu.com:80 |
+
| ocsp.msocsp.com:80 |
+
| ocsp.digicert.com:80 |
+
| wawsinfraprodbay063.blob.core.windows.net:443 |
+
| registry-1.docker.io:443 |
+
| auth.docker.io:443 |
+
| production.cloudflare.docker.com:443 |
+
| download.docker.com:443 |
+
| us.archive.ubuntu.com:80 |
+
| download.mono-project.com:80 |
+
| packages.treasuredata.com:80 |
+
| security.ubuntu.com:80 |
+
| azure.archive.ubuntu.com:80 |
+
| ocsp.msocsp.com:80 |
+
| ocsp.digicert.com:80 |
+
+
## Next steps
+
+
*[Use firewall to restrict outbound traffic](./hdinsight-restrict-outbound-traffic.md)
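Review bot: the section is moved verbatim, so its defects come along, and this new file is the place to fix them. In the `### IP address dependencies` table the header declares two columns, but `| AAD-DS private IPs for ESP clusters |`, `|\*:16800 for KMS Windows Activation |` and `|\*12000 for Log Analytics |` have a single cell, which leaves the Details column empty and fuses the port with its purpose; `\*12000` is also missing the `:` the other rows use. Split them, e.g. `| \*:12000 | Log Analytics |`, and state for each wildcard row which protocol (TCP or UDP, as the intro bullet promises) and direction it covers: `*:123`, `*:16800` and `*:12000` tell an NVA operator to open a port to any destination, which is a wide hole in an egress-restriction article and should be scoped to the specific Azure endpoints that serve NTP, KMS and Log Analytics wherever those are known. The FQDN table lists `security.ubuntu.com:80`, `azure.archive.ubuntu.com:80`, `ocsp.msocsp.com:80` and `ocsp.digicert.com:80` twice each; drop the repeats. Under `## Next steps`, `*[Use firewall to restrict outbound traffic]` needs a space after `*` to render as a list item.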