You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/hdinsight/hdinsight-restrict-outbound-traffic.md
+7-4Lines changed: 7 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -56,7 +56,7 @@ On the **Add application rule collection** screen, complete the following steps:
56
56
1. Enter `https:443` under **Protocol:Port** and `login.windows.net` under **Target FQDNS**.
57
57
1. If your cluster is backed by WASB, then add a rule for WASB:
58
58
1. In the **Target FQDNs** section, provide a **Name**, and set **Source addresses** to `*`.
59
-
1. Enter `http:80,https:443` under **Protocol:Port** and the storage account url under **Target FQDNS**. The format will be similar to <storage_account_name.blob.core.windows.net>.
59
+
1. Enter `http:80,https:443` under **Protocol:Port** and the storage account url under **Target FQDNS**. The format will be similar to <storage_account_name.blob.core.windows.net>. To use ONLY https connections make sure ["secure transfer required"](https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer) is enabled on the storage account.
60
60
1. Click **Add**.
61
61
62
62
@@ -79,7 +79,7 @@ Create the network rules to correctly configure your HDInsight cluster.
79
79
1. Set **Source Addresses**`*`.
80
80
1. Enter all of the IP addresses for your domain controllers in **Destination addresses** separated by commas.
81
81
1. Set **Destination Ports** to `*`.
82
-
1. If you are using Azure Data Lake Storage, then you can add a network rule in the IP Addresses section to address an SNI issue with ADLS Gen1 and Gen2. This option will route the traffic to firewall which might result in higher costs for large data loads but the traffic will be logged and auditable.
82
+
1. If you are using Azure Data Lake Storage, then you can add a network rule in the IP Addresses section to address an SNI issue with ADLS Gen1 and Gen2. This option will route the traffic to firewall which might result in higher costs for large data loads but the traffic will be logged and auditable in firewall logs.
83
83
1. Determine the IP address for your Data Lake Storage account. You can use a powershell command such as `[System.Net.DNS]::GetHostAddresses("STORAGEACCOUNTNAME.blob.core.windows.net")` to resolve the FQDN to an IP address.
84
84
1. In the next row in the **Rules** section, provide a **Name** and select **TCP** from the **Protocol** dropdown.
85
85
1. Set **Source Addresses**`*`.
@@ -90,7 +90,7 @@ Create the network rules to correctly configure your HDInsight cluster.
90
90
1. Set **Source Addresses**`*`.
91
91
1. Set **Destination addresses** to `*`.
92
92
1. Set **Destination Ports** to `12000`.
93
-
1. Configure a network rule in the Service Tags section for SQL that will allow you to log and audit SQL traffic, unless you configured Service Endpoints for SQL Server on the HDInsight subnet.
93
+
1. Configure a network rule in the Service Tags section for SQL that will allow you to log and audit SQL traffic, unless you configured Service Endpoints for SQL Server on the HDInsight subnet which will bypass the firewall.
94
94
1. In the next row in the **Rules** section, provide a **Name** and select **TCP** from the **Protocol** dropdown.
95
95
1. Set **Source Addresses**`*`.
96
96
1. Set **Destination addresses** to `*`.
@@ -133,7 +133,7 @@ Complete the route table configuration:
133
133
1. On the **Associate subnet** screen, select the virtual network that your cluster was created into and the **HDInsight Subnet** you used for your HDInsight cluster.
134
134
1. Click **OK**.
135
135
136
-
## Edge-node application traffic
136
+
## Edge-node or custom application traffic
137
137
138
138
The above steps will allow the cluster to operate without issues. You still need to configure dependencies to accommodate your custom applications running on the edge-nodes, if applicable.
139
139
@@ -155,6 +155,9 @@ AzureDiagnostics | where msg_s contains "Deny" | where TimeGenerated >= ago(1h)
155
155
156
156
Integrating your Azure Firewall with Azure Monitor logs is useful when first getting an application working when you are not aware of all of the application dependencies. You can learn more about Azure Monitor logs from [Analyze log data in Azure Monitor](../azure-monitor/log-query/log-query-overview.md)
157
157
158
+
## Access to the cluster
159
+
After having the firewall setup successfully, you can use the internal endpoint (https://<clustername>-int.azurehdinsight.net) to access the Ambari from within the VNET. To use the public endpoint (https://<clustername>.azurehdinsight.net) or ssh endpoint (<clustername>-ssh.azurehdinsight.net), make sure you have the right routes in the route table and NSG rules setup to avoid the asymetric routing issue explained [here](https://docs.microsoft.com/en-us/azure/firewall/integrate-lb).
0 commit comments