articles/iot-edge/production-checklist.md
Lines changed: 5 additions & 3 deletions
@@ -4,7 +4,7 @@ description: Learn how to take your Azure IoT Edge solution from development to
4
4
author: PatAltimore
5
5
6
6
ms.author: patricka
7
-
ms.date: 03/01/2021
7
+
ms.date: 07/22/2022
8
8
ms.topic: conceptual
9
9
ms.service: iot-edge
10
10
services: iot-edge
@@ -213,7 +213,7 @@ If your networking setup requires that you explicitly permit connections made fr
213
213
***IoT Edge hub** opens a single persistent AMQP connection or multiple MQTT connections to IoT Hub, possibly over WebSockets.
214
214
***IoT Edge service** makes intermittent HTTPS calls to IoT Hub.
215
215
216
-
In all three cases, the fully-qualified domain name (FQDN) would match the pattern `\*.azure-devices.net`.
216
+
In all three cases, the fullyqualified domain name (FQDN) would match the pattern `\*.azure-devices.net`.
217
217
218
218
Additionally, the **Container engine** makes calls to container registries over HTTPS. To retrieve the IoT Edge runtime container images, the FQDN is `mcr.microsoft.com`. The container engine connects to other registries as configured in the deployment.
219
219
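Review bot: The changed sentence at line 216 now reads "fullyqualified domain name", which removes the hyphen without leaving a space and introduces a typo. Use "fully qualified domain name" (or keep the original "fully-qualified"). While touching this line, note that the pattern is written as `\*.azure-devices.net` inside a code span, where the backslash is rendered literally; readers copying it into a firewall allowlist would pick up the stray backslash, so `*.azure-devices.net` is the safer form.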
@@ -232,10 +232,12 @@ This checklist is a starting point for firewall rules:
232
232
233
233
<sup>1</sup>Open port 8883 for secure MQTT or port 5671 for secure AMQP. If you can only make connections via port 443 then either of these protocols can be run through a WebSocket tunnel.
234
234
235
-
Since the IP address of an IoT hub can change without notice, always use the FQDN to allow-list configuration. To learn more, see [Understanding the IP address of your IoT hub](../iot-hub/iot-hub-understand-ip-address.md).
235
+
Since the IP address of an IoT hub can change without notice, always use the FQDN to allowlist configuration. To learn more, see [Understanding the IP address of your IoT Hub](../iot-hub/iot-hub-understand-ip-address.md).
236
236
237
237
Some of these firewall rules are inherited from Azure Container Registry. For more information, see [Configure rules to access an Azure container registry behind a firewall](../container-registry/container-registry-firewall-access-rules.md).
238
238
239
+
You can enable dedicated data endpoints in your Azure Container registry to avoid wildcard allowlisting of the *\*.blob.core.windows.net* FQDN. For more information, see [Enable dedicated data endpoints](/azure/container-registry/container-registry-firewall-access-rules#enable-dedicated-data-endpoints).
240
+
239
241
> [!NOTE]
240
242
> To provide a consistent FQDN between the REST and data endpoints, beginning **June 15, 2020** the Microsoft Container Registry data endpoint will change from `*.cdn.mscr.io` to `*.data.mcr.microsoft.com`
241
243
> For more information, see [Microsoft Container Registry client firewall rules configuration](https://github.com/microsoft/containerregistry/blob/master/client-firewall-rules.md)
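Review bot: The added sentence at line 239 links to the firewall access rules article with a site-absolute path (/azure/container-registry/container-registry-firewall-access-rules#enable-dedicated-data-endpoints), while the unchanged line 237 directly above links to the same article with a relative .md path (../container-registry/container-registry-firewall-access-rules.md); pick one link style for both. The same sentence writes "Azure Container registry" where line 237 and the product name use "Azure Container Registry" / "Azure container registry". In the reworded line 235, "always use the FQDN to allowlist configuration" still does not parse; something like "always use the FQDN in your allowlist configuration" reads correctly, and the link text now says "IoT Hub" while the sentence itself says "an IoT hub". Since the point of the new sentence is to avoid the *.blob.core.windows.net wildcard, it would help to say which FQDNs the reader should allow instead, rather than leaving that entirely to the linked article.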