System requirements for Azure Stack Edge Pro with GPU
This article describes the important system requirements for your Microsoft Azure Stack Edge Pro GPU solution and for the clients connecting to Azure Stack Edge Pro. We recommend that you review the information carefully before you deploy your Azure Stack Edge Pro. You can refer back to this information as necessary during the deployment and subsequent operation.
The system requirements for the Azure Stack Edge Pro include:
- Software requirements for hosts - describes the supported platforms, browsers for the local configuration UI, SMB clients, and any additional requirements for the clients that access the device.
- Networking requirements for the device - provides information about any networking requirements for the operation of the physical device.
Supported OS for clients connected to device
Here's a list of the supported operating systems for clients or hosts connected to your device. These operating system versions were tested in-house.
Operating system/platform | Versions |
---|---|
Windows Server | 2016 2019 |
Windows | 10 |
SUSE Linux | Enterprise Server 12 (x86_64) |
Ubuntu | 16.04.3 LTS |
macOS | 10.14.1 |
Supported protocols for clients accessing device
Here are the supported protocols for clients accessing your device.
Protocol | Versions | Notes |
---|---|---|
SMB | 2.X, 3.X | SMB 1 isn't supported. |
NFS | 3.0, 4.1 | Mac OS is not supported with NFS v4.1. |
Supported Azure Storage accounts
Here is a list of the supported storage accounts for your device.
Storage account | Notes |
---|---|
Classic | Standard |
General Purpose | Standard; both V1 and V2 are supported. Both hot and cool tiers are supported. |
Supported Edge storage accounts
The following Edge storage accounts are supported with REST interface of the device. The Edge storage accounts are created on the device. For more information, see Edge storage accounts.
Type | Storage account | Comments |
---|---|---|
Standard | GPv1: Block Blob |
*Page blobs and Azure Files are currently not supported.
Supported local Azure Resource Manager storage accounts
These storage accounts are created via the device local APIs when you are connecting to local Azure Resource Manager. The following storage accounts are supported:
Type | Storage account | Comments |
---|---|---|
Standard | GPv1: Block Blob, Page Blob | SKU type is Standard_LRS |
Premium | GPv1: Block Blob, Page Blob | SKU type is Premium_LRS |
Supported storage types
Here is a list of the supported storage types for the device.
File format | Notes |
---|---|
Azure block blob | |
Azure page blob | |
Azure Files |
Supported browsers for local web UI
Here is a list of the browsers supported for the local web UI for the virtual device.
Browser | Versions | Additional requirements/notes |
---|---|---|
Google Chrome | Latest version | |
Microsoft Edge | Latest version | |
Internet Explorer | Latest version | If enhanced security features are enabled, you may not be able to access local web UI pages. Disable enhanced security, and restart your browser. |
FireFox | Latest version | |
Safari on Mac | Latest version |
Networking port requirements
Port requirements for Azure Stack Edge Pro
The following table lists the ports that need to be opened in your firewall to allow for SMB, cloud, or management traffic. In this table, in or inbound refers to the direction from which incoming client requests access to your device. Out or outbound refers to the direction in which your Azure Stack Edge Pro device sends data externally, beyond the deployment, for example, outbound to the internet.
Port no. | In or out | Port scope | Required | Notes |
---|---|---|---|---|
TCP 80 (HTTP) | Out | WAN | Yes | Outbound port is used for internet access to retrieve updates. The outbound web proxy is user configurable. |
TCP 443 (HTTPS) | Out | WAN | Yes | Outbound port is used for accessing data in the cloud. The outbound web proxy is user configurable. |
UDP 123 (NTP) | Out | WAN | In some cases See notes |
This port is required only if you're using an internet-based NTP server. |
UDP 53 (DNS) | Out | WAN | In some cases See notes |
This port is required only if you're using an internet-based DNS server. We recommend using a local DNS server. |
TCP 5985 (WinRM) | Out/In | LAN | In some cases See notes |
This port is required to connect to the device via remote PowerShell over HTTP. |
TCP 5986 (WinRM) | Out/In | LAN | In some cases See notes |
This port is required to connect to the device via remote PowerShell over HTTPS. |
UDP 67 (DHCP) | Out | LAN | In some cases See notes |
This port is required only if you're using a local DHCP server. |
TCP 80 (HTTP) | Out/In | LAN | Yes | This port is the inbound port for local UI on the device for local management. Accessing the local UI over HTTP will automatically redirect to HTTPS. |
TCP 443 (HTTPS) | Out/In | LAN | Yes | This port is the inbound port for local UI on the device for local management. This port is also used to connect Azure Resource Manager to the device local APIs, to connect Blob storage via REST APIs, and to the Security token service (STS) to authenticate via access and refresh tokens. |
TCP 445 (SMB) | In | LAN | In some cases See notes |
This port is required only if you are connecting via SMB. |
TCP 2049 (NFS) | In | LAN | In some cases See notes |
This port is required only if you are connecting via NFS. |
Port requirements for IoT Edge
Azure IoT Edge allows outbound communication from an on-premises Edge device to Azure cloud using supported IoT Hub protocols. Inbound communication is only required for specific scenarios where Azure IoT Hub needs to push down messages to the Azure IoT Edge device (for example, Cloud To Device messaging).
Use the following table for port configuration for the servers hosting Azure IoT Edge runtime:
Port no. | In or out | Port scope | Required | Guidance |
---|---|---|---|---|
TCP 443 (HTTPS) | Out | WAN | Yes | Outbound open for IoT Edge provisioning. This configuration is required when using manual scripts or Azure IoT Device Provisioning Service (DPS). |
For complete information, go to Firewall and port configuration rules for IoT Edge deployment.
Port requirements for Kubernetes on Azure Stack Edge
Port no. | In or out | Port scope | Required | Guidance |
---|---|---|---|---|
TCP 31000 (HTTPS) | In | LAN | In some cases. See notes. |
This port is required only if you are connecting to the Kubernetes dashboard to monitor your device. |
TCP 6443 (HTTPS) | In | LAN | In some cases. See notes. |
This port is required by Kubernetes API server only if you are using kubectl to access your device. |
Important
If your datacenter firewall is restricting or filtering traffic based on source IPs or MAC addresses, make sure that the compute IPs (Kubernetes node IPs) and MAC addresses are in the allowed list. The MAC addresses can be specified by running the Set-HcsMacAddressPool
cmdlet on the PowerShell interface of the device.
URL patterns for firewall rules
Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Azure Stack Edge Pro device and the service depend on other Microsoft applications such as Azure Service Bus, Microsoft Entra Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. These changes require the network administrator to monitor and update firewall rules for your Azure Stack Edge Pro as and when needed.
We recommend that you set your firewall rules for outbound traffic, based on Azure Stack Edge Pro fixed IP addresses, liberally in most cases. However, you can use the information below to set advanced firewall rules that are needed to create secure environments.
Note
- The device (source) IPs should always be set to all the cloud-enabled network interfaces.
- The destination IPs should be set to Azure datacenter IP ranges.
URL patterns for gateway feature
URL pattern | Component or functionality |
---|---|
https://login.microsoftonline.com https://login.microsoftonline.net https://pod01-edg1.eus.databoxedge.azure.com/ https://pod01-edg1.wus2.databoxedge.azure.com/ https://pod01-edg1.sea.databoxedge.azure.com/ https://pod01-edg1.we.databoxedge.azure.com/ https://*.databoxedge.azure.com/*1 https://euspod01edg1sbcnpu53n.servicebus.windows.net/ https://wus2pod01edg1sbcnqh26z.servicebus.windows.net/ https://seapod01edg1sbcnkw22o.servicebus.windows.net/ https://wepod01edg1sbcnhk23j.servicebus.windows.net/ https://*.servicebus.windows.net/*2 1,2Use the wildcard URL to refer to multiple Azure regions with a single URL, or use a specific URL to refer to an individual Azure region. |
Azure Stack Edge service Azure Service Bus Authentication Service - Microsoft Entra ID |
http://crl.microsoft.com/pki/* http://www.microsoft.com/pki/* |
Certificate revocation |
https://*.core.windows.net/* https://*.data.microsoft.com http://*.msftncsi.com http://www.msftconnecttest.com/connecttest.txt https://www.bing.com/ https://management.azure.com/ https://seapod1edg1monsa01kw22o.table.core.windows.net/ https://euspod01edg1monsa01pu53n.table.core.windows.net/ https://wus2pod1edg1monsa01qh26z.table.core.windows.net/ https://wepod01edg1monsa01hk23j.table.core.windows.net/ |
Azure storage accounts and monitoring |
http://windowsupdate.microsoft.com http://*.windowsupdate.microsoft.com https://*.windowsupdate.microsoft.com http://*.update.microsoft.com https://*.update.microsoft.com http://*.windowsupdate.com http://download.microsoft.com http://*.download.windowsupdate.com http://wustat.windows.com http://ntservicepack.microsoft.com http://*.ws.microsoft.com https://*.ws.microsoft.com http://*.mp.microsoft.com |
Microsoft Update servers |
http://*.deploy.akamaitechnologies.com | Akamai CDN |
https://azureprofilerfrontdoor.cloudapp.net https://*.trafficmanager.net/* |
Azure Traffic Manager |
http://*.data.microsoft.com | Telemetry service in Windows, see the update for customer experience and diagnostic telemetry |
http://<vault-name>.vault.azure.net:443 |
Key Vault |
https://azstrpprod.trafficmanager.net/* |
Remote Management |
http://www.msftconnecttest.com/connecttest.txt https://www.bing.com/ |
Required for a web proxy test, this URL is used to validate web connectivity before applying the configuration. |
URL patterns for compute feature
URL pattern | Component or functionality |
---|---|
https://mcr.microsoft.com https://*.cdn.mscr.io |
Microsoft container registry (required) |
https://*.azurecr.io | Personal and third-party container registries (optional) |
https://*.azure-devices.net | IoT Hub access (required) |
https://*.docker.com | StorageClass (required) |
URL patterns for monitoring
Add the following URL patterns for Azure Monitor if you're using the containerized version of the Log Analytics agent for Linux.
URL pattern | Port | Component or functionality |
---|---|---|
https://*ods.opinsights.azure.com | 443 | Data ingestion |
https://*.oms.opinsights.azure.com | 443 | Operations Management Suite (OMS) onboarding |
https://*.dc.services.visualstudio.com | 443 | Agent telemetry that uses Azure Public Cloud Application Insights |
For more information, see Network firewall requirements for monitoring container insights.
URL patterns for gateway for Azure Government
URL pattern | Component or functionality |
---|---|
https://*.databoxedge.azure.us/* https://*.servicebus.usgovcloudapi.net/* https://login.microsoftonline.us |
Azure Data Box Edge/ Azure Data Box Gateway service Azure Service Bus Authentication Service |
http://*.backup.windowsazure.us | Device activation |
http://crl.microsoft.com/pki/* http://www.microsoft.com/pki/* |
Certificate revocation |
https://*.core.usgovcloudapi.net/* https://*.data.microsoft.com http://*.msftncsi.com http://www.msftconnecttest.com/connecttest.txt |
Azure storage accounts and monitoring |
http://windowsupdate.microsoft.com http://*.windowsupdate.microsoft.com https://*.windowsupdate.microsoft.com http://*.update.microsoft.com https://*.update.microsoft.com http://*.windowsupdate.com http://download.microsoft.com http://*.download.windowsupdate.com http://wustat.windows.com http://ntservicepack.microsoft.com http://*.ws.microsoft.com https://*.ws.microsoft.com http://*.mp.microsoft.com |
Microsoft Update servers |
http://*.deploy.akamaitechnologies.com | Akamai CDN |
https://*.partners.extranet.microsoft.com/* | Support package |
http://*.data.microsoft.com | Telemetry service in Windows, see the update for customer experience and diagnostic telemetry |
https://(vault-name).vault.usgovcloudapi.net:443 | Key Vault |
https://azstrpffprod.usgovtrafficmanager.net/* | Remote Management |
URL patterns for compute for Azure Government
URL pattern | Component or functionality |
---|---|
https://mcr.microsoft.com https://*.cdn.mscr.com |
Microsoft container registry (required) |
https://*.azure-devices.us | IoT Hub access (required) |
https://*.azurecr.us | Personal and third-party container registries (optional) |
URL patterns for monitoring for Azure Government
Add the following URL patterns for Azure Monitor if you're using the containerized version of the Log Analytics agent for Linux.
URL pattern | Port | Component or functionality |
---|---|---|
https://*ods.opinsights.azure.us | 443 | Data ingestion |
https://*.oms.opinsights.azure.us | 443 | Operations Management Suite (OMS) onboarding |
https://*.dc.services.visualstudio.com | 443 | Agent telemetry that uses Azure Public Cloud Application Insights |
Internet bandwidth
The devices are designed to continue to operate when your internet connection is slow or gets interrupted. In normal operating conditions, we recommend that you use:
- A minimum of 10-Mbps download bandwidth to ensure the device stays updated.
- A minimum of 20-Mbps dedicated upload and download bandwidth to transfer files.
- A minimum of 100-Mbps is required for the internet connection on AP5GC networks.
Use WAN throttling to limit your WAN throughput to 64 Mbps or higher.
Compute sizing considerations
Use your experience while developing and testing your solution to ensure there is enough capacity on your Azure Stack Edge Pro device and you get the optimal performance from your device.
Factors you should consider include:
Container specifics - Think about the following.
- What is your container footprint? How much memory, storage, and CPU is your container consuming?
- How many containers are in your workload? You could have a lot of lightweight containers versus a few resource-intensive ones.
- What are the resources allocated to these containers versus what are the resources they are consuming (the footprint)?
- How many layers do your containers share? Container images are a bundle of files organized into a stack of layers. For your container image, determine how many layers and their respective sizes to calculate resource consumption.
- Are there unused containers? A stopped container still takes up disk space.
- In which language are your containers written?
Size of the data processed - How much data will your containers be processing? Will this data consume disk space or the data will be processed in the memory?
Expected performance - What are the desired performance characteristics of your solution?
To understand and refine the performance of your solution, you could use:
- The compute metrics available in the Azure portal. Go to your Azure Stack Edge resource and then go to Monitoring > Metrics. Look at the Edge compute - Memory usage and Edge compute - Percentage CPU to understand the available resources and how are the resources getting consumed.
- To monitor and troubleshoot compute modules, go to Debug Kubernetes issues.
Finally, make sure that you validate your solution on your dataset and quantify the performance on Azure Stack Edge Pro before deploying in production.