Apologize, I was gathering information internally. By default, Inbound TCP traffic on port 22 (Linux nodes) or port 3389 (Windows nodes) will be permitted for remote access. For certain types of multi-instance tasks on Linux (such as MPI), you will need to also allow SSH port 22 traffic for IPs in the subnet containing the Batch compute nodes. To be able to run a parallel computation on a network of computers via MPI, one has to be able to log in to any of the machines without having to enter a password. This can be achieved easily using secure shell key authentication. This may be blocked per subnet-level NSG rules.
Allowing traffic on these ports is not strictly required for the pool compute nodes to be usable.
SSH/RDP are only needed if you wish to make use of those functionalities. It can be useful to have in the case any advanced debugging is needed (i.e. getting OS logs), but other than that it only effects whether the node can be SSH’d to.
If there is need to restrict or disable these default external access settings. You can modify these settings by using the Batch APIs to set the PoolEndpointConfiguration property. You can configure or disable remote access to compute nodes in an Azure Batch pool.
Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.