Firewall requirements for Azure Stack HCI
Applies to: Azure Stack HCI, versions 23H2 and 22H2
This article provides guidance on how to configure firewalls for the Azure Stack HCI operating system. It includes firewall requirements for outbound endpoints and internal rules and ports. The article also provides information on how to use Azure service tags with Microsoft Defender firewall.
This article also describes how to optionally use a highly locked-down firewall configuration to block all traffic to all destinations except those included in your allowlist.
If your network uses a proxy server for internet access, see Configure proxy settings for Azure Stack HCI.
Important
Azure Express Route and Azure Private Link are not supported for Azure Stack HCI, version 23H2 or any of its components as it is not possible to access the public endpoints required for Azure Stack HCI, version 23H2.
Firewall requirements for outbound endpoints
Opening port 443 for outbound network traffic on your organization's firewall meets the connectivity requirements for the Azure Stack HCI operating system to connect with Azure and Microsoft Update. If your outbound firewall is restricted, then we recommend including the URLs and ports described in the Recommended firewall URLs section of this article.
Azure Stack HCI needs to periodically connect to Azure. Access is limited only to:
- Well-known Azure IPs
- Outbound direction
- Port 443 (HTTPS)
Important
Azure Stack HCI doesn't support HTTPS inspection. Make sure that HTTPS inspection is disabled along your networking path for Azure Stack HCI to prevent any connectivity errors.
As shown in the following diagram, Azure Stack HCI can access Azure using more than one firewall potentially.
Required firewall URLs
Starting with Azure Stack HCI, version 23H2, all the clusters automatically enable Azure Resource Bridge and AKS infrastructure and uses the Arc for Servers agent to connect to Azure control plane. Along with the list of HCI specific endpoints on the following table, the Azure Resource Bridge on Azure Stack HCI endpoints, the AKS on Azure Stack HCI endpoints and the Azure Arc-enabled servers endpoints must be included in the allowlist of your firewall.
For a consolidated list of endpoints when deploying in East US, use this list:
For a consolidated list of endpoints when deploying in Western Europe, use this list:
For a consolidated list of endpoints when deploying in Australia East, use this list:
The following table provides a list of required firewall URLs. Make sure to include these URLs in your allowlist.
Note
The Azure Stack HCI firewall rules on this table are the minimum endpoints required for HciSvc system service connectivity, and don't contain wildcards. However, the following table currently contains wildcard URLs, which may be updated into precise endpoints in the future.
| Service | URL | Port | Notes |
|---|---|---|---|
| Azure Stack HCI Updates download | fe3.delivery.mp.microsoft.com | 443 | For updating Azure Stack HCI, version 23H2. |
| Azure Stack HCI Updates download | tlu.dl.delivery.mp.microsoft.com | 80 | For updating Azure Stack HCI, version 23H2. |
| Azure Stack HCI Updates discovery | aka.ms | 443 | For resolving addresses to discover Azure Stack HCI, version 23H2 and Solution Builder Extension Updates. |
| Azure Stack HCI Updates discovery | redirectiontool.trafficmanager.net | 443 | Underlying service that implements usage data tracking for the aka.ms redirection links. |
| Azure Stack HCI | login.microsoftonline.com | 443 | For Active Directory Authority and used for authentication, token fetch, and validation. |
| Azure Stack HCI | graph.windows.net | 443 | For Graph and used for authentication, token fetch, and validation. |
| Azure Stack HCI | management.azure.com | 443 | For Resource Manager and used during initial bootstrapping of the cluster to Azure for registration purposes and to unregister the cluster. |
| Azure Stack HCI | dp.stackhci.azure.com | 443 | For Data plane that pushes up diagnostics data and used in the Azure portal pipeline and pushes billing data. |
| Azure Stack HCI | *.platform.edge.azure.com | 443 | For Data plane used in the licensing and in pushing alerting and billing data. Required only for Azure Stack HCI, version 23H2. |
| Azure Stack HCI | azurestackhci.azurefd.net | 443 | Previous URL for Data plane. This URL was recently changed. If you registered your cluster using this old URL, you must allowlist it as well. |
| Azure Stack HCI | hciarcvmscontainerregistry.azurecr.io | 443 | For Arc VM container registry on Azure Stack HCI. Required only for Azure Stack HCI, version 23H2. |
| Azure Key Vault | *.vault.azure.net/* | 443 | Access to key vault to access Azure Stack HCI deployment secrets. Replace the first * with the name of the key vault you plan to use, and the 2nd * with the secret names. Required only for Azure Stack HCI, version 23H2. |
| Arc For Servers | aka.ms | 443 | For resolving the download script during installation. |
| Arc For Servers | download.microsoft.com | 443 | For downloading the Windows installation package. |
| Arc For Servers | login.windows.net | 443 | For Microsoft Entra ID |
| Arc For Servers | login.microsoftonline.com | 443 | For Microsoft Entra ID |
| Arc For Servers | pas.windows.net | 443 | For Microsoft Entra ID |
| Arc For Servers | management.azure.com | 443 | For Azure Resource Manager to create or delete the Arc Server resource |
| Arc For Servers | guestnotificationservice.azure.com | 443 | For the notification service for extension and connectivity scenarios |
| Arc For Servers | *.his.arc.azure.com | 443 | For metadata and hybrid identity services |
| Arc For Servers | *.guestconfiguration.azure.com | 443 | For extension management and guest configuration services |
| Arc For Servers | *.guestnotificationservice.azure.com | 443 | For notification service for extension and connectivity scenarios |
| Arc For Servers | azgn*.servicebus.windows.net | 443 | For notification service for extension and connectivity scenarios |
| Arc For Servers | *.servicebus.windows.net | 443 | For Windows Admin Center and SSH scenarios |
| Arc For Servers | *.waconazure.com | 443 | For Windows Admin Center connectivity |
| Arc For Servers | *.blob.core.windows.net | 443 | For download source for Azure Arc-enabled servers extensions |
For a comprehensive list of all the firewall URLs, download the firewall URLs spreadsheet.
Recommended firewall URLs
The following table provides a list of recommended firewall URLs. If your outbound firewall is restricted, we recommend including the URLs and ports described in this section to your allowlist.
Note
The Azure Stack HCI firewall rules are the minimum endpoints required for HciSvc system service connectivity, and don't contain wildcards. However, the following table currently contains wildcard URLs, which may be updated into precise endpoints in the future.
| Service | URL | Port | Notes |
|---|---|---|---|
| Azure Benefits on Azure Stack HCI | crl3.digicert.com | 80 | Enables the platform attestation service on Azure Stack HCI to perform a certificate revocation list check to provide assurance that VMs are indeed running on Azure environments. |
| Azure Benefits on Azure Stack HCI | crl4.digicert.com | 80 | Enables the platform attestation service on Azure Stack HCI to perform a certificate revocation list check to provide assurance that VMs are indeed running on Azure environments. |
| Azure Stack HCI | *.powershellgallery.com | 443 | To obtain the Az.StackHCI PowerShell module, which is required for cluster registration. Alternatively, you can download and install the Az.StackHCI PowerShell module manually from PowerShell Gallery. |
| Cluster Cloud Witness | *.blob.core.windows.net | 443 | For firewall access to the Azure blob container, if choosing to use a cloud witness as the cluster witness, which is optional. |
| Microsoft Update | windowsupdate.microsoft.com | 80 | For Microsoft Update, which allows the OS to receive updates. |
| Microsoft Update | download.windowsupdate.com | 80 | For Microsoft Update, which allows the OS to receive updates. |
| Microsoft Update | *.download.windowsupdate.com | 80 | For Microsoft Update, which allows the OS to receive updates. |
| Microsoft Update | download.microsoft.com | 443 | For Microsoft Update, which allows the OS to receive updates. |
| Microsoft Update | wustat.windows.com | 80 | For Microsoft Update, which allows the OS to receive updates. |
| Microsoft Update | ntservicepack.microsoft.com | 80 | For Microsoft Update, which allows the OS to receive updates. |
| Microsoft Update | go.microsoft.com | 80 | For Microsoft Update, which allows the OS to receive updates. |
| Microsoft Update | dl.delivery.mp.microsoft.com | 80, 443 | For Microsoft Update, which allows the OS to receive updates. |
| Microsoft Update | *.delivery.mp.microsoft.com | 80, 443 | For Microsoft Update, which allows the OS to receive updates. |
| Microsoft Update | *.windowsupdate.microsoft.com | 80, 443 | For Microsoft Update, which allows the OS to receive updates. |
| Microsoft Update | *.windowsupdate.com | 80 | For Microsoft Update, which allows the OS to receive updates. |
| Microsoft Update | *.update.microsoft.com | 80, 443 | For Microsoft Update, which allows the OS to receive updates. |
Firewall requirements for additional Azure services
Depending on additional Azure services you enable for Azure Stack HCI, you may need to make additional firewall configuration changes. Refer to the following links for information on firewall requirements for each Azure service:
- Azure Monitor Agent
- Azure portal
- Azure Site Recovery
- Azure Virtual Desktop
- Microsoft Defender
- Microsoft Monitoring Agent (MMA) and Log Analytics Agent
- Qualys
- Remote support
- Windows Admin Center
- Windows Admin Center in Azure portal
Firewall requirements for internal rules and ports
Ensure that the proper network ports are open between all server nodes, both within a site and between sites for stretched clusters (stretched cluster functionality is only available in Azure Stack HCI, version 22H2.). You'll need appropriate firewall rules to allow ICMP, SMB (port 445, plus port 5445 for SMB Direct if using iWARP RDMA), and WS-MAN (port 5985) bi-directional traffic between all servers in the cluster.
When using the Cluster Creation wizard in Windows Admin Center to create the cluster, the wizard automatically opens the appropriate firewall ports on each server in the cluster for Failover Clustering, Hyper-V, and Storage Replica. If you're using a different firewall on each server, open the ports as described in the following sections:
Azure Stack HCI OS management
Ensure that the following firewall rules are configured in your on-premises firewall for Azure Stack HCI OS management, including licensing and billing.
| Rule | Action | Source | Destination | Service | Ports |
|---|---|---|---|---|---|
| Allow inbound/outbound traffic to and from the Azure Stack HCI service on cluster servers | Allow | Cluster servers | Cluster servers | TCP | 30301 |
Windows Admin Center
Ensure that the following firewall rules are configured in your on-premises firewall for Windows Admin Center.
| Rule | Action | Source | Destination | Service | Ports |
|---|---|---|---|---|---|
| Provide access to Azure and Microsoft Update | Allow | Windows Admin Center | Azure Stack HCI | TCP | 445 |
| Use Windows Remote Management (WinRM) 2.0 for HTTP connections to run commands on remote Windows servers |
Allow | Windows Admin Center | Azure Stack HCI | TCP | 5985 |
| Use WinRM 2.0 for HTTPS connections to run commands on remote Windows servers |
Allow | Windows Admin Center | Azure Stack HCI | TCP | 5986 |
Note
While installing Windows Admin Center, if you select the Use WinRM over HTTPS only setting, then port 5986 is required.
Failover Clustering
Ensure that the following firewall rules are configured in your on-premises firewall for Failover Clustering.
| Rule | Action | Source | Destination | Service | Ports |
|---|---|---|---|---|---|
| Allow Failover Cluster validation | Allow | Management system | Cluster servers | TCP | 445 |
| Allow RPC dynamic port allocation | Allow | Management system | Cluster servers | TCP | Minimum of 100 ports above port 5000 |
| Allow Remote Procedure Call (RPC) | Allow | Management system | Cluster servers | TCP | 135 |
| Allow Cluster Administrator | Allow | Management system | Cluster servers | UDP | 137 |
| Allow Cluster Service | Allow | Management system | Cluster servers | UDP | 3343 |
| Allow Cluster Service (Required during a server join operation.) |
Allow | Management system | Cluster servers | TCP | 3343 |
| Allow ICMPv4 and ICMPv6 for Failover Cluster validation |
Allow | Management system | Cluster servers | n/a | n/a |
Note
The management system includes any computer from which you plan to administer the cluster, using tools such as Windows Admin Center, Windows PowerShell, or System Center Virtual Machine Manager.
Hyper-V
Ensure that the following firewall rules are configured in your on-premises firewall for Hyper-V.
| Rule | Action | Source | Destination | Service | Ports |
|---|---|---|---|---|---|
| Allow cluster communication | Allow | Management system | Hyper-V server | TCP | 445 |
| Allow RPC Endpoint Mapper and WMI | Allow | Management system | Hyper-V server | TCP | 135 |
| Allow HTTP connectivity | Allow | Management system | Hyper-V server | TCP | 80 |
| Allow HTTPS connectivity | Allow | Management system | Hyper-V server | TCP | 443 |
| Allow Live Migration | Allow | Management system | Hyper-V server | TCP | 6600 |
| Allow VM Management Service | Allow | Management system | Hyper-V server | TCP | 2179 |
| Allow RPC dynamic port allocation | Allow | Management system | Hyper-V server | TCP | Minimum of 100 ports above port 5000 |
Note
Open up a range of ports above port 5000 to allow RPC dynamic port allocation. Ports below 5000 may already be in use by other applications and could cause conflicts with DCOM applications. Previous experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other. For more information, see How to configure RPC dynamic port allocation to work with firewalls.
Storage Replica (stretched cluster)
Ensure that the following firewall rules are configured in your on-premises firewall for Storage Replica (stretched cluster).
| Rule | Action | Source | Destination | Service | Ports |
|---|---|---|---|---|---|
| Allow Server Message Block (SMB) protocol |
Allow | Stretched cluster servers | Stretched cluster servers | TCP | 445 |
| Allow Web Services-Management (WS-MAN) |
Allow | Stretched cluster servers | Stretched cluster servers | TCP | 5985 |
| Allow ICMPv4 and ICMPv6 (if using the Test-SRTopologyPowerShell cmdlet) |
Allow | Stretched cluster servers | Stretched cluster servers | n/a | n/a |
Update Microsoft Defender firewall
This section shows how to configure Microsoft Defender firewall to allow IP addresses associated with a service tag to connect with the operating system. A service tag represents a group of IP addresses from a given Azure service. Microsoft manages the IP addresses included in the service tag, and automatically updates the service tag as IP addresses change to keep updates to a minimum. To learn more, see Virtual network service tags.
Download the JSON file from the following resource to the target computer running the operating system: Azure IP Ranges and Service Tags – Public Cloud.
Use the following PowerShell command to open the JSON file:
$json = Get-Content -Path .\ServiceTags_Public_20201012.json | ConvertFrom-JsonGet the list of IP address ranges for a given service tag, such as the
AzureResourceManagerservice tag:$IpList = ($json.values | where Name -Eq "AzureResourceManager").properties.addressPrefixesImport the list of IP addresses to your external corporate firewall, if you're using an allowlist with it.
Create a firewall rule for each server in the cluster to allow outbound 443 (HTTPS) traffic to the list of IP address ranges:
New-NetFirewallRule -DisplayName "Allow Azure Resource Manager" -RemoteAddress $IpList -Direction Outbound -LocalPort 443 -Protocol TCP -Action Allow -Profile Any -Enabled True
Next steps
For more information, see also:
- The Windows Firewall and WinRM 2.0 ports section of Installation and configuration for Windows Remote Management
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for