Firewall requirements for Azure Stack HCI

Applies to: Azure Stack HCI, versions 22H2, 21H2, and 20H2

This article provides guidance on how to configure firewalls for the Azure Stack HCI operating system. It includes firewall requirements for outbound endpoints and internal rules and ports. The article also provides information on how to set up a proxy server and how to use Azure service tags with Microsoft Defender firewall.

Firewall requirements for outbound endpoints

Opening port 443 for outbound network traffic on your organization's firewall meets the connectivity requirements for the operating system to connect with Azure and Microsoft Update. If your outbound firewall is restricted, then we recommend including the URLs and ports described in the Recommended firewall URLs section of this article.

Azure Stack HCI needs to periodically connect to Azure. Access is limited only to:

  • Well-known Azure IPs
  • Outbound direction
  • Port 443 (HTTPS)

This article describes how to optionally use a highly locked-down firewall configuration to block all traffic to all destinations except those included in your allowlist.

As shown in the following diagram, Azure Stack HCI accesses Azure using more than one firewall potentially.

Diagram shows Azure Stack HCI accessing service tag endpoints through Port 443 (HTTPS) of firewalls.

The following sections provide consolidated lists of required and recommended URLs for the Azure Stack HCI core components, which include cluster creation, registration and billing, Microsoft Update, and cloud cluster witness. You can use the JSON tab to directly copy-and-paste the URLs into your allowlist.

The subsequent sections provide additional details about the firewall requirements of Azure Stack HCI core components, followed by firewall requirements for additional Azure services (optional).

Required firewall URLs

The following table provides a list of required firewall URLs. Make sure to include these URLs to your allowlist.

Note

The Azure Stack HCI firewall rules are the minimum endpoints required for HciSvc connectivity, and don't contain wildcards. However, the following table currently contains wildcard URLs, which may be updated into precise endpoints in the future.

Service URL Port Notes
Azure Stack HCI login.microsoftonline.com 443 For Active Directory Authority and used for authentication, token fetch, and validation.
Azure Stack HCI graph.windows.net 443 For Graph and used for authentication, token fetch, and validation.
Azure Stack HCI management.azure.com 443 For Resource Manager and used during initial bootstrapping of the cluster to Azure for registration purposes and to unregister the cluster.
Azure Stack HCI dp.stackhci.azure.com 443 For Dataplane that pushes up diagnostics data and used in the Portal pipeline and pushes billing data.
Azure Stack HCI azurestackhci.azurefd.net 443 Previous URL for Dataplane. This URL was recently changed, customers who registered their cluster using this old URL must allowlist it as well.
Arc For Servers aka.ms 443 For resolving the download script during installation.
Arc For Servers download.microsoft.com 443 For downloading the Windows installation package.
Arc For Servers login.windows.net 443 For Azure Active Directory
Arc For Servers login.microsoftonline.com 443 For Azure Active Directory
Arc For Servers pas.windows.net 443 For Azure Active Directory
Arc For Servers management.azure.com 443 For Azure Resource Manager to create or delete the Arc Server resource
Arc For Servers guestnotificationservice.azure.com 443 For the notification service for extension and connectivity scenarios
Arc For Servers *.his.arc.azure.com 443 For metadata and hybrid identity services
Arc For Servers *.guestconfiguration.azure.com 443 For extension management and guest configuration services
Arc For Servers *.guestnotificationservice.azure.com 443 For notification service for extension and connectivity scenarios
Arc For Servers azgn*.servicebus.windows.net 443 For notification service for extension and connectivity scenarios
Arc For Servers *.servicebus.windows.net 443 For Windows Admin Center and SSH scenarios
Arc For Servers *.waconazure.com 443 For Windows Admin Center connectivity
Arc For Servers *.blob.core.windows.net 443 For download source for Azure Arc-enabled servers extensions

For a comprehensive list of all the firewall URLs, download the firewall URLs spreadsheet.

The following table provides a list of recommended firewall URLs. If your outbound firewall is restricted, we recommend including the URLs and ports described in this section to your allowlist.

Note

The Azure Stack HCI firewall rules are the minimum endpoints required for HciSvc connectivity, and don't contain wildcards. However, the following table currently contains wildcard URLs, which may be updated into precise endpoints in the future.

Service URL Port Notes
Azure Stack HCI *.powershellgallery.com 443 To obtain the Az.StackHCI PowerShell module, which is required for cluster registration. Alternatively, you can download and install the Az.StackHCI PowerShell module manually from PowerShell Gallery.
Cluster Cloud Witness *.blob.core.windows.net 443 For firewall access to the Azure blob container, if choosing to use a cloud witness as the cluster witness, which is optional.
Microsoft Update windowsupdate.microsoft.com 80 For Microsoft Update, which allows the OS to receive updates.
Microsoft Update download.windowsupdate.com 80 For Microsoft Update, which allows the OS to receive updates.
Microsoft Update download.microsoft.com 443 For Microsoft Update, which allows the OS to receive updates.
Microsoft Update wustat.windows.com 80 For Microsoft Update, which allows the OS to receive updates.
Microsoft Update ntservicepack.microsoft.com 80 For Microsoft Update, which allows the OS to receive updates.
Microsoft Update go.microsoft.com 80 For Microsoft Update, which allows the OS to receive updates.
Microsoft Update dl.delivery.mp.microsoft.com 443 For Microsoft Update, which allows the OS to receive updates.
Microsoft Update *.windowsupdate.microsoft.com 80, 443 For Microsoft Update, which allows the OS to receive updates.
Microsoft Update *.update.microsoft.com 80, 443 For Microsoft Update, which allows the OS to receive updates.
Microsoft Update *.windowsupdate.com 80 For Microsoft Update, which allows the OS to receive updates.
Microsoft Update *.download.windowsupdate.com 80 For Microsoft Update, which allows the OS to receive updates.

Firewall requirements for additional Azure services

Depending on additional Azure services you enable on HCI, you may need to make additional firewall configuration changes. Refer to the following links for information on firewall requirements for each Azure service:

Firewall requirements for internal rules and ports

Ensure that the proper network ports are open between all server nodes both within a site and between sites (for stretched clusters). You'll need appropriate firewall rules to allow ICMP, SMB (port 445, plus port 5445 for SMB Direct if using iWARP RDMA), and WS-MAN (port 5985) bi-directional traffic between all servers in the cluster.

When using the Cluster Creation wizard in Windows Admin Center to create the cluster, the wizard automatically opens the appropriate firewall ports on each server in the cluster for Failover Clustering, Hyper-V, and Storage Replica. If you're using a different firewall on each server, open the ports as described in the following sections:

Windows Admin Center

Ensure that the following firewall rules are configured in your on-premises firewall for Windows Admin Center.

Rule Action Source Destination Service Ports
Provide access to Azure and Microsoft Update Allow Windows Admin Center Azure Stack HCI TCP 445
Use Windows Remote Management (WinRM) 2.0
for HTTP connections to run commands
on remote Windows servers
Allow Windows Admin Center Azure Stack HCI TCP 5985
Use WinRM 2.0 for HTTPS connections to run
commands on remote Windows servers
Allow Windows Admin Center Azure Stack HCI TCP 5986

Note

While installing Windows Admin Center, if you select the Use WinRM over HTTPS only setting, then port 5986 is required.

Failover Clustering

Ensure that the following firewall rules are configured in your on-premises firewall for Failover Clustering.

Rule Action Source Destination Service Ports
Allow Failover Cluster validation Allow Management system Cluster servers TCP 445
Allow RPC dynamic port allocation Allow Management system Cluster servers TCP Minimum of 100 ports
above port 5000
Allow Remote Procedure Call (RPC) Allow Management system Cluster servers TCP 135
Allow Cluster Administrator Allow Management system Cluster servers UDP 137
Allow Cluster Service Allow Management system Cluster servers UDP 3343
Allow Cluster Service (Required during
a server join operation.)
Allow Management system Cluster servers TCP 3343
Allow ICMPv4 and ICMPv6
for Failover Cluster validation
Allow Management system Cluster servers n/a n/a

Note

The management system includes any computer from which you plan to administer the cluster, using tools such as Windows Admin Center, Windows PowerShell or System Center Virtual Machine Manager.

Hyper-V

Ensure that the following firewall rules are configured in your on-premises firewall for Hyper-V.

Rule Action Source Destination Service Ports
Allow cluster communication Allow Management system Hyper-V server TCP 445
Allow RPC Endpoint Mapper and WMI Allow Management system Hyper-V server TCP 135
Allow HTTP connectivity Allow Management system Hyper-V server TCP 80
Allow HTTPS connectivity Allow Management system Hyper-V server TCP 443
Allow Live Migration Allow Management system Hyper-V server TCP 6600
Allow VM Management Service Allow Management system Hyper-V server TCP 2179
Allow RPC dynamic port allocation Allow Management system Hyper-V server TCP Minimum of 100 ports
above port 5000

Note

Open up a range of ports above port 5000 to allow RPC dynamic port allocation. Ports below 5000 may already be in use by other applications and could cause conflicts with DCOM applications. Previous experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other. For more information, see How to configure RPC dynamic port allocation to work with firewalls.

Storage Replica (stretched cluster)

Ensure that the following firewall rules are configured in your on-premises firewall for Storage Replica (stretched cluster).

Rule Action Source Destination Service Ports
Allow Server Message Block
(SMB) protocol
Allow Stretched cluster servers Stretched cluster servers TCP 445
Allow Web Services-Management
(WS-MAN)
Allow Stretched cluster servers Stretched cluster servers TCP 5985
Allow ICMPv4 and ICMPv6
(if using the Test-SRTopology
PowerShell cmdlet)
Allow Stretched cluster servers Stretched cluster servers n/a n/a

Set up a proxy server

Note

Windows Admin Center proxy settings and Azure Stack HCI proxy settings are separate. Changing Azure Stack HCI cluster proxy settings doesn't affect Windows Admin Center outbound traffic, such as connecting to Azure, downloading extensions, and so on. Install the WinInetProxy module to run the commands in this section. For information about the module and how to install it, see PowerShell Gallery | WinInetProxy 0.1.0.

To set up a proxy server for Azure Stack HCI, run the following PowerShell command as an administrator on each server in the cluster:

Set-WinInetProxy -ProxySettingsPerUser 0 -ProxyServer webproxy1.com:9090

Use the ProxySettingsPerUser 0 flag to make the proxy configuration server-wide instead of per user, which is the default.

To remove the proxy configuration, run the PowerShell command Set-WinInetProxy without arguments.

Configure proxy for Microsoft Update and Cluster Cloud Witness

You can configure proxy for Microsoft Update and Cluster Cloud Witness automatically with WinHTTP autoproxy or manually by using the netsh command-line utility.

To manually configure proxy configuration for Microsoft Update and Cluster Cloud Witness, at the command prompt, type:

netsh winhttp set proxy <proxy server name>:<port number>

To remove the proxy configuration for Microsoft Update and Cluster Cloud Witness, at the command prompt, type:

netsh winhttp reset proxy

To view or verify current WinHTTP proxy configuration, at the command prompt, type:

netsh winhttp show proxy

Important

We don't support authenticated proxies due to security concerns associated with storing authenticated user credentials.

Configure proxy for Azure services

Refer to the following articles for information about how to configure proxy server settings for each Azure service:

Update Microsoft Defender firewall

This section shows how to configure Microsoft Defender firewall to allow IP addresses associated with a service tag to connect with the operating system. A service tag represents a group of IP addresses from a given Azure service. Microsoft manages the IP addresses included in the service tag, and automatically updates the service tag as IP addresses change to keep updates to a minimum. To learn more, see Virtual network service tags.

  1. Download the JSON file from the following resource to the target computer running the operating system: Azure IP Ranges and Service Tags – Public Cloud.

  2. Use the following PowerShell command to open the JSON file:

    $json = Get-Content -Path .\ServiceTags_Public_20201012.json | ConvertFrom-Json
    
  3. Get the list of IP address ranges for a given service tag, such as the "AzureResourceManager" service tag:

    $IpList = ($json.values | where Name -Eq "AzureResourceManager").properties.addressPrefixes
    
  4. Import the list of IP addresses to your external corporate firewall, if you're using an allowlist with it.

  5. Create a firewall rule for each server in the cluster to allow outbound 443 (HTTPS) traffic to the list of IP address ranges:

    New-NetFirewallRule -DisplayName "Allow Azure Resource Manager" -RemoteAddress $IpList -Direction Outbound -LocalPort 443 -Protocol TCP -Action Allow -Profile Any -Enabled True
    

Next steps

For more information, see also: