Azure Automation network configuration details

This page provides networking details that are required for Hybrid Runbook Worker and State Configuration, and for Update Management and Change Tracking and Inventory.

Hybrid Runbook Worker and State Configuration

The following port and URLs are required for the Hybrid Runbook Worker, and for Automation State Configuration to communicate with Azure Automation.

  • Port: Only 443 required for outbound internet access
  • Global URL: *
  • Global URL of US Gov Virginia: *
  • Agent service: https://<workspaceId>

Network planning for Hybrid Runbook Worker

For either a system or user Hybrid Runbook Worker to connect to and register with Azure Automation, it must have access to the port number and URLs described in this section. The worker must also have access to the ports and URLs required for the Log Analytics agent to connect to the Azure Monitor Log Analytics workspace.

If you have an Automation account that's defined for a specific region, you can restrict Hybrid Runbook Worker communication to that regional datacenter. Review the DNS records used by Azure Automation for the required DNS records.

Configuration of private networks for State Configuration

If your nodes are located in a private network, the port and URLs defined above are required. These resources provide network connectivity for the managed node and allow DSC to communicate with Azure Automation.

If you are using DSC resources that communicate between nodes, such as the WaitFor* resources, you also need to allow traffic between nodes. See the documentation for each DSC resource to understand these network requirements.

To understand client requirements for TLS 1.2, see TLS 1.2 for Azure Automation.

Update Management and Change Tracking and Inventory

The addresses in this table are required both for Update Management and for Change Tracking and Inventory. The paragraph following the table also applies to both.

Communication to these addresses uses port 443.

Azure Public Azure Government
* *
* *
* *
* *

When you create network group security rules or configure Azure Firewall to allow traffic to the Automation service and the Log Analytics workspace, use the service tags GuestAndHybridManagement and AzureMonitor. This simplifies the ongoing management of your network security rules. To connect to the Automation service from your Azure VMs securely and privately, review Use Azure Private Link. To obtain the current service tag and range information to include as part of your on-premises firewall configurations, see downloadable JSON files.

Next steps