Redaguoti

Bendrinti naudojant


Required outbound traffic for HDInsight on AKS

Note

We will retire Azure HDInsight on AKS on January 31, 2025. Before January 31, 2025, you will need to migrate your workloads to Microsoft Fabric or an equivalent Azure product to avoid abrupt termination of your workloads. The remaining clusters on your subscription will be stopped and removed from the host.

Only basic support will be available until the retirement date.

Important

This feature is currently in preview. The Supplemental Terms of Use for Microsoft Azure Previews include more legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability. For information about this specific preview, see Azure HDInsight on AKS preview information. For questions or feature suggestions, please submit a request on AskHDInsight with the details and follow us for more updates on Azure HDInsight Community.

Note

HDInsight on AKS uses Azure CNI Overlay network model by default. For more information, see Azure CNI Overlay networking.

This article outlines the networking information to help manage the network policies at enterprise and make necessary changes to the network security groups (NSGs) for smooth functioning of HDInsight on AKS.

If you use firewall to control outbound traffic to your HDInsight on AKS cluster, you must ensure that your cluster can communicate with critical Azure services. Some of the security rules for these services are region-specific, and some of them apply to all Azure regions.

You need to configure the following network and application security rules in your firewall to allow outbound traffic.

Common traffic

Type Destination Endpoint Protocol Port Azure Firewall Rule Type Use
** ServiceTag AzureCloud.<Region> UDP 1194 Network security rule Tunneled secure communication between the nodes and the control plane.
** ServiceTag AzureCloud.<Region> TCP 9000 Network security rule Tunneled secure communication between the nodes and the control plane.
FQDN Tag AzureKubernetesService HTTPS 443 Application security rule Required by AKS Service.
Service Tag AzureMonitor TCP 443 Network security rule Required for integration with Azure Monitor.
FQDN hiloprodrpacr00.azurecr.io HTTPS 443 Application security rule Downloads metadata info of the docker image for setup of HDInsight on AKS and monitoring.
FQDN *.blob.core.windows.net HTTPS 443 Application security rule Monitoring and setup of HDInsight on AKS.
FQDN graph.microsoft.com HTTPS 443 Application security rule Authentication.
FQDN *.servicebus.windows.net HTTPS 443 Application security rule Monitoring.
FQDN *.table.core.windows.net HTTPS 443 Application security rule Monitoring.
FQDN gcs.prod.monitoring.core.windows.net HTTPS 443 Application security rule Monitoring.
** FQDN API Server FQDN (available once AKS cluster is created) TCP 443 Network security rule Required as the running pods/deployments use it to access the API Server. You can get this information from the AKS cluster running behind the cluster pool. For more information, see how to get API Server FQDN using Azure portal.

Note

** This configiration isn't required if you enable private AKS.

Cluster specific traffic

The below section outlines any specific network traffic, which a cluster shape requires, to help enterprises plan and update the network rules accordingly.

Trino

Type Destination Endpoint Protocol Port Azure Firewall Rule Type Use
FQDN *.dfs.core.windows.net HTTPS 443 Application security rule Required if Hive is enabled. It's user's own Storage account, such as contosottss.dfs.core.windows.net
FQDN *.database.windows.net mysql 1433 Application security rule Required if Hive is enabled. It's user's own SQL server, such as contososqlserver.database.windows.net
Service Tag Sql.<Region> TCP 11000-11999 Network security rule Required if Hive is enabled. It's used in connecting to SQL server. It's recommended to allow outbound communication from the client to all Azure SQL IP addresses in the region on ports in the range of 11000 to 11999. Use the Service Tags for SQL to make this process easier to manage. When using the Redirect connection policy, refer to the Azure IP Ranges and Service Tags – Public Cloud for a list of your region's IP addresses to allow.

Spark

Type Destination Endpoint Protocol Port Azure Firewall Rule Type Use
FQDN *.dfs.core.windows.net HTTPS 443 Application security rule Spark Azure Data Lake Storage Gen2. It's user's Storage account: such as contosottss.dfs.core.windows.net
Service Tag Storage.<Region> TCP 445 Network security rule Use SMB protocol to connect to Azure File
FQDN *.database.windows.net mysql 1433 Application security rule Required if Hive is enabled. It's user's own SQL server, such as contososqlserver.database.windows.net
Service Tag Sql.<Region> TCP 11000-11999 Network security rule Required if Hive is enabled. It's used to connect to SQL server. It's recommended to allow outbound communication from the client to all Azure SQL IP addresses in the region on ports in the range of 11000 to 11999. Use the Service Tags for SQL to make this process easier to manage. When using the Redirect connection policy, refer to the Azure IP Ranges and Service Tags – Public Cloud for a list of your region's IP addresses to allow.
Type Destination Endpoint Protocol Port Azure Firewall Rule Type Use
FQDN *.dfs.core.windows.net HTTPS 443 Application security rule Flink Azure Data Lake Storage Gens. It's user's Storage account: such as contosottss.dfs.core.windows.net

Next steps