Azure Sphere OS networking requirements
Important
This is the Azure Sphere (Legacy) documentation. Azure Sphere (Legacy) is retiring on 27 September 2027, and users must migrate to Azure Sphere (Integrated) by this time. Use the Version selector located above the TOC to view the Azure Sphere (Integrated) documentation.
The Azure Sphere OS and services communicate with devices, Azure IoT Hub, and other services using various endpoints, ports, and protocols. Some are required only by certain features and others are expected only on the local network. This topic lists the internet and public endpoints with which Azure Sphere devices must communicate for basic operation.
Azure Sphere tools use the 192.168.35.n subnet for a serial line IP connection to the device over the Service UART. Currently, you cannot change this.
Note
The Azure Sphere firewall blocks all outgoing and incoming connections by default. To open a connection to a host for an application, specify the host name in the AllowedConnections field.
Protocol | Port | URLs or IP addresses | Purpose |
---|---|---|---|
MQTT over TCP | 8883 | global.azure-devices-provisioning.net | Device provisioning and communication with Azure IoT Hub |
MQTT over TCP | 443 (WebSocket) | global.azure-devices-provisioning.net | Device provisioning and communication with Azure IoT Hub |
HTTP over TCP | 80 | www.msftconnecttest.com, prod.update.sphere.azure.net | Internet connection checks, certificate file downloads, and similar tasks |
HTTPS over TCP | 443 | anse.azurewatson.microsoft.com, prod.device.core.sphere.azure.net, prod.deviceauth.sphere.azure.net, prod.dinsights.core.sphere.azure.net, prod.releases.sphere.azure.net, prod.core.sphere.azure.net, prodmsimg.blob.core.windows.net, prodptimg.blob.core.windows.net, prodmsimg-secondary.blob.core.windows.net, prodptimg-secondary.blob.core.windows.net, sphereblobeus.azurewatson.microsoft.com, sphereblobweus.azurewatson.microsoft.com, sphere.sb.dl.delivery.mp.microsoft.com | Communication with web services and Azure Sphere Security service (see Restricting network access to Azure Sphere Security Services) |
UDP | 53 | | Communication with domain name servers (DNS) |
UDP | 123 | prod.time.sphere.azure.net, time.sphere.azure.net, time-a-g.nist.gov | Communication with NTP server |
Note
NTP is an optional feature that is enabled by default on Azure Sphere devices. However, you can disable it if not required. You can also configure your application to connect to an NTP server other than the default server. For more information, see Manage system time and the RTC in high-level applications.
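Where device traffic also passes through a filtering egress firewall, the added example below (not part of the original documentation) checks an allowlist against the endpoints in the table above and reports what is still blocked. The rule format (protocol, port, host glob), the function name, and the sample rules are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Required endpoints, transcribed from the table above. DNS (UDP 53) is left out
# because the resolver address is site-specific.
REQUIRED = {
    ("tcp", 8883): ["global.azure-devices-provisioning.net"],
    ("tcp", 80): ["www.msftconnecttest.com", "prod.update.sphere.azure.net"],
    ("tcp", 443): [
        "global.azure-devices-provisioning.net", "anse.azurewatson.microsoft.com",
        "prod.device.core.sphere.azure.net", "prod.deviceauth.sphere.azure.net",
        "prod.dinsights.core.sphere.azure.net", "prod.releases.sphere.azure.net",
        "prod.core.sphere.azure.net", "sphere.sb.dl.delivery.mp.microsoft.com",
        "prodmsimg.blob.core.windows.net", "prodptimg.blob.core.windows.net",
        "prodmsimg-secondary.blob.core.windows.net", "prodptimg-secondary.blob.core.windows.net",
        "sphereblobeus.azurewatson.microsoft.com", "sphereblobweus.azurewatson.microsoft.com",
    ],
    ("udp", 123): ["prod.time.sphere.azure.net", "time.sphere.azure.net",
                   "time-a-g.nist.gov"],
}

def missing_endpoints(allow_rules, ntp_enabled=True):
    """Return sorted (proto, port, host) tuples that no allow rule covers."""
    rules = [(p.lower(), int(port), pat.lower()) for p, port, pat in allow_rules]
    missing = []
    for (proto, port), hosts in REQUIRED.items():
        if (proto, port) == ("udp", 123) and not ntp_enabled:
            continue  # NTP is optional and can be disabled on the device
        for host in hosts:
            # A rule covers a host only if protocol, port and name glob all match.
            if not any(rp == proto and rport == port and fnmatchcase(host, pat)
                       for rp, rport, pat in rules):
                missing.append((proto, port, host))
    return sorted(missing)

# Constructed sample allowlist (hypothetical format: protocol, port, host glob).
SAMPLE_RULES = [
    ("tcp", 443, "*.sphere.azure.net"),
    ("tcp", 443, "*.azurewatson.microsoft.com"),
    ("tcp", 443, "*.blob.core.windows.net"),
    ("tcp", 8883, "global.azure-devices-provisioning.net"),
    ("tcp", 80, "www.msftconnecttest.com"),
    ("udp", 123, "*.sphere.azure.net"),
]

if __name__ == "__main__":
    for proto, port, host in missing_endpoints(SAMPLE_RULES):
        print(f"not allowed: {proto}/{port} {host}")
```

The sample shows two common gaps: a wildcard opened on port 443 does not cover the same domain on port 80, and allowing MQTT on 8883 does not cover the WebSocket path on 443.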
High-level applications can also use additional networking resources. In particular, applications that use an Azure IoT Hub require ports 8883 and 443 to communicate with their hub at the domain names created during Azure IoT setup. The Azure IoT Hub documentation lists other Azure IoT Hub port and protocol requirements.
Azure Sphere devices can also be configured to connect with and communicate through a proxy server. For more information, see Connect Azure Sphere through a proxy server.