Required outbound traffic for HDInsight on AKS
Note
We will retire Azure HDInsight on AKS on January 31, 2025. Before January 31, 2025, you will need to migrate your workloads to Microsoft Fabric or an equivalent Azure product to avoid abrupt termination of your workloads. The remaining clusters on your subscription will be stopped and removed from the host.
Only basic support will be available until the retirement date.
Important
This feature is currently in preview. The Supplemental Terms of Use for Microsoft Azure Previews include more legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability. For information about this specific preview, see Azure HDInsight on AKS preview information. For questions or feature suggestions, please submit a request on AskHDInsight with the details and follow us for more updates on Azure HDInsight Community.
Note
HDInsight on AKS uses Azure CNI Overlay network model by default. For more information, see Azure CNI Overlay networking.
This article outlines the networking information you need to manage network policies at the enterprise level and to make the necessary changes to your network security groups (NSGs) so that HDInsight on AKS functions smoothly.
If you use a firewall to control outbound traffic from your HDInsight on AKS cluster, you must ensure that the cluster can still communicate with critical Azure services. Some of the security rules for these services are region-specific, and some apply to all Azure regions.
You need to configure the following network and application security rules in your firewall to allow that outbound traffic.
Common traffic
Type | Destination Endpoint | Protocol | Port | Azure Firewall Rule Type | Use |
---|---|---|---|---|---|
** Service Tag | AzureCloud.<Region> | UDP | 1194 | Network security rule | Tunneled secure communication between the nodes and the control plane. |
** Service Tag | AzureCloud.<Region> | TCP | 9000 | Network security rule | Tunneled secure communication between the nodes and the control plane. |
FQDN Tag | AzureKubernetesService | HTTPS | 443 | Application security rule | Required by the AKS service. |
Service Tag | AzureMonitor | TCP | 443 | Network security rule | Required for integration with Azure Monitor. |
FQDN | hiloprodrpacr00.azurecr.io | HTTPS | 443 | Application security rule | Downloads metadata of the Docker image for setup of HDInsight on AKS and monitoring. |
FQDN | *.blob.core.windows.net | HTTPS | 443 | Application security rule | Monitoring and setup of HDInsight on AKS. |
FQDN | graph.microsoft.com | HTTPS | 443 | Application security rule | Authentication. |
FQDN | *.servicebus.windows.net | HTTPS | 443 | Application security rule | Monitoring. |
FQDN | *.table.core.windows.net | HTTPS | 443 | Application security rule | Monitoring. |
FQDN | gcs.prod.monitoring.core.windows.net | HTTPS | 443 | Application security rule | Monitoring. |
** FQDN | API Server FQDN (available once the AKS cluster is created) | TCP | 443 | Network security rule | Required because the running pods/deployments use it to reach the API server. You can get this value from the AKS cluster running behind the cluster pool. For more information, see how to get the API Server FQDN using the Azure portal. |
Note
** This configuration isn't required if you enable private AKS.
Cluster specific traffic
The following section outlines the specific network traffic that each cluster shape requires, to help enterprises plan and update their network rules accordingly.
Trino
Type | Destination Endpoint | Protocol | Port | Azure Firewall Rule Type | Use |
---|---|---|---|---|---|
FQDN | *.dfs.core.windows.net | HTTPS | 443 | Application security rule | Required if Hive is enabled. It's the user's own storage account, such as contosottss.dfs.core.windows.net. |
FQDN | *.database.windows.net | mysql | 1433 | Application security rule | Required if Hive is enabled. It's the user's own SQL server, such as contososqlserver.database.windows.net. |
Service Tag | Sql.<Region> | TCP | 11000-11999 | Network security rule | Required if Hive is enabled. It's used when connecting to SQL server. It's recommended to allow outbound communication from the client to all Azure SQL IP addresses in the region on ports in the range 11000 to 11999. Use the Service Tags for SQL to make this easier to manage. When using the Redirect connection policy, refer to the Azure IP Ranges and Service Tags – Public Cloud for the list of your region's IP addresses to allow. |
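The Common traffic and Trino tables above are the requirements; what an operator usually lacks is a repeatable way to check an existing firewall against them. The following Python gap-checker is an added example and is not code from the Microsoft article or from HDInsight. It transcribes the two tables into data, resolves the `<Region>` and API Server FQDN placeholders, drops the `**` rows when private AKS is enabled, and reports every required row that no exported rule covers (a firewall FQDN wildcard may be broader than the required one, and a port range must fully contain the required range). The export format (`collection`/`kind`/`dest`/`proto`/`ports` dictionaries) and the sample export are constructed for this example; they are not the real `az network firewall show` schema. Treating the 1433 row's protocol as Azure Firewall's `MSSQL` application-rule protocol is an assumption about the intent of the table's "mysql" entry.

```python
"""Gap-check a firewall's outbound rules against the HDInsight on AKS requirements.

Added example, not code from the Microsoft article or the HDInsight project.
The required-rule lists are transcribed from the article's "Common traffic"
and "Trino" tables; the export format and SAMPLE_EXPORT are constructed here.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Required:
    collection: str   # "network" or "application" (article: Azure Firewall Rule Type)
    kind: str         # "servicetag", "fqdntag" or "fqdn"
    dest: str         # may carry the article's <Region> or API-server placeholder
    proto: str
    ports: str        # "443" or a range such as "11000-11999"
    public_aks_only: bool = False   # the article's "**" rows: not needed for private AKS


API_SERVER = "<ApiServerFqdn>"   # placeholder: the value is only known once AKS exists

COMMON = [
    Required("network", "servicetag", "AzureCloud.<Region>", "UDP", "1194", True),
    Required("network", "servicetag", "AzureCloud.<Region>", "TCP", "9000", True),
    Required("application", "fqdntag", "AzureKubernetesService", "HTTPS", "443"),
    Required("network", "servicetag", "AzureMonitor", "TCP", "443"),
    Required("application", "fqdn", "hiloprodrpacr00.azurecr.io", "HTTPS", "443"),
    Required("application", "fqdn", "*.blob.core.windows.net", "HTTPS", "443"),
    Required("application", "fqdn", "graph.microsoft.com", "HTTPS", "443"),
    Required("application", "fqdn", "*.servicebus.windows.net", "HTTPS", "443"),
    Required("application", "fqdn", "*.table.core.windows.net", "HTTPS", "443"),
    Required("application", "fqdn", "gcs.prod.monitoring.core.windows.net", "HTTPS", "443"),
    Required("network", "fqdn", API_SERVER, "TCP", "443", True),
]

# Trino with Hive enabled. Assumption: the article's "mysql" on 1433 means the
# Azure Firewall MSSQL application-rule protocol.
TRINO_HIVE = [
    Required("application", "fqdn", "*.dfs.core.windows.net", "HTTPS", "443"),
    Required("application", "fqdn", "*.database.windows.net", "MSSQL", "1433"),
    Required("network", "servicetag", "Sql.<Region>", "TCP", "11000-11999"),
]


def _port_range(spec: str) -> tuple:
    """'443' -> (443, 443); '11000-11999' -> (11000, 11999)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def _covers(fw: dict, need: Required) -> bool:
    """True if one exported firewall rule satisfies one required row."""
    if fw["collection"] != need.collection or fw["kind"] != need.kind:
        return False
    if fw["proto"].upper() != need.proto.upper():
        return False
    if need.kind == "fqdn":
        # A broader firewall wildcard (e.g. *.core.windows.net) covers a narrower required one.
        dest_ok = any(fnmatchcase(need.dest, pattern) for pattern in fw["dest"])
    else:
        dest_ok = need.dest in fw["dest"]   # service/FQDN tags must match exactly
    if not dest_ok:
        return False
    lo, hi = _port_range(need.ports)
    return any(flo <= lo and hi <= fhi for flo, fhi in map(_port_range, fw["ports"]))


def missing_rules(required, firewall_export, region, private_aks=False, api_server_fqdn=None):
    """Return the required rows (placeholders resolved) that no exported rule covers."""
    gaps = []
    for need in required:
        if private_aks and need.public_aks_only:
            continue   # article: the "**" rows aren't required for private AKS
        dest = need.dest.replace("<Region>", region)
        if api_server_fqdn:
            dest = dest.replace(API_SERVER, api_server_fqdn)
        resolved = Required(need.collection, need.kind, dest, need.proto, need.ports, need.public_aks_only)
        if not any(_covers(fw, resolved) for fw in firewall_export):
            gaps.append(resolved)
    return gaps


# Constructed sample export: a firewall in eastus that is almost compliant for Trino + Hive.
SAMPLE_EXPORT = [
    {"collection": "network", "kind": "servicetag", "dest": ["AzureCloud.eastus"], "proto": "UDP", "ports": ["1194"]},
    {"collection": "network", "kind": "servicetag", "dest": ["AzureCloud.eastus"], "proto": "TCP", "ports": ["9000"]},
    {"collection": "application", "kind": "fqdntag", "dest": ["AzureKubernetesService"], "proto": "HTTPS", "ports": ["443"]},
    {"collection": "network", "kind": "servicetag", "dest": ["AzureMonitor"], "proto": "TCP", "ports": ["443"]},
    {"collection": "application", "kind": "fqdn", "proto": "HTTPS", "ports": ["443"],
     "dest": ["*.core.windows.net", "hiloprodrpacr00.azurecr.io", "graph.microsoft.com"]},
    {"collection": "network", "kind": "fqdn", "dest": ["example-cluster.hcp.eastus.azmk8s.io"], "proto": "TCP", "ports": ["443"]},
    # Too narrow: the article requires 11000-11999.
    {"collection": "network", "kind": "servicetag", "dest": ["Sql.eastus"], "proto": "TCP", "ports": ["11000-11500"]},
]

if __name__ == "__main__":
    for gap in missing_rules(COMMON + TRINO_HIVE, SAMPLE_EXPORT, "eastus",
                             api_server_fqdn="example-cluster.hcp.eastus.azmk8s.io"):
        print(f"MISSING {gap.collection:<11} {gap.kind:<10} {gap.dest} {gap.proto}/{gap.ports}")
```

Run against the constructed export, the checker flags three gaps: no rule for `*.servicebus.windows.net` (the `*.core.windows.net` wildcard does not cover it), no MSSQL rule for `*.database.windows.net`, and an `Sql.eastus` range that stops at 11500 instead of 11999. Extending the checker to Spark or Flink is a matter of transcribing their tables into further `Required` lists.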
Spark
Type | Destination Endpoint | Protocol | Port | Azure Firewall Rule Type | Use |
---|---|---|---|---|---|
FQDN | *.dfs.core.windows.net | HTTPS | 443 | Application security rule | Spark Azure Data Lake Storage Gen2. It's the user's storage account, such as contosottss.dfs.core.windows.net. |
Service Tag | Storage.<Region> | TCP | 445 | Network security rule | Uses the SMB protocol to connect to Azure Files. |
FQDN | *.database.windows.net | mysql | 1433 | Application security rule | Required if Hive is enabled. It's the user's own SQL server, such as contososqlserver.database.windows.net. |
Service Tag | Sql.<Region> | TCP | 11000-11999 | Network security rule | Required if Hive is enabled. It's used to connect to SQL server. It's recommended to allow outbound communication from the client to all Azure SQL IP addresses in the region on ports in the range 11000 to 11999. Use the Service Tags for SQL to make this easier to manage. When using the Redirect connection policy, refer to the Azure IP Ranges and Service Tags – Public Cloud for the list of your region's IP addresses to allow. |
Apache Flink
Type | Destination Endpoint | Protocol | Port | Azure Firewall Rule Type | Use |
---|---|---|---|---|---|
FQDN | *.dfs.core.windows.net | HTTPS | 443 | Application security rule | Flink Azure Data Lake Storage Gen2. It's the user's storage account, such as contosottss.dfs.core.windows.net. |