---
title: Required outbound network rules for Azure Managed Instance for Apache Cassandra
description: Learn which outbound network rules and FQDNs are required for Azure Managed Instance for Apache Cassandra
author: rothja
ms.service: managed-instance-apache-cassandra
ms.topic: how-to
ms.date: 11/02/2021
ms.author: jroth
ms.custom: ignite-fall-2021
---

# Required outbound network rules for Azure Managed Instance for Apache Cassandra
The Azure Managed Instance for Apache Cassandra service requires certain outbound network rules in order to manage the service properly. By making sure the proper rules are in place, you keep your service secure and prevent operational issues.

If you are using Azure Firewall to restrict outbound access, we highly recommend using virtual network service tags. The following tags are required for Azure Managed Instance for Apache Cassandra to function properly.
Destination Service Tag | Protocol | Port | Use |
---|---|---|---|
Storage | HTTPS | 443 | Required for secure communication between the nodes and Azure Storage for Control Plane communication and configuration. |
AzureKeyVault | HTTPS | 443 | Required for secure communication between the nodes and Azure Key Vault. Certificates and keys are used to secure communication inside the cluster. |
EventHub | HTTPS | 443 | Required to forward logs to Azure |
AzureMonitor | HTTPS | 443 | Required to forward metrics to Azure |
AzureActiveDirectory | HTTPS | 443 | Required for Azure Active Directory authentication. |
AzureResourceManager | HTTPS | 443 | Required to gather information about and manage Cassandra nodes (for example, reboot) |
AzureFrontDoor.Firstparty | HTTPS | 443 | Required for logging operations. |
GuestAndHybridManagement | HTTPS | 443 | Required to gather information about and manage Cassandra nodes (for example, reboot) |
ApiManagement | HTTPS | 443 | Required to gather information about and manage Cassandra nodes (for example, reboot) |
> [!NOTE]
> In addition to the service tags above, you also need to allow the following address prefixes, because no service tag exists for the relevant service:
>
> - 104.40.0.0/13
> - 13.104.0.0/14
> - 40.64.0.0/10
If you are using a third-party firewall to restrict outbound access, we highly recommend configuring user-defined routes (UDRs) for the Microsoft address prefixes, rather than attempting to allow that connectivity through your own firewall. See the sample bash script that adds the required address prefixes to user-defined routes.
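The following script is an added example and is not the sample script the article refers to. It generates the `az network route-table route create` commands for the three address prefixes quoted in the note, with next hop type `Internet`, so that traffic to those Microsoft ranges leaves the virtual network directly instead of traversing a third-party firewall appliance. The resource group, route table and region names are placeholders; nothing is executed until you pipe the printed commands to `sh`, which lets you review or diff them first.

```shell
#!/bin/sh
# Added example (not Microsoft's sample script): emit the `az` commands that add
# user-defined routes with next hop "Internet" for Microsoft address prefixes,
# so that traffic to them bypasses a third-party firewall NVA.
# Resource group / route table / region values below are placeholders.
set -eu

# Address prefixes from the article's note (no service tag covers them).
EXTRA_PREFIXES="104.40.0.0/13 13.104.0.0/14 40.64.0.0/10"

# Service tags from the article's Azure Firewall table. Their prefixes change
# over time, so they are fetched live rather than hard-coded.
SERVICE_TAGS="Storage AzureKeyVault EventHub AzureMonitor AzureActiveDirectory \
AzureResourceManager AzureFrontDoor.Firstparty GuestAndHybridManagement ApiManagement"

# Derive a route name from a CIDR: 104.40.0.0/13 -> bypass-104-40-0-0-13
route_name() {
  printf 'bypass-%s\n' "$(printf '%s' "$1" | sed 's#[./]#-#g')"
}

# Print one `az network route-table route create` command per prefix.
# Nothing is executed here; pipe the output to sh once it has been reviewed.
udr_commands() {
  rg="$1"; table="$2"; prefixes="$3"
  for p in $prefixes; do
    printf 'az network route-table route create -g %s --route-table-name %s -n %s --address-prefix %s --next-hop-type Internet\n' \
      "$rg" "$table" "$(route_name "$p")" "$p"
  done
}

# Current IPv4 prefixes of one service tag, as published by Azure Resource Manager.
# Needs a logged-in `az` session. Regional variants such as Storage.WestUS2 are
# much smaller than the global tag; IPv6 entries are dropped.
service_tag_prefixes() {
  location="$1"; tag="$2"
  az network list-service-tags --location "$location" \
    --query "values[?name=='$tag'].properties.addressPrefixes[]" -o tsv | grep -v ':' || true
}

# Number of routes a prefix list would create. Check it against the Azure limit
# of 400 routes per route table before applying anything.
route_count() {
  set -- $1
  echo $#
}

# Stand-alone use: print the commands for the three hard-coded prefixes.
# Append "$(service_tag_prefixes westus2 Storage.WestUS2)" to the list once
# route_count confirms the total stays under the limit.
udr_commands rg-cassandra-example rt-cassandra-bypass "$EXTRA_PREFIXES"
```

A global tag such as `Storage` contains far more prefixes than one route table can hold, which is why the script counts routes before anything is applied and why the regional tag variants are the practical choice when extending the list.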
The required network rules and IP address dependencies are:
Destination Endpoint | Protocol | Port | Use |
---|---|---|---|
`snovap<region>.blob.core.windows.net:443` or ServiceTag - Azure Storage | HTTPS | 443 | Required for secure communication between the nodes and Azure Storage for Control Plane communication and configuration. |
`*.store.core.windows.net:443` or ServiceTag - Azure Storage | HTTPS | 443 | Required for secure communication between the nodes and Azure Storage for Control Plane communication and configuration. |
`*.blob.core.windows.net:443` or ServiceTag - Azure Storage | HTTPS | 443 | Required for secure communication between the nodes and Azure Storage to store backups. The backup feature is being revised, and the storage account name will follow a fixed pattern by GA. |
`vmc-p-<region>.vault.azure.net:443` or ServiceTag - Azure KeyVault | HTTPS | 443 | Required for secure communication between the nodes and Azure Key Vault. Certificates and keys are used to secure communication inside the cluster. |
`management.azure.com:443` or ServiceTag - Azure Virtual Machine Scale Sets/Azure Management API | HTTPS | 443 | Required to gather information about and manage Cassandra nodes (for example, reboot). |
`*.servicebus.windows.net:443` or ServiceTag - Azure EventHub | HTTPS | 443 | Required to forward logs to Azure. |
`jarvis-west.dc.ad.msft.net:443` or ServiceTag - Azure Monitor | HTTPS | 443 | Required to forward metrics to Azure. |
`login.microsoftonline.com:443` or ServiceTag - Azure AD | HTTPS | 443 | Required for Azure Active Directory authentication. |
`packages.microsoft.com` | HTTPS | 443 | Required for updates to the Azure security scanner definitions and signatures. |
`azure.microsoft.com` | HTTPS | 443 | Required to get information about virtual machine scale sets. |
`<region>-dsms.dsms.core.windows.net` | HTTPS | 443 | Certificate for logging. |
`gcs.prod.monitoring.core.windows.net` | HTTPS | 443 | Logging endpoint needed for logging. |
`global.prod.microsoftmetrics.com` | HTTPS | 443 | Needed for metrics. |
`shavsalinuxscanpkg.blob.core.windows.net` | HTTPS | 443 | Needed to download and update the security scanner. |
`crl.microsoft.com` | HTTPS | 443 | Needed to access public Microsoft certificates. |
`global-dsms.dsms.core.windows.net` | HTTPS | 443 | Needed to access public Microsoft certificates. |
The system uses DNS names to reach the Azure services described in this article so that it can use load balancers. Therefore, the virtual network must run a DNS server that can resolve those addresses. The virtual machines in the virtual network honor the name server that is communicated through the DHCP protocol. In most cases, Azure automatically sets up a DNS server for the virtual network. If this doesn't occur in your scenario, the DNS names that are described in this article are a good guide to get started.
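Because the service depends on DNS resolution inside the virtual network and on outbound 443 to the endpoints in the table above, it is worth verifying both from a VM in the delegated subnet before deploying. The script below is an added pre-flight check, not part of the article or the service: it substitutes a region into the non-wildcard FQDNs from the table, then resolves each name and completes a TLS handshake on 443, classifying any failure by the layer at which it occurred (DNS, TCP, timeout, TLS, certificate) using curl's documented exit codes. The region passed on the command line is a placeholder; wildcard entries such as `*.blob.core.windows.net` cannot be probed directly and are left out.

```shell
#!/bin/sh
# Added example (not from the article): run from a VM in the delegated VNet to
# confirm that each required FQDN resolves and that a TLS handshake on 443
# succeeds, so DNS or egress filtering problems surface before deployment.
set -eu

# Non-wildcard endpoints from the article's table, <region> left as a placeholder.
ENDPOINT_TEMPLATES="snovap<region>.blob.core.windows.net
vmc-p-<region>.vault.azure.net
management.azure.com
jarvis-west.dc.ad.msft.net
login.microsoftonline.com
packages.microsoft.com
azure.microsoft.com
<region>-dsms.dsms.core.windows.net
gcs.prod.monitoring.core.windows.net
global.prod.microsoftmetrics.com
shavsalinuxscanpkg.blob.core.windows.net
crl.microsoft.com
global-dsms.dsms.core.windows.net"

# Substitute the region into every template; prints one host per line.
render_endpoints() {
  printf '%s\n' "$ENDPOINT_TEMPLATES" | sed "s/<region>/$1/g"
}

# Map a curl exit status to the layer that failed (curl's own exit codes):
# 6 = name not resolved, 7 = TCP connect failed, 28 = timeout,
# 35 = TLS handshake failed, 60 = server certificate not trusted.
classify() {
  case "$1" in
    0)  echo ok ;;
    6)  echo dns ;;
    7)  echo tcp ;;
    28) echo timeout ;;
    35) echo tls ;;
    60) echo cert ;;
    *)  echo "curl-$1" ;;
  esac
}

# Resolve and handshake with one host. Prints "<host> <result>"; returns 0 only on ok.
# An HTTP 4xx still counts as ok: the point is that DNS, TCP and TLS all worked.
check_endpoint() {
  host="$1"
  rc=0
  curl -s --connect-timeout 5 --max-time 10 -o /dev/null "https://$host/" 2>/dev/null || rc=$?
  result=$(classify "$rc")
  echo "$host $result"
  [ "$result" = ok ]
}

# Check every rendered endpoint; exit non-zero if any failed.
preflight() {
  failed=0
  for h in $(render_endpoints "$1"); do
    check_endpoint "$h" || failed=$((failed + 1))
  done
  echo "failed: $failed"
  [ "$failed" -eq 0 ]
}

# Stand-alone use: sh preflight.sh westus2   (region is a placeholder)
if [ "$#" -gt 0 ]; then
  preflight "$1"
fi
```

A `dns` result on every host points at the virtual network's DNS server (the one handed out by DHCP), whereas `tcp` or `timeout` on most hosts usually means the firewall or route table is dropping outbound 443; a single `cert` result is worth a closer look, since it can indicate TLS interception by an intermediate appliance.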
The following ports are only accessible within the virtual network (or peered virtual networks and ExpressRoute connections). Managed Instance for Apache Cassandra instances do not have a public IP address and should not be made accessible from the Internet.
Port | Use |
---|---|
8443 | Internal |
9443 | Internal |
7001 | Gossip - Used by Cassandra nodes to talk to each other |
9042 | Cassandra - Used by clients to connect to Cassandra |
7199 | Internal |
In this article, you learned about network rules to properly manage the service. Learn more about Azure Managed Instance for Apache Cassandra with the following articles: