Publish Azure Stack Hub services in your datacenter
Azure Stack Hub sets up virtual IP addresses (VIPs) for its infrastructure roles. These VIPs are allocated from the public IP address pool. Each VIP is secured with an access control list (ACL) in the software-defined network layer. ACLs are also used across the physical switches (TORs and BMC) to further harden the solution. A DNS entry is created for each endpoint in the external DNS zone that's specified at deployment time. For example, the user portal is assigned the DNS host entry of portal.<region>.<fqdn>.
The following architectural diagram shows the different network layers and ACLs:
Ports and URLs
To make Azure Stack Hub services (like the portals, Azure Resource Manager, DNS, and so on) available to external networks, you must allow inbound traffic to these endpoints for specific URLs, ports, and protocols.
In a deployment where a transparent proxy uplinks to a traditional proxy server or a firewall is protecting the solution, you must allow specific ports and URLs for both inbound and outbound communication. These include ports and URLs for identity, the marketplace, patch and update, registration, and usage data.
SSL traffic interception is not supported and can lead to service failures when accessing endpoints.
Ports and protocols (inbound)
A set of infrastructure VIPs is required for publishing Azure Stack Hub endpoints to external networks. The Endpoint (VIP) table shows each endpoint, the required port, and protocol. Refer to the specific resource provider deployment documentation for endpoints that require additional resource providers, like the SQL resource provider.
Internal infrastructure VIPs aren't listed because they're not required for publishing Azure Stack Hub. User VIPs are dynamic and defined by the users themselves, with no control by the Azure Stack Hub operator.
With the addition of the Extension Host, ports in the range of 12495-30015 aren't required.
Endpoint (VIP) | DNS host A record | Protocol | Ports |
---|---|---|---|
AD FS | Adfs.<region>.<fqdn> | HTTPS | 443 |
Portal (administrator) | Adminportal.<region>.<fqdn> | HTTPS | 443 |
Adminhosting | *.adminhosting.<region>.<fqdn> | HTTPS | 443 |
Azure Resource Manager (administrator) | Adminmanagement.<region>.<fqdn> | HTTPS | 443 |
Portal (user) | Portal.<region>.<fqdn> | HTTPS | 443 |
Azure Resource Manager (user) | Management.<region>.<fqdn> | HTTPS | 443 |
Graph | Graph.<region>.<fqdn> | HTTPS | 443 |
Certificate revocation list | Crl.<region>.<fqdn> | HTTP | 80 |
DNS | *.<region>.<fqdn> | TCP & UDP | 53 |
Hosting | *.hosting.<region>.<fqdn> | HTTPS | 443 |
Key Vault (user) | *.vault.<region>.<fqdn> | HTTPS | 443 |
Key Vault (administrator) | *.adminvault.<region>.<fqdn> | HTTPS | 443 |
Storage Queue | *.queue.<region>.<fqdn> | HTTP, HTTPS | 80, 443 |
Storage Table | *.table.<region>.<fqdn> | HTTP, HTTPS | 80, 443 |
Storage Blob | *.blob.<region>.<fqdn> | HTTP, HTTPS | 80, 443 |
SQL Resource Provider | sqladapter.dbadapter.<region>.<fqdn> | HTTPS | 44300-44304 |
MySQL Resource Provider | mysqladapter.dbadapter.<region>.<fqdn> | HTTPS | 44300-44304 |
App Service | *.appservice.<region>.<fqdn> | TCP | 80 (HTTP), 443 (HTTPS), 8172 (MSDeploy) |
App Service | *.scm.appservice.<region>.<fqdn> | TCP | 443 (HTTPS) |
App Service | api.appservice.<region>.<fqdn> | TCP | 443 (HTTPS), 44300 (Azure Resource Manager) |
App Service | ftp.appservice.<region>.<fqdn> | TCP, UDP | 21, 1021, 10001-10100 (FTP), 990 (FTPS) |
VPN Gateways | | IP Protocol 50 & UDP | Encapsulating Security Payload (ESP) IPsec & UDP 500 and 4500 |
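The inbound table is only useful once it is compared against what the perimeter firewall actually allows. As an added example (not from the Azure Stack Hub documentation or product), the following Python script renders the DNS host A records for a representative subset of the endpoints above for an operator-supplied region and external DNS zone, then reports which required ports a constructed firewall rule set fails to allow. The region `east`, the zone `azurestack.example` and the rule set are constructed sample values; HTTP/HTTPS rows are expressed as TCP, which is what a packet filter sees.

```python
"""Check that inbound firewall rules cover Azure Stack Hub infrastructure VIPs.

Added example, not part of the Azure Stack Hub documentation or product.
Region, FQDN and the rule set below are constructed sample values.
"""
from dataclasses import dataclass

# Representative subset of the inbound endpoint table:
# (DNS host A record template, transport protocol, port spec in the table's notation).
# HTTP/HTTPS rows are expressed as TCP, which is what a packet filter sees.
REQUIRED_INBOUND = [
    ("Adminportal.<region>.<fqdn>", "TCP", "443"),
    ("Adminmanagement.<region>.<fqdn>", "TCP", "443"),
    ("Portal.<region>.<fqdn>", "TCP", "443"),
    ("Management.<region>.<fqdn>", "TCP", "443"),
    ("Crl.<region>.<fqdn>", "TCP", "80"),
    ("*.<region>.<fqdn>", "TCP", "53"),
    ("*.<region>.<fqdn>", "UDP", "53"),
    ("*.vault.<region>.<fqdn>", "TCP", "443"),
    ("*.blob.<region>.<fqdn>", "TCP", "80, 443"),
    ("sqladapter.dbadapter.<region>.<fqdn>", "TCP", "44300-44304"),
]


def parse_ports(spec):
    """Expand '80, 443' or '44300-44304' into a set of port numbers."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def render_host(template, region, fqdn):
    """Substitute the operator's region and external DNS zone into a template."""
    return template.replace("<region>", region).replace("<fqdn>", fqdn).lower()


def host_matches(rule_host, endpoint_host):
    """A rule host is an exact name or a wildcard '*.suffix'.
    The wildcard covers any name under the suffix, including wildcard
    endpoints such as '*.blob.<zone>', but never the bare suffix itself."""
    if rule_host.startswith("*."):
        return endpoint_host.endswith(rule_host[1:]) and endpoint_host != rule_host[2:]
    return rule_host == endpoint_host


@dataclass(frozen=True)
class Rule:
    host: str           # exact DNS name or '*.suffix'
    proto: str          # 'TCP' or 'UDP'
    ports: frozenset    # allowed destination ports


def rule(host, proto, spec):
    return Rule(host.lower(), proto.upper(), frozenset(parse_ports(spec)))


def find_gaps(rules, region, fqdn, required=REQUIRED_INBOUND):
    """Return (endpoint host, protocol, missing ports) for every required
    endpoint whose ports are not all allowed by the combined rule set."""
    gaps = []
    for template, proto, spec in required:
        host = render_host(template, region, fqdn)
        allowed = set()
        for r in rules:
            if r.proto == proto.upper() and host_matches(r.host, host):
                allowed |= r.ports
        missing = sorted(parse_ports(spec) - allowed)
        if missing:
            gaps.append((host, proto, missing))
    return gaps


# Constructed rule set with three deliberate gaps: UDP 53 is missing,
# blob storage is only allowed on 443, and the SQL adapter range is too narrow.
SAMPLE_RULES = [
    rule("*.east.azurestack.example", "TCP", "443"),
    rule("*.east.azurestack.example", "TCP", "53"),
    rule("crl.east.azurestack.example", "TCP", "80"),
    rule("sqladapter.dbadapter.east.azurestack.example", "TCP", "44300-44302"),
]

if __name__ == "__main__":
    for host, proto, missing in find_gaps(SAMPLE_RULES, "east", "azurestack.example"):
        print(f"GAP {proto} {host}: ports {missing} not allowed")
```

The check is deliberately port-exact: a rule that opens 44300-44302 for the SQL adapter is reported as a gap for 44303 and 44304 rather than counted as "mostly covered", and DNS over TCP does not satisfy the UDP 53 requirement. Extending `REQUIRED_INBOUND` with the remaining rows of the table, or with the resource-provider endpoints from their own deployment documentation, needs no change to the logic.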
Ports and URLs (outbound)
Azure Stack Hub supports only transparent proxy servers. In a deployment with a transparent proxy uplink to a traditional proxy server, you must allow the ports and URLs in the following table for outbound communication. For more information on configuring transparent proxy servers, see Transparent proxy for Azure Stack Hub.
SSL traffic interception is not supported and can lead to service failures when accessing endpoints. The maximum supported timeout to communicate with endpoints required for identity is 60s.
Note
Azure Stack Hub doesn't support using ExpressRoute to reach the Azure services listed in the following table because ExpressRoute may not be able to route traffic to all of the endpoints.
Purpose | Destination URL | Protocol / Ports | Source Network | Requirement |
---|---|---|---|---|
Identity: Allows Azure Stack Hub to connect to Microsoft Entra ID for user and service authentication. | Azure: login.windows.net, login.microsoftonline.com, graph.windows.net, https://secure.aadcdn.microsoftonline-p.com, www.office.com, ManagementServiceUri = https://management.core.windows.net, ARMUri = https://management.azure.com, https://*.msftauth.net, https://*.msauth.net, https://*.msocdn.com. Azure Government: https://login.microsoftonline.us/, https://graph.windows.net/. Azure China 21Vianet: https://login.chinacloudapi.cn/, https://graph.chinacloudapi.cn/. Azure Germany: https://login.microsoftonline.de/, https://graph.cloudapi.de/ | HTTP 80, HTTPS 443 | Public VIP - /27; Public infrastructure network | Mandatory for a connected deployment. |
Marketplace syndication: Allows you to download items to Azure Stack Hub from the Marketplace and make them available to all users of the Azure Stack Hub environment. | Azure: https://management.azure.com, https://*.blob.core.windows.net, https://*.azureedge.net. Azure Government: https://management.usgovcloudapi.net/, https://*.blob.core.usgovcloudapi.net/. Azure China 21Vianet: https://management.chinacloudapi.cn/, http://*.blob.core.chinacloudapi.cn | HTTPS 443 | Public VIP - /27 | Not required. Use the disconnected scenario instructions to upload images to Azure Stack Hub. |
Patch & Update: When connected to update endpoints, Azure Stack Hub software updates and hotfixes are displayed as available for download. | https://*.azureedge.net, https://aka.ms/azurestackautomaticupdate | HTTPS 443 | Public VIP - /27 | Not required. Use the disconnected deployment connection instructions to manually download and prepare the update. |
Registration: Allows you to register Azure Stack Hub with Azure to download Azure Marketplace items and set up commerce data reporting back to Microsoft. | Azure: https://management.azure.com. Azure Government: https://management.usgovcloudapi.net/. Azure China 21Vianet: https://management.chinacloudapi.cn | HTTPS 443 | Public VIP - /27 | Not required. You can use the disconnected scenario for offline registration. |
Usage: Allows Azure Stack Hub operators to configure their Azure Stack Hub instance to report usage data to Azure. | Azure: https://*.trafficmanager.net, https://*.cloudapp.azure.com. Azure Government: https://*.usgovtrafficmanager.net, https://*.cloudapp.usgovcloudapi.net. Azure China 21Vianet: https://*.trafficmanager.cn, https://*.cloudapp.chinacloudapi.cn | HTTPS 443 | Public VIP - /27 | Required for the Azure Stack Hub consumption-based licensing model. |
Windows Defender: Allows the update resource provider to download antimalware definitions and engine updates multiple times per day. | *.wdcp.microsoft.com, *.wdcpalt.microsoft.com, *.wd.microsoft.com, *.update.microsoft.com, *.download.microsoft.com, https://secure.aadcdn.microsoftonline-p.com | HTTPS 80, 443 | Public VIP - /27; Public infrastructure network | Not required. You can use the disconnected scenario to update antivirus signature files. |
NTP: Allows Azure Stack Hub to connect to time servers. | (IP of NTP server provided for deployment) | UDP 123 | Public VIP - /27 | Required |
DNS: Allows Azure Stack Hub to connect to the DNS server forwarder. | (IP of DNS server provided for deployment) | TCP & UDP 53 | Public VIP - /27 | Required |
SYSLOG: Allows Azure Stack Hub to send syslog messages for monitoring or security purposes. | (IP of SYSLOG server provided for deployment) | TCP 6514, UDP 514 | Public VIP - /27 | Optional |
CRL: Allows Azure Stack Hub to validate certificates and check for revoked certificates. | URL under CRL Distribution Points on your certificates | HTTP 80 | Public VIP - /27 | Required |
CRL: Allows Azure Stack Hub to validate certificates and check for revoked certificates. | http://crl.microsoft.com/pki/crl/products, http://mscrl.microsoft.com/pki/mscorp, http://www.microsoft.com/pki/certs, http://www.microsoft.com/pki/mscorp, http://www.microsoft.com/pkiops/crl, http://www.microsoft.com/pkiops/certs | HTTP 80 | Public VIP - /27 | Not required. Highly recommended security best practice. |
LDAP: Allows Azure Stack Hub to communicate with Microsoft Active Directory on-premises. | Active Directory forest provided for Graph integration | TCP & UDP 389 | Public VIP - /27 | Required when Azure Stack Hub is deployed using AD FS. |
LDAP SSL: Allows Azure Stack Hub to communicate over an encrypted channel with Microsoft Active Directory on-premises. | Active Directory forest provided for Graph integration | TCP 636 | Public VIP - /27 | Required when Azure Stack Hub is deployed using AD FS. |
LDAP GC: Allows Azure Stack Hub to communicate with Microsoft Active Directory Global Catalog servers. | Active Directory forest provided for Graph integration | TCP 3268 | Public VIP - /27 | Required when Azure Stack Hub is deployed using AD FS. |
LDAP GC SSL: Allows Azure Stack Hub to communicate over an encrypted channel with Microsoft Active Directory Global Catalog servers. | Active Directory forest provided for Graph integration | TCP 3269 | Public VIP - /27 | Required when Azure Stack Hub is deployed using AD FS. |
AD FS: Allows Azure Stack Hub to communicate with on-premises AD FS. | AD FS metadata endpoint provided for AD FS integration | TCP 443 | Public VIP - /27 | Optional. The AD FS claims provider trust can be created using a metadata file. |
Diagnostic log collection: Allows Azure Stack Hub to send logs to Microsoft support, either proactively or manually by an operator. | https://*.blob.core.windows.net, https://azsdiagprdlocalwestus02.blob.core.windows.net, https://azsdiagprdwestusfrontend.westus.cloudapp.azure.com | HTTPS 443 | Public VIP - /27 | Not required. You can save logs locally. |
Remote support: Allows Microsoft support professionals to resolve support cases faster by permitting remote access to the device to perform limited troubleshooting and repair operations. | https://edgesupprd.trafficmanager.net, https://edgesupprdwestusfrontend.westus2.cloudapp.azure.com, https://edgesupprdwesteufrontend.westeurope.cloudapp.azure.com, https://edgesupprdeastusfrontend.eastus.cloudapp.azure.com, https://edgesupprdwestcufrontend.westcentralus.cloudapp.azure.com, https://edgesupprdasiasefrontend.southeastasia.cloudapp.azure.com, *.servicebus.windows.net | HTTPS 443 | Public VIP - /27 | Not required. |
Telemetry: Allows Azure Stack Hub to send telemetry data to Microsoft. | https://settings-win.data.microsoft.com, https://login.live.com, *.events.data.microsoft.com. Beginning with version 2108, the following endpoints are also required: https://*.blob.core.windows.net/, https://azsdiagprdwestusfrontend.westus.cloudapp.azure.com/ | HTTPS 443 | Public VIP - /27 | Required when Azure Stack Hub telemetry is enabled. |
Outbound URLs are load balanced using Azure Traffic Manager to provide the best possible connectivity based on geographic location. With load-balanced URLs, Microsoft can update and change backend endpoints without affecting customers. Microsoft doesn't share the list of IP addresses behind the load-balanced URLs, so use a device that supports filtering by URL rather than by IP address.
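Filtering by URL rather than by IP only works if the filter parses each request properly: a substring match on the raw URL would accept a request whose path or userinfo merely contains an allowed name. As an added example (not from the Azure Stack Hub documentation or product), the following Python code builds an allowlist from a constructed subset of the outbound table entries, honouring the scheme each entry carries and the Protocol/Ports column for bare hostnames, and decides on the parsed host, scheme and port. The destination `evil.example` and the request URLs are constructed to show the cases a filter must reject.

```python
"""Evaluate outbound requests against a URL allowlist built from the table above.

Added example, not part of the Azure Stack Hub documentation or product.
The allowlist subset and the request URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit

SCHEME_PORT = {"http": 80, "https": 443}


def parse_entry(text, default_schemes=("https",)):
    """Turn one destination entry into (host pattern, permitted schemes).

    An entry with a scheme ('https://*.blob.core.windows.net') permits only
    that scheme; a bare host ('login.windows.net') takes the row's
    Protocol/Ports column, passed here as default_schemes."""
    text = text.strip().rstrip("/")
    if "://" in text:
        scheme, host = text.split("://", 1)
        return host.lower(), frozenset([scheme.lower()])
    return text.lower(), frozenset(s.lower() for s in default_schemes)


def host_matches(pattern, host):
    """'*.suffix' matches names under suffix on a label boundary only:
    neither the bare suffix nor look-alikes such as 'notsuffix'."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def is_allowed(url, allowlist):
    """Return (allowed, reason) for an outbound request to url.

    The decision is made on the parsed host, not on substrings of the URL,
    so userinfo tricks and paths that embed an allowed name do not match."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()    # hostname excludes userinfo and port
    if scheme not in SCHEME_PORT or not host:
        return False, "unsupported scheme or missing host"
    try:
        port = parts.port or SCHEME_PORT[scheme]
    except ValueError:
        return False, "malformed port"
    if port != SCHEME_PORT[scheme]:
        return False, f"non-standard port {port} for {scheme}"
    matched, permitted = [], set()
    for pattern, schemes in allowlist:
        if host_matches(pattern, host):
            matched.append(pattern)
            permitted |= schemes
    if not matched:
        return False, f"host {host} not in allowlist"
    if scheme not in permitted:
        return False, f"{scheme} not permitted for {host}"
    return True, f"{host} matched {', '.join(matched)}"


# Constructed subset of the outbound table. The Identity row allows
# HTTP 80 and HTTPS 443; the marketplace entries allow HTTPS only, except the
# Azure China blob entry, which the table lists as plain HTTP.
ALLOWLIST = [
    parse_entry("login.windows.net", ("http", "https")),
    parse_entry("login.microsoftonline.com", ("http", "https")),
    parse_entry("https://*.msftauth.net"),
    parse_entry("https://management.azure.com"),
    parse_entry("https://*.blob.core.windows.net"),
    parse_entry("http://*.blob.core.chinacloudapi.cn"),
]

if __name__ == "__main__":
    for url in [
        "https://foo.blob.core.windows.net/container/image.vhd",
        "https://blob.core.windows.net/",
        "https://notblob.core.windows.net/",
        "https://login.microsoftonline.com.evil.example/",
        "https://login.microsoftonline.com@evil.example/",
        "https://foo.blob.core.windows.net:8443/",
    ]:
        print(url, "->", is_allowed(url, ALLOWLIST))
```

Because the decision is taken on the parsed hostname, `https://login.microsoftonline.com@evil.example/` is rejected (the browser-style userinfo is discarded and the host is `evil.example`), as is `https://evil.example/https://login.microsoftonline.com`. Wildcards match only below a label boundary, so `*.blob.core.windows.net` accepts `foo.blob.core.windows.net` but neither the apex `blob.core.windows.net` nor `notblob.core.windows.net`, and a non-standard port such as 8443 is rejected even for an allowed host, matching the "HTTPS 443" column of the table.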
Outbound DNS is required at all times; what varies is the source querying the external DNS and what type of identity integration was chosen. During deployment for a connected scenario, the DVM that sits on the BMC network needs outbound access. But after deployment, the DNS service moves to an internal component that will send queries through a Public VIP. At that time, the outbound DNS access through the BMC network can be removed, but the Public VIP access to that DNS server must remain or else authentication will fail.