Ports and Protocols requirement for the Hybrid Cloud Search Service Application
In response to a number of requests for this information we are posting the Ports and Protocols requirements for the Cloud Search Service Application.
Generally we assume outbound internet access is granted to all network resources but of course this is not always true and rarely true for server based applications in corporate datacenters.
The hybrid cloud search service application has five main connection points required for outbound internet access, all operate on HTTPS on Port 443.
The first url is to the provisioning api which is called only when establishing the configuration and deployment of the Cloud SSA for the first time. This endpoint is accessible via public internet as well as Express Route with Microsoft peering.
- Provisioning: https://provisioningapi.microsoftonline.com
The second is the tenant url for connecting to the Office 365 tenancy.This endpoint is accessible via public internet as well as Express Route with Microsoft peering.
- Tenant: https://contoso.sharepoint.com
The third is the Azure ACS (Azure Access Control Services) endpoint to proxy the S2S trust between the on premises farm and Office 365. This endpoint is accessible only via public internet .
Fourth, and the less well known requirement. You need to establish connectivity to the regional Search Content Service (SCS) for pushing the parsed content batches to the Office 365 Search Service. These endpoints are accessible via public internet as well as Express Route with Azure public peering.
You only need to provide access to the SCS endpoints in your region as high availability is provided within the same region just as we do with your content.
The final connection point is only needed when providing outbound hybrid search query federation from the on premises farm to Office 365. In this case you need to allow the servers in the farm that host Query Processing components the ability to connect to the url of your root site in SharePoint Online. Typically this is https://tenantname.sharepoint.com. These endpoints are accessible via public internet as well as Express Route with Azure public peering
Note: For more information regarding the different types of peering mentioned above take a look at this article.