Azure Stack datacenter integration - Publish endpoints

Azure Stack sets up virtual IP addresses (VIPs) for its infrastructure roles. These VIPs are allocated from the public IP address pool. Each VIP is secured with an access control list (ACL) in the software-defined network layer. ACLs are also applied on the physical switches (TORs and BMC) to further harden the solution. A DNS entry is created for each endpoint in the external DNS zone that was specified at deployment time.

The following architectural diagram shows the different network layers and ACLs:

[Diagram: Azure Stack network layers and the ACLs applied at each layer]

Ports and protocols (inbound)

A set of infrastructure VIPs is required for publishing Azure Stack endpoints to external networks. The Endpoint (VIP) table shows each endpoint, the required port, and the protocol. For endpoints that additional resource providers require, such as the SQL resource provider, refer to the deployment documentation of that resource provider.

Internal infrastructure VIPs aren't listed because they're not required for publishing Azure Stack.

Note

User VIPs are dynamic: users define them themselves, and the Azure Stack operator has no control over them.

Note

As of the 1811 update, ports in the range 12495-30015 no longer need to be open, because the Extension Host was added.

Endpoint (VIP) | DNS host A record | Protocol | Ports
AD FS | Adfs.<region>.<fqdn> | HTTPS | 443
Portal (administrator) | Adminportal.<region>.<fqdn> | HTTPS | 443
Adminhosting | *.adminhosting.<region>.<fqdn> | HTTPS | 443
Azure Resource Manager (administrator) | Adminmanagement.<region>.<fqdn> | HTTPS | 443
Portal (user) | Portal.<region>.<fqdn> | HTTPS | 443
Azure Resource Manager (user) | Management.<region>.<fqdn> | HTTPS | 443
Graph | Graph.<region>.<fqdn> | HTTPS | 443
Certificate revocation list | Crl.<region>.<fqdn> | HTTP | 80
DNS | *.<region>.<fqdn> | TCP & UDP | 53
Hosting | *.hosting.<region>.<fqdn> | HTTPS | 443
Key Vault (user) | *.vault.<region>.<fqdn> | HTTPS | 443
Key Vault (administrator) | *.adminvault.<region>.<fqdn> | HTTPS | 443
Storage Queue | *.queue.<region>.<fqdn> | HTTP, HTTPS | 80, 443
Storage Table | *.table.<region>.<fqdn> | HTTP, HTTPS | 80, 443
Storage Blob | *.blob.<region>.<fqdn> | HTTP, HTTPS | 80, 443
SQL Resource Provider | sqladapter.dbadapter.<region>.<fqdn> | HTTPS | 44300-44304
MySQL Resource Provider | mysqladapter.dbadapter.<region>.<fqdn> | HTTPS | 44300-44304
App Service | *.appservice.<region>.<fqdn> | TCP | 80 (HTTP), 443 (HTTPS), 8172 (MSDeploy)
App Service | *.scm.appservice.<region>.<fqdn> | TCP | 443 (HTTPS)
App Service | api.appservice.<region>.<fqdn> | TCP | 443 (HTTPS), 44300 (Azure Resource Manager)
App Service | ftp.appservice.<region>.<fqdn> | TCP, UDP | 21, 1021, 10001-10100 (FTP); 990 (FTPS)
VPN Gateways | See the VPN gateway FAQ. | |
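The table above is what the external firewall and DNS must expose. The following script, added here as an example and not part of the original page or of the Azure Stack tooling, turns the table into concrete probes for a given region and external FQDN, checks that each host name has an A record, and attempts a TCP handshake on each published port. Wildcard records (for example *.blob.<region>.<fqdn>) cannot be probed as such, so the script substitutes a sample label of its own choosing ("probe", an assumption; pass a real storage account or app name if your DNS only answers for existing names). The DNS row (*.<region>.<fqdn>, port 53) is not probed separately because the lookups themselves exercise it once the zone is delegated or conditionally forwarded to the Azure Stack DNS VIP. Only TCP is probed; the UDP ports of the FTP row still need a separate check.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Inbound endpoint table from this page, as (service, host pattern, ports).
# "*" is the wildcard A record; it is replaced with a sample label below
# because a wildcard cannot itself be resolved or connected to.
INBOUND = [
    ("AD FS", "adfs.{r}.{f}", [443]),
    ("Portal (administrator)", "adminportal.{r}.{f}", [443]),
    ("Adminhosting", "*.adminhosting.{r}.{f}", [443]),
    ("Azure Resource Manager (administrator)", "adminmanagement.{r}.{f}", [443]),
    ("Portal (user)", "portal.{r}.{f}", [443]),
    ("Azure Resource Manager (user)", "management.{r}.{f}", [443]),
    ("Graph", "graph.{r}.{f}", [443]),
    ("Certificate revocation list", "crl.{r}.{f}", [80]),
    ("Hosting", "*.hosting.{r}.{f}", [443]),
    ("Key Vault (user)", "*.vault.{r}.{f}", [443]),
    ("Key Vault (administrator)", "*.adminvault.{r}.{f}", [443]),
    ("Storage Queue", "*.queue.{r}.{f}", [80, 443]),
    ("Storage Table", "*.table.{r}.{f}", [80, 443]),
    ("Storage Blob", "*.blob.{r}.{f}", [80, 443]),
    ("SQL Resource Provider", "sqladapter.dbadapter.{r}.{f}", list(range(44300, 44305))),
    ("MySQL Resource Provider", "mysqladapter.dbadapter.{r}.{f}", list(range(44300, 44305))),
    ("App Service", "*.appservice.{r}.{f}", [80, 443, 8172]),
    ("App Service (SCM)", "*.scm.appservice.{r}.{f}", [443]),
    ("App Service (API)", "api.appservice.{r}.{f}", [443, 44300]),
    ("App Service (FTP)", "ftp.appservice.{r}.{f}", [21, 990, 1021] + list(range(10001, 10101))),
]


def expand(region, fqdn, sample="probe"):
    """Turn the patterns into concrete (service, host, port) probes.

    'sample' is the label substituted for '*' (an assumption of this script)."""
    probes = []
    for service, pattern, ports in INBOUND:
        host = pattern.replace("*", sample).format(r=region, f=fqdn)
        probes.extend((service, host, port) for port in ports)
    return probes


def resolve(host):
    """Return an A record for host, or None if it does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def validate(region, fqdn, sample="probe", resolver=resolve, connector=tcp_open, workers=16):
    """Probe every published endpoint and return (service, host, port, status) rows.

    status is NO-DNS (no A record), BLOCKED (resolves, but no TCP handshake) or OPEN.
    resolver and connector are injectable so the logic can be exercised offline."""
    def probe(item):
        service, host, port = item
        if resolver(host) is None:
            return (service, host, port, "NO-DNS")
        return (service, host, port, "OPEN" if connector(host, port) else "BLOCKED")

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(probe, expand(region, fqdn, sample)))


def failures(findings):
    """Rows that need a DNS record or a firewall rule fixed."""
    return [row for row in findings if row[3] != "OPEN"]


if __name__ == "__main__":
    import sys
    # usage: python check_inbound.py <region> <fqdn>   (file name is an assumption)
    for row in failures(validate(sys.argv[1], sys.argv[2])):
        print("%-40s %-45s %5d %s" % row)
```

Run it from a host on the external network, not from inside the Azure Stack infrastructure, so that the result reflects the path real tenants and operators will take through the border firewall. A NO-DNS row for a wildcard host usually means the sample label was the problem rather than the record; a BLOCKED row on a resolvable host is the firewall or TOR ACL.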

Ports and URLs (outbound)

Azure Stack supports only transparent proxy servers. In a deployment where a transparent proxy uplinks to a traditional proxy server, you must allow the following ports and URLs for outbound communication:

Note

Azure Stack does not support using ExpressRoute to reach the Azure services listed in the following table.

Purpose | Destination URL | Protocol | Ports | Source network
Identity | login.windows.net; login.microsoftonline.com; graph.windows.net; https://secure.aadcdn.microsoftonline-p.com; office.com | HTTP, HTTPS | 80, 443 | Public VIP - /27; Public infrastructure network
Marketplace syndication | https://management.azure.com; https://*.blob.core.windows.net; https://*.azureedge.net; https://*.microsoftazurestack.com | HTTPS | 443 | Public VIP - /27
Patch & Update | https://*.azureedge.net; https://aka.ms/azurestackautomaticupdate | HTTPS | 443 | Public VIP - /27
Registration | https://management.azure.com | HTTPS | 443 | Public VIP - /27
Usage | https://*.microsoftazurestack.com; https://*.trafficmanager.net | HTTPS | 443 | Public VIP - /27
Windows Defender | *.wdcp.microsoft.com; *.wdcpalt.microsoft.com; *.wd.microsoft.com; *.update.microsoft.com; *.download.microsoft.com; https://www.microsoft.com/pkiops/crl; https://www.microsoft.com/pkiops/certs; https://crl.microsoft.com/pki/crl/products; https://www.microsoft.com/pki/certs; https://secure.aadcdn.microsoftonline-p.com | HTTP, HTTPS | 80, 443 | Public VIP - /27; Public infrastructure network
NTP | IP address of the NTP server provided at deployment | UDP | 123 | Public VIP - /27
DNS | IP address of the DNS server provided at deployment | TCP, UDP | 53 | Public VIP - /27
CRL | URL under CRL Distribution Points on your certificate | HTTP | 80 | Public VIP - /27
LDAP | Active Directory forest provided for Graph integration | TCP, UDP | 389 | Public VIP - /27
LDAP SSL | Active Directory forest provided for Graph integration | TCP | 636 | Public VIP - /27
LDAP GC | Active Directory forest provided for Graph integration | TCP | 3268 | Public VIP - /27
LDAP GC SSL | Active Directory forest provided for Graph integration | TCP | 3269 | Public VIP - /27
AD FS | AD FS metadata endpoint provided for AD FS integration | TCP | 443 | Public VIP - /27

Note

Outbound URLs are load balanced with Azure Traffic Manager to provide the best possible connectivity based on geographic location. Because the URLs are load balanced, Microsoft can update and change the backend endpoints without affecting customers, and Microsoft does not publish the list of IP addresses behind them. Use a device that can filter by URL rather than by IP address.
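Both the outbound table and the note above come down to one rule-matching problem for the upstream proxy: decide, for a given destination URL and source address, whether a row in the table permits it, matching on the URL rather than on an IP address that Traffic Manager may change. The following Python, an added example and not part of the page or of any Microsoft tooling, encodes the table's URL rows and makes that decision. It assumes a small pattern grammar of its own: "*." means any name with at least one label under the suffix (never the bare apex, and never a longer name that merely ends in the same letters), and a path after the host restricts the rule to that path prefix, which is how the aka.ms and PKI entries are scoped. The source networks are constructed sample ranges; substitute the real "Public VIP - /27" and public infrastructure subnets of your deployment.

```python
import ipaddress
from urllib.parse import urlsplit

PUBLIC_VIP = "Public VIP - /27"
PUBLIC_INFRA = "Public infrastructure network"

# URL rows of the outbound table on this page: (purpose, destination patterns,
# allowed (scheme, port) pairs, allowed source networks). "*." = any subdomain;
# "host/path" restricts the rule to that path prefix (grammar is this script's own).
OUTBOUND_RULES = [
    ("Identity",
     ["login.windows.net", "login.microsoftonline.com", "graph.windows.net",
      "secure.aadcdn.microsoftonline-p.com", "office.com"],
     {("http", 80), ("https", 443)}, {PUBLIC_VIP, PUBLIC_INFRA}),
    ("Marketplace syndication",
     ["management.azure.com", "*.blob.core.windows.net", "*.azureedge.net",
      "*.microsoftazurestack.com"],
     {("https", 443)}, {PUBLIC_VIP}),
    ("Patch & Update",
     ["*.azureedge.net", "aka.ms/azurestackautomaticupdate"],
     {("https", 443)}, {PUBLIC_VIP}),
    ("Registration", ["management.azure.com"], {("https", 443)}, {PUBLIC_VIP}),
    ("Usage", ["*.microsoftazurestack.com", "*.trafficmanager.net"],
     {("https", 443)}, {PUBLIC_VIP}),
    ("Windows Defender",
     ["*.wdcp.microsoft.com", "*.wdcpalt.microsoft.com", "*.wd.microsoft.com",
      "*.update.microsoft.com", "*.download.microsoft.com",
      "www.microsoft.com/pkiops/crl", "www.microsoft.com/pkiops/certs",
      "crl.microsoft.com/pki/crl/products", "www.microsoft.com/pki/certs",
      "secure.aadcdn.microsoftonline-p.com"],
     {("http", 80), ("https", 443)}, {PUBLIC_VIP, PUBLIC_INFRA}),
]

# Constructed sample source networks (RFC 5737 documentation ranges, not real ones).
SAMPLE_SOURCE_NETS = {
    PUBLIC_VIP: ipaddress.ip_network("192.0.2.0/27"),
    PUBLIC_INFRA: ipaddress.ip_network("198.51.100.0/24"),
}


def host_matches(host, pattern_host):
    """Exact match, or for '*.x' any name with at least one label under x."""
    host = host.lower().rstrip(".")
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]        # ".azureedge.net" keeps the dot, so
        return host.endswith(suffix)     # "evilazureedge.net" cannot match
    return host == pattern_host


def match_rule(url, source_ip, source_nets=SAMPLE_SOURCE_NETS):
    """Return the purpose of the first rule that permits this request, else None."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # "https://good.com@evil.example/" yields evil.example
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    path = parts.path or "/"
    src = ipaddress.ip_address(source_ip)
    for purpose, patterns, endpoints, sources in OUTBOUND_RULES:
        if (scheme, port) not in endpoints:
            continue
        if not any(src in source_nets[s] for s in sources if s in source_nets):
            continue
        for pattern in patterns:
            pat_host, has_path, pat_path = pattern.partition("/")
            required_prefix = "/" + pat_path if has_path else "/"
            if host_matches(host, pat_host) and path.startswith(required_prefix):
                return purpose
    return None
```

Feeding proxy logs through match_rule gives a quick audit of which outbound requests the table does not cover; the cases worth keeping in the regression set are the look-alike suffix, the registered-name-as-prefix trick (blob.core.windows.net.attacker.example), plain HTTP to a destination the table only allows over HTTPS, and a URL whose userinfo part is a legitimate host name.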

Next steps

Azure Stack PKI requirements