Network security group (NSG) service tags for Azure HDInsight
HDInsight service tags for network security groups (NSGs) are groups of IP addresses for health and management services. These groups help minimize complexity for security rule creation. Service tags provide an alternative method for allowing inbound traffic from specific IP addresses without entering each of the management IP addresses in your network security groups.
These service tags are created and managed by the HDInsight service. You can't create your own service tag, or modify an existing tag. Microsoft manages the address prefixes that match to the service tag, and automatically updates the service tag as addresses change.
Getting started with service tags
You have two options for using service tags in your network security groups:
Use a single HDInsight service tag - this option opens your virtual network to all of the IP addresses that the HDInsight service uses to monitor clusters across all regions. This option is the simplest method, but may not be appropriate if you have restrictive security requirements.
Use multiple regional service tags - this option opens your virtual network to only the IP addresses that HDInsight uses in that specific region. However, if you're using multiple regions, then you'll need to add multiple service tags to your virtual network.
Use a single global HDInsight service tag
The easiest way to begin using service tags with your HDInsight cluster is to add the global tag HDInsight to a network security group rule.
From the Azure portal, select your network security group.
Under Settings, select Inbound security rules, and then select + Add.
From the Source drop-down list, select Service Tag.
From the Source service tag drop-down list, select HDInsight.
This tag contains the IP addresses of health and management services for all of the regions where HDInsight is available, and will ensure that your cluster can communicate with the necessary health and management services no matter where it's created.
Use regional HDInsight service tags
If option one won't work because you need more restrictive permissions, then you can allow only the service tags applicable for your region. The applicable service tags may be one, two, or three service tags, depending on the region where your cluster is created.
To find out which service tags to add for your region, read the following sections of the document.
Use a single regional service tag
If you prefer service tag option two, and your cluster is located in one of the regions listed in this table, then you only need to add a single regional service tag to your network security group.
| Country | Region | Service tag |
|---|---|---|
| China | China East 2 | HDInsight.ChinaEast2 |
| China | China North 2 | HDInsight.ChinaNorth2 |
| United States | North Central US | HDInsight.NorthCentralUS |
| United States | West US 2 | HDInsight.WestUS2 |
| United States | West Central US | HDInsight.WestCentralUS |
| Azure Government | USDoD Central | HDInsight.USDoDCentral |
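As an added example (not part of the Microsoft documentation and not HDInsight tooling), the following Python helper puts the two options above into a repeatable form: it selects the service tag(s) for a cluster region from the global tag and the single-regional table, builds the matching `az network nsg rule create` command, and audits an existing NSG rule list so you can confirm a tag-based inbound rule exists and spot broad `*`/`Internet` allow rules that the tag rule makes unnecessary. The destination port 443, the rule name and priority, and the flattened JSON field names (`sourceAddressPrefix`, `sourceAddressPrefixes`, `direction`, `access`) are assumptions about the Azure CLI output and your environment; the sample rule list is constructed for the example.

```python
"""Plan and audit NSG inbound rules that use HDInsight service tags (added example)."""
import shlex

GLOBAL_TAG = "HDInsight"

# Regions that need only one regional tag, taken from the table above.
# Keys are the region names with spaces removed and lower-cased.
SINGLE_REGIONAL_TAG = {
    "chinaeast2": "HDInsight.ChinaEast2",
    "chinanorth2": "HDInsight.ChinaNorth2",
    "northcentralus": "HDInsight.NorthCentralUS",
    "westus2": "HDInsight.WestUS2",
    "westcentralus": "HDInsight.WestCentralUS",
    "usdodcentral": "HDInsight.USDoDCentral",
}


def service_tags_for(region, restrictive=True):
    """Return the list of service tags to allow for a cluster in `region`.

    restrictive=False is option one (the single global tag). restrictive=True is
    option two; regions that need several regional tags are refused here so the
    caller consults the multi-tag tables instead of silently allowing too little.
    """
    if not restrictive:
        return [GLOBAL_TAG]
    key = region.replace(" ", "").lower()
    if key in SINGLE_REGIONAL_TAG:
        return [SINGLE_REGIONAL_TAG[key]]
    raise ValueError(f"{region!r} needs multiple regional service tags; see the multi-tag tables")


def az_rule_create_command(resource_group, nsg_name, tags, priority=100, port="443"):
    """Build the Azure CLI command that adds the inbound allow rule.

    Port 443 and the rule name/priority are assumptions for this example; adjust
    them to your environment. Service tags are passed as source address prefixes.
    """
    args = [
        "az", "network", "nsg", "rule", "create",
        "--resource-group", resource_group,
        "--nsg-name", nsg_name,
        "--name", "AllowHDInsightManagement",
        "--priority", str(priority),
        "--direction", "Inbound",
        "--access", "Allow",
        "--protocol", "Tcp",
        "--source-address-prefixes", *tags,
        "--destination-port-ranges", port,
    ]
    return shlex.join(args)


def _sources(rule):
    """Collect every source prefix of a rule (single and list forms)."""
    srcs = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.append(rule["sourceAddressPrefix"])
    return srcs


def audit_rules(rules):
    """Classify inbound allow rules from `az network nsg rule list` style JSON.

    Returns a dict with the names of rules whose source is an HDInsight service
    tag, and the names of broad rules (source '*' or 'Internet') that admit far
    more than the health and management services do.
    """
    tag_rules, broad_rules = [], []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        srcs = _sources(rule)
        if any(s == GLOBAL_TAG or s.startswith(GLOBAL_TAG + ".") for s in srcs):
            tag_rules.append(rule["name"])
        if any(s in ("*", "Internet") for s in srcs):
            broad_rules.append(rule["name"])
    return {"tag_rules": tag_rules, "broad_rules": broad_rules}


# Constructed sample: what a small NSG might look like after following the steps above
# while an older, overly broad rule is still present.
SAMPLE_RULES = [
    {"name": "AllowHDInsightManagement", "direction": "Inbound", "access": "Allow",
     "priority": 100, "sourceAddressPrefix": "HDInsight.WestUS2", "sourceAddressPrefixes": []},
    {"name": "AllowAnyInbound443", "direction": "Inbound", "access": "Allow",
     "priority": 200, "sourceAddressPrefix": "*", "sourceAddressPrefixes": []},
    {"name": "DenyAllInbound", "direction": "Inbound", "access": "Deny",
     "priority": 4096, "sourceAddressPrefix": "*", "sourceAddressPrefixes": []},
    {"name": "AllowVnetOutbound", "direction": "Outbound", "access": "Allow",
     "priority": 100, "sourceAddressPrefix": "VirtualNetwork", "sourceAddressPrefixes": []},
]

if __name__ == "__main__":
    tags = service_tags_for("West US 2")
    print(az_rule_create_command("my-rg", "my-nsg", tags))
    print(audit_rules(SAMPLE_RULES))
```

In practice you would feed `audit_rules` the parsed output of `az network nsg rule list --resource-group <rg> --nsg-name <nsg> -o json`; a result with an empty `tag_rules` list means the cluster still depends on a broad rule (or has none), and any name in `broad_rules` is a candidate to tighten once the tag-based rule is in place.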
Use multiple regional service tags
If you prefer service tag option two, and the region where your cluster is created wasn't listed above, then you need to allow multiple regional service tags. The need to use more than one is due to differences in the arrangement of resource providers for the various regions.
The remaining regions are divided into groups based on which regional service tags they use.
If your cluster is created in one of the regions in the table below, allow the service tags HDInsight.EastUS in addition to the regional service tag listed. Regions in this section require three service tags. For example, if your cluster is created in the East US 2 region, then you'll need to add the following service tags to your network security group:

| Country | Region | Service tag |
|---|---|---|
| United States | East US 2 | HDInsight.EastUS2 |
| United States | North Central US | HDInsight.NorthCentralUS |
| United States | South Central US | HDInsight.SouthCentralUS |
Clusters in the China North and China East regions need to allow two service tags:
Clusters in the US Gov Iowa and US Gov Virginia regions need to allow two service tags:
Clusters in the Germany Central and Germany Northeast regions need to allow two service tags: