NSG service tags for Azure HDInsight
Azure HDInsight service tags for network security groups (NSGs) are groups of IP addresses for health and management services. These groups help minimize complexity for security rule creation. Service tags allow inbound traffic from specific IPs without entering each of the management IP addresses in your NSGs.
The HDInsight service manages these service tags. You can't create your own service tag or modify an existing tag. Microsoft manages the address prefixes that match to the service tag and automatically updates the service tag as addresses change.
If you would like to use a particular region and the service tag is not yet documented on this page, you can use the Service Tag Discovery API to find your service tag. You can also download the service tag JSON file and search for your desired region.
Get started with service tags
You have two options for using service tags in your network security groups:
Use a single global HDInsight service tag: This option opens your virtual network to all IP addresses that the HDInsight service uses to monitor clusters across all regions. This option is the simplest method, but might not be appropriate if you have restrictive security requirements.
Use multiple regional service tags: This option opens your virtual network to only the IP addresses that HDInsight uses in that specific region. However, if you're using multiple regions, you'll need to add multiple service tags to your virtual network.
Use a single global HDInsight service tag
The easiest way to begin using service tags with your HDInsight cluster is to add the global tag
HDInsight to an NSG rule.
From the Azure portal, select your network security group.
Under Settings, select Inbound security rules, and then select + Add.
From the Source drop-down list, select Service Tag.
From the Source service tag drop-down list, select HDInsight.
This tag contains the IP addresses of health and management services for all regions where HDInsight is available. The tag will ensure that your cluster can communicate with the necessary health and management services no matter where it's created.
Use regional HDInsight service tags
If the global tag option won't work because you need more restrictive permissions, you can allow only the service tags applicable for your region. There may be multiple service tags, depending on the region where your cluster is created.
To find out which service tags to add for your region, read the following sections of the article.
Use a single regional service tag
If your cluster is located in a region listed in this table, you only need to add a single regional service tag to your NSG.
|China||China East 2||HDInsight.ChinaEast2|
|China North 2||HDInsight.ChinaNorth2|
|JIO India West||HDInsight.JioIndiaWest|
|South Africa||South Africa North||HDInsight.SouthAfricaNorth|
|Germany||Germany West Central||HDInsight.GermanyWestCentral|
|United States||North Central US||HDInsight.NorthCentralUS|
|West US 2||HDInsight.WestUS2|
|West US 3||HDInsight.WestUS3|
|West Central US||HDInsight.WestCentralUS|
|Azure Government||USDoD Central||HDInsight.USDoDCentral|
Use multiple regional service tags
If the region where your cluster was created isn't listed in the preceding table, you need to allow multiple regional service tags. The need to use more than one is because of differences in the arrangement of resource providers for the various regions.
The remaining regions are divided into groups based on which regional service tags they use.
If your cluster is created in one of the regions in the following table, allow the service tags
HDInsight.EastUS. Also, the regional service tag listed. Regions in this section require three service tags.
For example, if your cluster is created in the
East US 2 region, you'll need to add the following service tags to your network security group:
|United States||East US 2||HDInsight.EastUS2|
|NorthCentral US||HDInsight. NorthCentralUS|
|South Central US||HDInsight.SouthCentralUS|
Clusters in the regions of China North and China East need to allow two service tags:
Clusters in the regions of US Gov Iowa and US Gov Virginia need to allow two service tags:
Clusters in the regions of Germany Central and Germany Northeast need to allow two service tags: