Required outbound network rules

The Azure Managed Instance for Apache Casandra service requires certain network rules to properly manage the service. By ensuring you have the proper rules exposed, you can keep your service secure and prevent operational issues.

Virtual network service tags

If you are using Azure Firewall to restrict outbound access, we highly recommend using virtual network service tags. Below are the tags required to make Azure Managed Instance for Apache Cassandra function properly.

Destination Service Tag Protocol Port Use
Storage HTTPS 443 Required for secure communication between the nodes and Azure Storage for Control Plane communication and configuration.
AzureKeyVault HTTPS 443 Required for secure communication between the nodes and Azure Key Vault. Certificates and keys are used to secure communication inside the cluster.
EventHub HTTPS 443 Required to forward logs to Azure
AzureMonitor HTTPS 443 Required to forward metrics to Azure
AzureActiveDirectory HTTPS 443 Required for Azure Active Directory authentication.
AzureResourceManager HTTPS 443 Required to gather information about and manage Cassandra nodes (for example, reboot)
AzureFrontDoor.Firstparty HTTPS 443 Required for logging operations.
GuestAndHybridManagement HTTPS 443 Required to gather information about and manage Cassandra nodes (for example, reboot)
ApiManagement HTTPS 443 Required to gather information about and manage Cassandra nodes (for example, reboot)

Note

In addition to the above, you will also need to add the following address prefixes, as a service tag does not exist for the relevant service: 104.40.0.0/13 13.104.0.0/14 40.64.0.0/10

User-defined routes

If you are using a 3rd party Firewall to restrict outbound access, we highly recommend configuring user-defined routes (UDRs) for Microsoft address prefixes, rather than attempting to allow connectivity through your own Firewall. See sample bash script to add the required address prefixes in user-defined routes.

Azure Global required network rules

The required network rules and IP address dependencies are:

Destination Endpoint Protocol Port Use
snovap<region>.blob.core.windows.net:443
Or
ServiceTag - Azure Storage
HTTPS 443 Required for secure communication between the nodes and Azure Storage for Control Plane communication and configuration.
*.store.core.windows.net:443
Or
ServiceTag - Azure Storage
HTTPS 443 Required for secure communication between the nodes and Azure Storage for Control Plane communication and configuration.
*.blob.core.windows.net:443
Or
ServiceTag - Azure Storage
HTTPS 443 Required for secure communication between the nodes and Azure Storage to store backups. Backup feature is being revised and storage name will follow a pattern by GA
vmc-p-<region>.vault.azure.net:443
Or
ServiceTag - Azure KeyVault
HTTPS 443 Required for secure communication between the nodes and Azure Key Vault. Certificates and keys are used to secure communication inside the cluster.
management.azure.com:443
Or
ServiceTag - Azure Virtual Machine Scale Sets/Azure Management API
HTTPS 443 Required to gather information about and manage Cassandra nodes (for example, reboot)
*.servicebus.windows.net:443
Or
ServiceTag - Azure EventHub
HTTPS 443 Required to forward logs to Azure
jarvis-west.dc.ad.msft.net:443
Or
ServiceTag - Azure Monitor
HTTPS 443 Required to forward metrics Azure
login.microsoftonline.com:443
Or
ServiceTag - Azure AD
HTTPS 443 Required for Azure Active Directory authentication.
packages.microsoft.com HTTPS 443 Required for updates to Azure security scanner definition and signatures
azure.microsoft.com HTTPS 443 Required to get information about virtual machine scale sets
<region>-dsms.dsms.core.windows.net HTTPS 443 Certificate for logging
gcs.prod.monitoring.core.windows.net HTTPS 443 Logging endpoint needed for logging
global.prod.microsoftmetrics.com HTTPS 443 Needed for metrics
shavsalinuxscanpkg.blob.core.windows.net HTTPS 443 Needed to download/update security scanner
crl.microsoft.com HTTPS 443 Needed to access public Microsoft certificates
global-dsms.dsms.core.windows.net HTTPS 443 Needed to access public Microsoft certificates

DNS access

The system uses DNS names to reach the Azure services described in this article so that it can use load balancers. Therefore, the virtual network must run a DNS server that can resolve those addresses. The virtual machines in the virtual network honor the name server that is communicated through the DHCP protocol. In most cases, Azure automatically sets up a DNS server for the virtual network. If this doesn't occur in your scenario, the DNS names that are described in this article are a good guide to get started.

Internal port usage

The following ports are only accessible within the VNET (or peered vnets./express routes). Managed Instance for Apache Cassandra instances do not have a public IP and should not be made accessible on the Internet.

Port Use
8443 Internal
9443 Internal
7001 Gossip - Used by Cassandra nodes to talk to each other
9042 Cassandra -Used by clients to connect to Cassandra
7199 Internal

Next steps

In this article, you learned about network rules to properly manage the service. Learn more about Azure Managed Instance for Apache Cassandra with the following articles: