Required outbound network rules
The Azure Managed Instance for Apache Cassandra service requires certain network rules to properly manage the service. By ensuring you have the proper rules exposed, you can keep your service secure and prevent operational issues.
Warning
We recommend exercising caution when applying changes to firewall rules for an existing cluster. For example, if rules are not applied correctly, they might not be applied to existing connections, so it may appear that firewall changes have not caused any problems. However, automatic updates of the Cassandra Managed Instance nodes may subsequently fail. We recommend monitoring connectivity after any major firewall updates for some time to ensure there are no issues.
Virtual network service tags
Tip
If you use VPN then you don't need to open any other connection.
If you're using Azure Firewall to restrict outbound access, we highly recommend using virtual network service tags. The tags in the table are required to make Azure SQL Managed Instance for Apache Cassandra function properly.
Destination Service Tag | Protocol | Port | Use |
---|---|---|---|
Storage | HTTPS | 443 | Required for secure communication between the nodes and Azure Storage for Control Plane communication and configuration. |
AzureKeyVault | HTTPS | 443 | Required for secure communication between the nodes and Azure Key Vault. Certificates and keys are used to secure communication inside the cluster. |
EventHub | HTTPS | 443 | Required to forward logs to Azure |
AzureMonitor | HTTPS | 443 | Required to forward metrics to Azure |
AzureActiveDirectory | HTTPS | 443 | Required for Microsoft Entra authentication. |
AzureResourceManager | HTTPS | 443 | Required to gather information about and manage Cassandra nodes (for example, reboot) |
AzureFrontDoor.Firstparty | HTTPS | 443 | Required for logging operations. |
GuestAndHybridManagement | HTTPS | 443 | Required to gather information about and manage Cassandra nodes (for example, reboot) |
ApiManagement | HTTPS | 443 | Required to gather information about and manage Cassandra nodes (for example, reboot) |
Note
In addition to the tags table, you will also need to add the following address prefixes, as a service tag does not exist for the relevant service: 104.40.0.0/13 13.104.0.0/14 40.64.0.0/10
User-defined routes
If you're using a non-Microsoft Firewall to restrict outbound access, we highly recommend configuring user-defined routes (UDRs) for Microsoft address prefixes, rather than attempting to allow connectivity through your own Firewall. See sample bash script to add the required address prefixes in user-defined routes.
Azure Global required network rules
The required network rules and IP address dependencies are:
Destination Endpoint | Protocol | Port | Use |
---|---|---|---|
snovap<region>.blob.core.windows.net:443 Or ServiceTag - Azure Storage |
HTTPS | 443 | Required for secure communication between the nodes and Azure Storage for Control Plane communication and configuration. |
*.store.core.windows.net:443 Or ServiceTag - Azure Storage |
HTTPS | 443 | Required for secure communication between the nodes and Azure Storage for Control Plane communication and configuration. |
*.blob.core.windows.net:443 Or ServiceTag - Azure Storage |
HTTPS | 443 | Required for secure communication between the nodes and Azure Storage to store backups. Backup feature is being revised and a pattern for storage name follows by GA |
vmc-p-<region>.vault.azure.net:443 Or ServiceTag - Azure KeyVault |
HTTPS | 443 | Required for secure communication between the nodes and Azure Key Vault. Certificates and keys are used to secure communication inside the cluster. |
management.azure.com:443 Or ServiceTag - Azure Virtual Machine Scale Sets/Azure Management API |
HTTPS | 443 | Required to gather information about and manage Cassandra nodes (for example, reboot) |
*.servicebus.windows.net:443 Or ServiceTag - Azure EventHub |
HTTPS | 443 | Required to forward logs to Azure |
jarvis-west.dc.ad.msft.net:443 Or ServiceTag - Azure Monitor |
HTTPS | 443 | Required to forward metrics Azure |
login.microsoftonline.com:443 Or ServiceTag - Microsoft Entra ID |
HTTPS | 443 | Required for Microsoft Entra authentication. |
packages.microsoft.com | HTTPS | 443 | Required for updates to Azure security scanner definition and signatures |
azure.microsoft.com | HTTPS | 443 | Required to get information about virtual machine scale sets |
<region>-dsms.dsms.core.windows.net | HTTPS | 443 | Certificate for logging |
gcs.prod.monitoring.core.windows.net | HTTPS | 443 | Logging endpoint needed for logging |
global.prod.microsoftmetrics.com | HTTPS | 443 | Needed for metrics |
shavsalinuxscanpkg.blob.core.windows.net | HTTPS | 443 | Needed to download/update security scanner |
crl.microsoft.com | HTTPS | 443 | Needed to access public Microsoft certificates |
global-dsms.dsms.core.windows.net | HTTPS | 443 | Needed to access public Microsoft certificates |
DNS access
The system uses DNS names to reach the Azure services described in this article so that it can use load balancers. Therefore, the virtual network must run a DNS server that can resolve those addresses. The virtual machines in the virtual network honor the name server that is communicated through the DHCP protocol. In most cases, Azure automatically sets up a DNS server for the virtual network. If this doesn't occur in your scenario, the DNS names that are described in this article are a good guide to get started.
Internal port usage
The following ports are only accessible within the virtual network (or peered vnets./express routes). Azure Managed Instances for Apache Cassandra don't have a public IP and shouldn't be made accessible on the Internet.
Port | Use |
---|---|
8443 | Internal |
9443 | Internal |
7001 | Gossip - Used by Cassandra nodes to talk to each other |
9042 | Cassandra -Used by clients to connect to Cassandra |
7199 | Internal |
Next steps
In this article, you learned about network rules to properly manage the service. Learn more about Azure SQL Managed Instance for Apache Cassandra with the following articles:
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for