
aztk cluster inside restricted Virtual Network

Open josemathew opened this issue 7 years ago • 2 comments

If we were to create a Virtual Network, and restrict inbound access only from a bastion host, will an aztk cluster be able to operate without any issues?

For example, for HDInsight to operate ( in a similar scenario ), we have to enable access to port 443 from 4 different IP addresses. ( https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-extend-hadoop-virtual-network#hdinsight-ip-1 )

Does aztk have a similar requirement?

josemathew avatar Feb 27 '18 02:02 josemathew

Jose, thanks for bringing this up. The short answer to this question is yes, there are some requirements here, however, they are not the same as HDInsight's. I am investigating and will be adding documentation on the exact requirements we have here. I'll update you shortly.

jafreck avatar Mar 06 '18 05:03 jafreck

@josemathew Here is some documentation on VNET requirements in Azure Batch (the underlying infrastructure AZTK uses). Critically:

You do not need to specify a NSG (Network Security Group), because Batch allows only Batch IP addresses. 

However, if you do specify an NSG, please ensure that the IP addresses of the Batch service and at least source port 443 is open for inbound traffic. To obtain the Batch service's IP addresses, please contact Azure Support.

In particular, you need to whitelist the Batch Service's IPs for AZTK to remain functional in the scenario you described.

jafreck avatar Mar 07 '18 20:03 jafreck
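The answer above says an NSG on the cluster subnet must still admit the Batch service's IP addresses on port 443, or the bastion-only design will cut the nodes off from Batch. The following is an added example, not code from AZTK or Azure, that audits an NSG rule set for exactly that condition using the evaluation order Azure applies (lowest priority number wins, first match decides, implicit DenyAllInbound otherwise). The rule set and the Batch IP list are constructed sample data; the real Batch service IPs must come from Azure Support as the quoted docs state. Service tags, application security groups and source-port filtering are deliberately left out of this simplified evaluator.

```python
"""Audit an NSG rule set for inbound TCP/443 access from the Azure Batch service.

Added example: the NSG rules and Batch IPs below are constructed sample data,
not real Azure output. Real Batch service IPs must be obtained from Azure Support.
"""
import ipaddress

# Constructed sample NSG: a "bastion only" design that denies everything else inbound.
SAMPLE_NSG_RULES = [
    {"name": "AllowBastionSSH", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.4/32",
     "destinationPortRange": "22"},
    {"name": "DenyAllInbound", "priority": 200, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]

# Placeholder Batch service IPs (documentation range, NOT real Batch addresses).
PLACEHOLDER_BATCH_IPS = ["203.0.113.10", "203.0.113.11"]


def _source_matches(rule, ip):
    """True if the rule's source prefix (or prefix list) covers the IP."""
    prefixes = rule.get("sourceAddressPrefixes") or [rule["sourceAddressPrefix"]]
    for prefix in prefixes:
        if prefix in ("*", "Internet", "0.0.0.0/0"):
            return True
        try:
            if ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:
            continue  # service tags or malformed prefixes are not evaluated here
    return False


def _port_matches(port_range, port):
    """Match a single port against '*', 'N', 'A-B' or a comma-separated mix."""
    if port_range == "*":
        return True
    for part in port_range.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def evaluate_inbound(rules, src_ip, dst_port, proto="Tcp"):
    """Return (access, rule_name) for the first matching inbound rule, else the implicit deny."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    for r in inbound:
        if ((r["protocol"] == "*" or r["protocol"].lower() == proto.lower())
                and _source_matches(r, src_ip)
                and _port_matches(r["destinationPortRange"], dst_port)):
            return r["access"], r["name"]
    return "Deny", "DenyAllInbound (implicit default)"


def batch_blocked_by(rules, batch_ips):
    """Map each Batch IP the NSG would refuse on TCP/443 to the rule that blocks it."""
    blocked = {}
    for ip in batch_ips:
        access, name = evaluate_inbound(rules, ip, 443)
        if access != "Allow":
            blocked[ip] = name
    return blocked


def with_batch_allow_rule(rules, batch_ips, priority=150):
    """Return a copy of the rules plus an allow rule for the Batch IPs on TCP/443.

    The priority must be a lower number than the deny rule, or the allow is shadowed.
    """
    allow = {"name": "AllowBatchService443", "priority": priority, "direction": "Inbound",
             "access": "Allow", "protocol": "Tcp",
             "sourceAddressPrefixes": list(batch_ips), "destinationPortRange": "443"}
    return list(rules) + [allow]


if __name__ == "__main__":
    print("blocked before fix:", batch_blocked_by(SAMPLE_NSG_RULES, PLACEHOLDER_BATCH_IPS))
    fixed = with_batch_allow_rule(SAMPLE_NSG_RULES, PLACEHOLDER_BATCH_IPS)
    print("blocked after fix: ", batch_blocked_by(fixed, PLACEHOLDER_BATCH_IPS))
```

The second check in the block is the one that matters in practice: an allow rule added with a priority number higher than the existing DenyAllInbound is never reached, so the audit still reports the Batch IPs as blocked even though the rule exists.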