Azure Automation network configuration details
This page provides networking details that are required for Hybrid Runbook Worker and State Configuration, and for Update Management and Change Tracking and Inventory.
Hybrid Runbook Worker and State Configuration
The following port and URLs are required for the Hybrid Runbook Worker, and for Automation State Configuration to communicate with Azure Automation.
- Port: Only 443 required for outbound internet access
- Global URL:
*.azure-automation.cn
- Agent service:
https://<workspaceId>.agentsvc.azure-automation.cn
Network planning for Hybrid Runbook Worker
If you use a firewall to restrict access to the Internet, you must configure the firewall to permit access. The following port and URLs are required for the Hybrid Runbook Worker, and for Automation State Configuration to communicate with Azure Automation.
Property | Description |
---|---|
Port | 443 for outbound internet access |
If you have an Automation account that's defined for a specific region, you can restrict Hybrid Runbook Worker communication to that regional datacenter. Review the DNS records used by Azure Automation for the required DNS records.
Configuration of private networks for State Configuration
If your nodes are located in a private network, the port and URLs defined above are required. These resources provide network connectivity for the managed node and allow DSC to communicate with Azure Automation.
If you are using DSC resources that communicate between nodes, such as the WaitFor resources, you also need to allow traffic between nodes. See the documentation for each DSC resource to understand these network requirements.
To understand client requirements for TLS 1.2 or higher, see TLS 1.2 or higher for Azure Automation.
Update Management and Change Tracking and Inventory
The addresses in this table are required both for Update Management and for Change Tracking and Inventory. The paragraph following the table also applies to both.
Communication to these addresses uses port 443.
Azure China Cloud |
---|
*.ods.opinsights.azure.cn |
*.oms.opinsights.azure.cn |
*.blob.core.chinacloudapi.cn |
*.azure-automation.cn |
When you create network group security rules or configure Azure Firewall to allow traffic to the Automation service and the Log Analytics workspace, use the service tags GuestAndHybridManagement and AzureMonitor. This simplifies the ongoing management of your network security rules. To obtain the current service tag and range information to include as part of your on-premises firewall configurations, see downloadable JSON files.
Next steps
- Learn about Automation Update Management overview.
- Learn about Hybrid Runbook Worker.
- Learn about Automation State Configuration.