HDInsight management IP addresses

This article lists the IP addresses used by the Azure HDInsight health and management services. If you use network security groups (NSGs) or user-defined routes (UDRs), you may need to add some of these IP addresses to the allow list for inbound network traffic.

Introduction

Important

In most cases you can now use service tags in network security groups instead of adding IP addresses by hand. IP addresses will not be published for new Azure regions; those regions only have published service tags. The static management IP addresses listed here will eventually be deprecated.

If you use network security groups (NSGs) or user-defined routes (UDRs) to control inbound traffic to your HDInsight cluster, you must ensure that the cluster can still communicate with the critical Azure health and management services. Some of the IP addresses for these services are region-specific, and some apply to all Azure regions. If you aren't using custom DNS, you may also need to allow traffic to the Azure-provided DNS service.

If you need IP addresses for a region not listed here, use the Service Tag Discovery API to look them up for your region. If you can't use the API, download the service tag JSON file and search it for the region you need.
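The downloaded service tag file is a JSON document whose top-level "values" list holds one entry per tag, with the prefixes under "properties.addressPrefixes"; the HDInsight tags are named "HDInsight" (all regions) and "HDInsight.<Region>" (one region, region name without spaces). The following is an added example, not code from the article or from Microsoft, that pulls the prefixes for a region out of such a file and checks whether a given address is covered. The embedded file is a constructed sample that follows that layout and carries only the China North and China North 2 addresses from this article plus one unrelated tag; the layout of the real file is the assumption, not the addresses.

```python
import ipaddress
import json

# Constructed sample in the layout of the downloadable Service Tag JSON file
# (top-level "values" list; each entry has "name" and "properties.addressPrefixes").
# HDInsight prefixes are the China North / China North 2 addresses from this article.
SAMPLE_SERVICE_TAG_JSON = json.dumps({
    "changeNumber": 1,
    "cloud": "AzureChinaCloud",
    "values": [
        {"name": "HDInsight", "id": "HDInsight",
         "properties": {"region": "", "systemService": "HDInsight",
                        "addressPrefixes": ["42.159.96.170/32", "139.217.2.219/32",
                                            "42.159.198.178/32", "42.159.234.157/32",
                                            "40.73.37.141/32", "40.73.38.172/32"]}},
        {"name": "HDInsight.ChinaNorth", "id": "HDInsight.ChinaNorth",
         "properties": {"region": "chinanorth", "systemService": "HDInsight",
                        "addressPrefixes": ["42.159.96.170/32", "139.217.2.219/32",
                                            "42.159.198.178/32", "42.159.234.157/32"]}},
        {"name": "HDInsight.ChinaNorth2", "id": "HDInsight.ChinaNorth2",
         "properties": {"region": "chinanorth2", "systemService": "HDInsight",
                        "addressPrefixes": ["40.73.37.141/32", "40.73.38.172/32"]}},
        # Unrelated tag with a constructed prefix; it must not leak into the result.
        {"name": "Storage.ChinaNorth", "id": "Storage.ChinaNorth",
         "properties": {"region": "chinanorth", "systemService": "AzureStorage",
                        "addressPrefixes": ["10.0.0.0/8"]}},
    ],
})


def load_service_tags(text):
    """Parse the file and return its list of tag entries."""
    data = json.loads(text)
    if not isinstance(data.get("values"), list):
        raise ValueError("not a service tag file: missing top-level 'values' list")
    return data["values"]


def hdinsight_prefixes(tags, region=None):
    """Address prefixes of the HDInsight tag for `region` (e.g. "China North 2"),
    or of the region-less "HDInsight" tag when region is None.

    Regional tags are named "HDInsight.<RegionWithoutSpaces>"; the comparison ignores
    case and spaces, so "china north 2" matches "HDInsight.ChinaNorth2".
    """
    wanted = "HDInsight" if region is None else "HDInsight." + region.replace(" ", "")
    nets = set()
    for tag in tags:
        if tag["name"].lower() != wanted.lower():
            continue
        for prefix in tag["properties"]["addressPrefixes"]:
            nets.add(ipaddress.ip_network(prefix))
    # Deterministic order: IPv4 before IPv6, then numerically by network address.
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def covers(prefixes, ip):
    """True if `ip` falls inside any prefix; useful for checking a source seen in NSG flow logs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


if __name__ == "__main__":
    tags = load_service_tags(SAMPLE_SERVICE_TAG_JSON)
    for net in hdinsight_prefixes(tags, "China North"):
        print(net)
```

The same functions work unchanged on the real downloaded file; `str(net)` on each returned network gives the CIDR string to paste into an NSG rule's source address prefixes.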

HDInsight validates these rules during cluster creation and scaling so that a misconfigured network fails early rather than later; if validation does not pass, the create or scale operation fails. The following sections list the specific IP addresses that must be allowed.

Azure DNS service

If you're using the Azure-provided DNS service, allow access to 168.63.129.16 on port 53 for both TCP and UDP. For more information, see the Name resolution for VMs and role instances document. If you're using custom DNS, skip this step.

Health and management services: all regions

Allow traffic from the following IP addresses for the Azure HDInsight health and management services that apply to all Azure regions:

Source IP address   Destination   Direction
168.61.49.99        *:443         Inbound
23.99.5.239         *:443         Inbound
168.61.48.131       *:443         Inbound
138.91.141.162      *:443         Inbound

Health and management services: specific regions

Allow traffic from the IP addresses listed for the Azure HDInsight health and management services in the specific Azure region where your resources are located:

Important

If the Azure region you are using is not listed, use the service tag feature of network security groups instead.

Country   Region          Allowed source IP addresses                                    Allowed destination   Direction
China     China North     42.159.96.170, 139.217.2.219, 42.159.198.178, 42.159.234.157   *:443                 Inbound
China     China East      42.159.198.178, 42.159.234.157, 42.159.96.170, 139.217.2.219   *:443                 Inbound
China     China North 2   40.73.37.141, 40.73.38.172                                     *:443                 Inbound
China     China East 2    139.217.227.106, 139.217.228.187                               *:443                 Inbound

For more information, see Control network traffic.

If you're using user-defined routes (UDRs), add a route that allows outbound traffic from the virtual network to the IP addresses above with the next hop set to "Internet", so that traffic to the management services is not forced through a different next hop such as a network virtual appliance or a forced tunnel. Routes are selected by longest prefix match, so a /32 route per management address takes precedence over a 0.0.0.0/0 route that sends all other traffic elsewhere.
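Before creating or scaling a cluster, it is cheaper to check locally that the NSG and route table actually permit the flows listed above than to let the platform validation fail. The following is an added example, not code from the article or from Microsoft, and it is not how HDInsight performs its own validation: it models NSG evaluation (first matching rule by ascending priority decides, Azure's default DenyAllInBound / AllowInternetOutBound rules included) and UDR next-hop selection (longest prefix match, system default 0.0.0.0/0 to Internet), then reports which required management flows from this article are blocked. The NSG rules, the route table and the node address 10.0.0.4 are constructed samples; the default rules are modelled with "*" prefixes, whereas the real AllowInternetOutBound rule uses the Internet service tag as its destination.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Required sources from this article: global and regional management IPs need inbound
# TCP 443 to the cluster; the cluster needs outbound 53 TCP+UDP to Azure-provided DNS.
GLOBAL_MANAGEMENT_IPS = ["168.61.49.99", "23.99.5.239", "168.61.48.131", "138.91.141.162"]
REGIONAL_MANAGEMENT_IPS = {
    "China North":   ["42.159.96.170", "139.217.2.219", "42.159.198.178", "42.159.234.157"],
    "China East":    ["42.159.198.178", "42.159.234.157", "42.159.96.170", "139.217.2.219"],
    "China North 2": ["40.73.37.141", "40.73.38.172"],
    "China East 2":  ["139.217.227.106", "139.217.228.187"],
}
AZURE_DNS = "168.63.129.16"


@dataclass
class NsgRule:
    name: str
    priority: int            # lower number is evaluated first
    direction: str           # "Inbound" or "Outbound"
    access: str              # "Allow" or "Deny"
    protocol: str            # "Tcp", "Udp" or "*"
    sources: List[str]       # CIDR prefixes, or "*" for any
    destinations: List[str]  # CIDR prefixes, or "*" for any
    dest_ports: List         # port numbers, or "*" for any


@dataclass
class Route:
    address_prefix: str
    next_hop_type: str       # "Internet", "VirtualAppliance", "VirtualNetworkGateway", ...


# Azure's built-in default rules, modelled with "*" prefixes (assumption: the real
# AllowInternetOutBound rule uses the Internet service tag as its destination).
AZURE_DEFAULT_RULES = [
    NsgRule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", ["*"], ["*"], ["*"]),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", ["*"], ["*"], ["*"]),
    NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", ["*"], ["*"], ["*"]),
]


def _prefix_match(prefixes, addr):
    return any(p == "*" or addr in ipaddress.ip_network(p) for p in prefixes)


def nsg_allows(rules, direction, src, dst, port, proto):
    """First rule (ascending priority) matching the flow decides; no match means deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if ((r.protocol == "*" or r.protocol.lower() == proto.lower())
                and ("*" in r.dest_ports or port in r.dest_ports)
                and _prefix_match(r.sources, src_ip)
                and _prefix_match(r.destinations, dst_ip)):
            return r.access == "Allow"
    return False


def required_flows(region, node_ip):
    """(direction, src, dst, port, proto) tuples this article requires.
    node_ip stands in for any cluster node; 10.0.0.4 below is a constructed example."""
    flows = [("Inbound", ip, node_ip, 443, "Tcp")
             for ip in GLOBAL_MANAGEMENT_IPS + REGIONAL_MANAGEMENT_IPS[region]]
    flows += [("Outbound", node_ip, AZURE_DNS, 53, p) for p in ("Tcp", "Udp")]
    return flows


def missing_nsg_flows(rules, region, node_ip="10.0.0.4"):
    """Required flows the NSG would drop."""
    return [f for f in required_flows(region, node_ip) if not nsg_allows(rules, *f)]


def next_hop(routes, ip):
    """Longest prefix match over user routes; no match falls back to the system
    route 0.0.0.0/0 -> Internet."""
    addr, best = ipaddress.ip_address(ip), None
    for r in routes:
        net = ipaddress.ip_network(r.address_prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r.next_hop_type)
    return best[1] if best else "Internet"


def udr_problems(routes, region):
    """Management IPs whose effective next hop is not Internet, e.g. swallowed by a
    0.0.0.0/0 route to an NVA that has no more specific /32 exception for them."""
    ips = GLOBAL_MANAGEMENT_IPS + REGIONAL_MANAGEMENT_IPS[region]
    return [(ip, next_hop(routes, ip)) for ip in ips if next_hop(routes, ip) != "Internet"]


# Constructed NSG: allows the global IPs and three of the four China North IPs.
SAMPLE_RULES = AZURE_DEFAULT_RULES + [
    NsgRule("AllowHDIManagementGlobal", 300, "Inbound", "Allow", "Tcp",
            [ip + "/32" for ip in GLOBAL_MANAGEMENT_IPS], ["*"], [443]),
    NsgRule("AllowHDIManagementChinaNorth", 310, "Inbound", "Allow", "Tcp",
            ["42.159.96.170/32", "139.217.2.219/32", "42.159.198.178/32"], ["*"], [443]),
]
# Constructed route table: default route to an NVA, /32 exceptions for all but one IP.
SAMPLE_ROUTES = [Route("0.0.0.0/0", "VirtualAppliance")] + [
    Route(ip + "/32", "Internet")
    for ip in GLOBAL_MANAGEMENT_IPS + ["42.159.96.170", "139.217.2.219", "42.159.198.178"]]

if __name__ == "__main__":
    for flow in missing_nsg_flows(SAMPLE_RULES, "China North"):
        print("NSG blocks required flow:", flow)
    for ip, hop in udr_problems(SAMPLE_ROUTES, "China North"):
        print(f"UDR sends {ip} to {hop}, expected Internet")
```

Run against the constructed sample, both checks point at the same address, 42.159.234.157: it is missing from the inbound allow rule and lacks a /32 route past the NVA. To check a real network, fill NsgRule and Route from the effective security rules and effective routes of the cluster subnet's NIC; the checker deliberately evaluates the same first-match and longest-prefix semantics the platform uses, so a flow it reports as blocked would also fail the platform's own validation.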

Next steps