HDInsight 管理 IP 地址HDInsight management IP addresses


在大多数情况下,现在可以对网络安全组使用服务标记功能,而不是手动添加 IP 地址。In most cases, you can now use the service tag feature for network security groups, instead of manually adding IP addresses. 将仅为服务标记添加新区域,并且最终将弃用静态 IP 地址。New regions will only be added for service tags and the static IP addresses will eventually be deprecated.

如果使用网络安全组 (NSG) 或用户定义的路由 (UDR) 来控制流向 HDInsight 群集的入站流量,则必须确保群集能够与关键的 Azure 运行状况和管理服务通信。If you use network security groups (NSGs) or user defined routes (UDRs) to control inbound traffic to your HDInsight cluster, you must ensure that your cluster can communicate with critical Azure health and management services. 这些服务的有些 IP 地址特定于区域,而有些则适用于所有 Azure 区域。Some of the IP addresses for these services are region specific, and some of them apply to all Azure regions. 如果使用的不是自定义 DNS,则可能还需要允许来自 Azure DNS 服务的流量。You may also need to allow traffic from the Azure DNS service if you aren't using custom DNS.

以下部分介绍了必须允许的特定 IP 地址。The following sections discuss the specific IP addresses that must be allowed.

Azure DNS 服务Azure DNS service

如果使用的是 Azure 提供的 DNS 服务,则允许通过端口 53 从 进行访问。If you are using the Azure-provided DNS service, allow access from on port 53. 有关详细信息,请参阅 VM 和角色实例的名称解析文档。For more information, see the Name resolution for VMs and Role instances document. 如果使用的是自定义 DNS,请跳过此步骤。If you are using custom DNS, skip this step.

运行状况和管理服务:所有区域Health and management services: All regions

对于适用于所有 Azure 区域的 Azure HDInsight 运行状况和管理服务,允许来自其以下 IP 地址的流量:Allow traffic from the following IP addresses for Azure HDInsight health and management services which apply to all Azure regions:

源 IP 地址Source IP address 目标Destination 方向Direction *:443*:443 入站Inbound *:443*:443 入站Inbound *:443*:443 入站Inbound *:443*:443 入站Inbound

运行状况和管理服务:特定的区域Health and management services: Specific regions

对于位于资源所在特定 Azure 区域中的 Azure HDInsight 运行状况和管理服务,允许来自以下 IP 地址的流量:Allow traffic from the IP addresses listed for the Azure HDInsight health and management services in the specific Azure region where your resources are located:


如果未列出你使用的 Azure 区域,请使用网络安全组的服务标记功能。If the Azure region you are using is not listed, then use the service tag feature for network security groups.

国家/地区Country 区域Region 允许的源 IP 地址Allowed Source IP addresses 允许的目标Allowed Destination 方向Direction
中国China 中国北部China North
*:443*:443 入站Inbound
  中国东部China East
*:443*:443 入站Inbound
  中国北部 2China North 2
*:443*:443 入站Inbound
  中国东部 2China East 2
*:443*:443 入站Inbound

有关详细信息,请参阅控制网络流量部分。For more information, see the Controlling network traffic section.

如果使用用户定义的路由 (UDR),则应当指定一个路由并允许来自 VNET 的出站流量到达下一跃点设置为“Internet”的上述 IP。If you are using user-defined routes (UDRs), you should specify a route and allow outbound traffic from the VNET to the above IPs with the next hop set to "Internet".

后续步骤Next steps