Configure network virtual appliance in Azure HDInsight

Important

The following information is only required if you wish to configure a network virtual appliance (NVA) other than Azure Firewall.

The Azure Firewall FQDN tag is automatically configured to allow traffic for many of the common important FQDNs. Using another network virtual appliance will require you to configure a number of additional features. Keep the following factors in mind as you configure your network virtual appliance:

  • Services that support service endpoints can be configured with service endpoints, which results in bypassing the NVA, usually for cost or performance reasons.
  • If ResourceProviderConnection is set to Outbound, you can use private endpoints for the storage account and for the SQL servers used as metastores, and there is no need to add them to the NVA.
  • IP address dependencies are for non-HTTP/S traffic (both TCP and UDP traffic).
  • FQDN HTTP/HTTPS endpoints can be approved in your NVA device.
  • Assign the route table that you create to your HDInsight subnet.

Service endpoint capable dependencies

You can optionally enable one or more of the following service endpoints, which will result in bypassing the NVA. This option can be useful for large data transfers, to save on cost and for performance optimization.

Endpoint
  • Azure SQL
  • Azure Storage
  • Azure Active Directory

IP address dependencies

Endpoint: Details
  • IPs published here: These IPs are for the HDInsight resource provider and should be included in the UDR to avoid asymmetric routing. This rule is only needed if ResourceProviderConnection is set to Inbound. If ResourceProviderConnection is set to Outbound, these IPs are not needed in the UDR.
  • AAD-DS private IPs: Only needed for ESP clusters, if the VNETs are not peered.

FQDN HTTP/HTTPS dependencies

You can get the list of FQDN dependencies (mostly Azure Storage and Azure Service Bus) for configuring your NVA in this repo. For the regional list, see here. These dependencies are used by the HDInsight resource provider (RP) to create and monitor/manage clusters successfully. They include telemetry/diagnostic logs, provisioning metadata, cluster-related configurations, scripts, and so on. This FQDN dependency list might change as future HDInsight updates are released.

The list below gives only a few FQDNs that may be needed for OS and security patching or certificate validation after the cluster is created and during the lifetime of cluster operations:

Runtime dependency FQDNs
  • azure.archive.ubuntu.com:80
  • security.ubuntu.com:80
  • ocsp.msocsp.com:80
  • ocsp.digicert.com:80
  • microsoft.com:80
  • login.windows.net:443
  • login.microsoftonline.com:443
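As an added example (not part of the Microsoft documentation), the following Python script checks two of the rules above before a cluster is deployed: that every HDInsight RP IP is sent to the NVA by the subnet's UDR when ResourceProviderConnection is Inbound (a more specific route pointing elsewhere would cause the asymmetric routing the table warns about), and that the runtime FQDNs are present in the NVA allow-list. The RP IPs below are placeholders from the 203.0.113.0/24 documentation range, not the IPs Microsoft publishes, and the route table is modelled as (prefix, next hop type) tuples rather than read from Azure.

```python
import ipaddress

# Runtime FQDN:port dependencies from the list above.
RUNTIME_FQDNS = {
    "azure.archive.ubuntu.com:80", "security.ubuntu.com:80", "ocsp.msocsp.com:80",
    "ocsp.digicert.com:80", "microsoft.com:80",
    "login.windows.net:443", "login.microsoftonline.com:443",
}


def effective_next_hop(ip, routes):
    """Longest-prefix match over (prefix, next_hop_type) routes.

    Returns None when no UDR entry matches and the system route applies.
    """
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def unrouted_rp_ips(rp_ips, routes, resource_provider_connection):
    """Return HDInsight RP IPs whose effective next hop is not the NVA.

    With ResourceProviderConnection = Outbound the RP IPs are not needed in
    the UDR, so nothing is reported in that mode.
    """
    if resource_provider_connection == "Outbound":
        return []
    return [ip for ip in rp_ips if effective_next_hop(ip, routes) != "VirtualAppliance"]


def missing_runtime_fqdns(allowed):
    """Return runtime FQDN:port entries absent from the NVA allow-list."""
    return sorted(RUNTIME_FQDNS - set(allowed))


# Constructed sample: placeholder RP IPs (NOT the published ones) and a UDR that
# sends only part of the RP range to the NVA because a /28 to Internet is more
# specific than the default route.
SAMPLE_RP_IPS = ["203.0.113.10", "203.0.113.20"]
SAMPLE_ROUTES = [
    ("203.0.113.0/28", "VirtualAppliance"),   # covers .0 to .15 only
    ("203.0.113.16/28", "Internet"),          # overrides the default route for .16 to .31
    ("0.0.0.0/0", "VirtualAppliance"),        # default route to the NVA
]
SAMPLE_ALLOWLIST = ["ocsp.digicert.com:80", "login.microsoftonline.com:443"]

if __name__ == "__main__":
    print("RP IPs bypassing the NVA (Inbound):", unrouted_rp_ips(SAMPLE_RP_IPS, SAMPLE_ROUTES, "Inbound"))
    print("Runtime FQDNs missing from allow-list:", missing_runtime_fqdns(SAMPLE_ALLOWLIST))
```

Feed it the real published RP IP list and an export of your route table to get the same two reports for your subnet.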

Next steps