For LDMA to migrate data from your on-premise network to Azure, an agent is deployed on a Hadoop edge node. Outbound TCP connectivity needs to be possible from this edge node to a number of Azure Services to guarantee the successful installation of LDMA. Command and control is achieved from the Azure portal. As a result, there is no requirement for inbound connectivity to the Hadoop cluster.
Ensure that your Hadoop edge node can connect to the necessary endpoints below. These endpoints are necessary to use LiveData Migrator for Azure in any region.
| Endpoint | Port | Purpose |
|---|---|---|
| [accountname].dfs.core.windows.net | 443 | Data transfer HTTPS |
| [servername].database.windows.net | 1433 | Optional SQL server for Hive Metadata |
| pkg.wandisco.com, wdfrpdeployments.blob.core.windows.net | 443 | Installer download and packages |
Ensure your Hadoop edge node can also connect to the appropriate endpoints below for your chosen region (see the list of supported regions).
Port 443 is required to:
- Download the installer
- Run the installer
- Deploy target storage
- Deploy a migration
- Migrate data
Port 5671 is required to:
- Start LDMA
- Deploy storage
- Deploy a migration
The Netcat command-line utility can be used to test connectivity to the required Azure endpoints.
Run the following commands on the Hadoop edge node (where the LDMA agent will be deployed). Replace "accountname" with your account name, and "servername" with your server name.
If the Hadoop edge node is unable to establish network communication to any of the endpoints, LDMA will not function correctly. You will need to resolve this before the installation of LDMA can be achieved successfully.
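The page refers to per-endpoint Netcat commands; the script below is an added example (not part of the LDMA documentation) that performs the same outbound TCP check from the edge node in Python 3, so that every endpoint is tested the same way and a DNS failure is reported separately from a blocked TCP handshake. It assumes only the standard library; the hostnames and ports are the global endpoints from the table above, and the `extra` argument is a hypothetical way to append the region-specific port 5671 hosts, which this page does not list by name.

```python
"""Pre-installation TCP connectivity check for the LDMA edge node (added example)."""
import socket


def ldma_endpoints(account_name, server_name=None):
    """Return (host, port, purpose) triples for the global endpoints.

    Hostnames and ports come from the endpoint table; the SQL endpoint is
    only included when a server name is given, because it is optional
    (Hive metadata only).
    """
    endpoints = [
        (f"{account_name}.dfs.core.windows.net", 443, "data transfer (HTTPS)"),
        ("pkg.wandisco.com", 443, "installer download"),
        ("wdfrpdeployments.blob.core.windows.net", 443, "installer packages"),
    ]
    if server_name:
        endpoints.append(
            (f"{server_name}.database.windows.net", 1433,
             "optional SQL server for Hive metadata")
        )
    return endpoints


def check_endpoint(host, port, timeout=5.0):
    """Return (ok, detail) for one host:port.

    DNS is resolved first so that a blocked or misconfigured resolver is
    reported differently from a firewall that drops the TCP handshake.
    """
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return False, f"DNS resolution failed: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "TCP connect OK"
    except OSError as exc:  # timeout, connection refused, network unreachable
        return False, f"TCP connect failed: {exc}"


def run_checks(account_name, server_name=None, extra=(), timeout=5.0):
    """Check every endpoint; returns a list of (host, port, purpose, ok, detail).

    `extra` (assumed helper) takes additional (host, port, purpose) triples,
    e.g. the port 5671 Event Hubs / Service Bus hosts for your region.
    """
    results = []
    for host, port, purpose in list(ldma_endpoints(account_name, server_name)) + list(extra):
        ok, detail = check_endpoint(host, port, timeout)
        results.append((host, port, purpose, ok, detail))
    return results


def all_reachable(results):
    """True only if every endpoint passed; LDMA will not function otherwise."""
    return all(ok for _, _, _, ok, _ in results)


if __name__ == "__main__":
    import sys
    # Usage on the edge node: python3 check_ldma.py <accountname> [servername]
    account = sys.argv[1] if len(sys.argv) > 1 else "accountname"
    server = sys.argv[2] if len(sys.argv) > 2 else None
    report = run_checks(account, server)
    for host, port, purpose, ok, detail in report:
        print(f"{'PASS' if ok else 'FAIL'} {host}:{port} ({purpose}) - {detail}")
    sys.exit(0 if all_reachable(report) else 1)
```

A non-zero exit status means at least one endpoint is unreachable and the installation should not proceed until the network team has resolved it; keeping the DNS and TCP outcomes separate shortens that conversation, since a "DNS resolution failed" line points at the resolver or a DNS firewall rather than at the packet filter.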
Firewall configuration varies significantly from customer to customer, so the below is a general guide. Contact us if you are unable to work with your own security teams to ensure the tests in the previous section can pass.
The table below contains a list of DNS end-points that require a connection from the Hadoop edge node.
| Endpoint Name / Port | Global Range | Region Specific Range (example) |
|---|---|---|
| EventHub / 5671 | EventHub | EventHub.WestCentralUS |
| Storage / 443 | Storage | Storage.WestCentralUS |
| AzureMonitor / 443 | AzureMonitor | AzureMonitor.WestCentralUS |
| ActiveDirectory / 443 | AzureActiveDirectoryDomainServices | N/A |
| ServiceBus / 5671 | ServiceBus | ServiceBus.WestCentralUS |
| SQL Server / 1433 | SQL | Sql.WestCentralUS |
| Content Delivery Network (CDN) / 443 | AzureFrontDoor.Frontend | N/A |
Some users with DNS firewalls may find it sufficient to allow access to the end-point name. However, in many cases the on-premise firewall needs to be configured to allow access to the full IP ranges in use for these services.
Microsoft publishes the IP ranges here.
Some users allow access to all trusted Azure services in this list while they conduct their migration to Azure. It is also possible to allow only explicit ranges by looking up the service and the region of intended use.
Microsoft periodically updates the IP ranges in use for its services, so this list should be monitored and, where appropriate, firewall rules updated in the future.
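The following is an added example, not code from the LDMA documentation, showing how to turn Microsoft's published service-tag JSON into an explicit allow-list for the tags in the table above and how to diff two downloads so that a range change is noticed rather than discovered as a failed migration. It assumes the layout of the published "Azure IP Ranges and Service Tags – Public Cloud" file (`values[].name` and `values[].properties.addressPrefixes`); the embedded JSON is a constructed sample using documentation address ranges, not real Azure prefixes, and the tag-to-port mapping is taken from the table.

```python
"""Build and diff an LDMA firewall allow-list from Azure service-tag JSON (added example)."""
import ipaddress
import json

# Service tags from the table, with the port LDMA uses towards each service.
# The boolean marks tags that have no per-region variant (the "N/A" column).
LDMA_SERVICE_TAGS = {
    "EventHub": (5671, False),
    "Storage": (443, False),
    "AzureMonitor": (443, False),
    "AzureActiveDirectoryDomainServices": (443, True),
    "ServiceBus": (5671, False),
    "Sql": (1433, False),
    "AzureFrontDoor.Frontend": (443, True),
}

# Constructed sample in the layout of the published JSON file; the prefixes
# are RFC 5737 / RFC 3849 documentation ranges, not real Azure addresses.
SAMPLE_SERVICE_TAGS_JSON = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "Storage.WestCentralUS",
         "properties": {"region": "westcentralus",
                        "addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
        {"name": "EventHub.WestCentralUS",
         "properties": {"region": "westcentralus",
                        "addressPrefixes": ["198.51.100.0/25"]}},
        {"name": "AzureActiveDirectoryDomainServices",
         "properties": {"region": "", "addressPrefixes": ["192.0.2.0/24"]}},
        {"name": "Storage.EastUS",
         "properties": {"region": "eastus",
                        "addressPrefixes": ["198.51.100.128/25"]}},
    ],
})


def wanted_tags(region):
    """Map the exact tag names to look for in `region` onto their port."""
    wanted = {}
    for tag, (port, is_global) in LDMA_SERVICE_TAGS.items():
        wanted[tag if is_global else f"{tag}.{region}"] = port
    return wanted


def allow_list(service_tags_json, region, ipv4_only=True):
    """Return sorted (tag, prefix, port) rules for the given region.

    Every prefix is parsed with ipaddress so a malformed entry raises
    instead of silently becoming a rule; IPv6 is dropped unless requested.
    """
    doc = json.loads(service_tags_json)
    wanted = wanted_tags(region)
    rules = set()
    for entry in doc["values"]:
        port = wanted.get(entry["name"])
        if port is None:
            continue  # a tag or region LDMA does not need
        for prefix in entry["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=True)
            if ipv4_only and net.version != 4:
                continue
            rules.add((entry["name"], str(net), port))
    return sorted(rules)


def missing_tags(service_tags_json, region):
    """Tag names LDMA needs for the region that are absent from the download."""
    doc = json.loads(service_tags_json)
    present = {entry["name"] for entry in doc["values"]}
    return sorted(set(wanted_tags(region)) - present)


def diff_rules(old_rules, new_rules):
    """Return (added, removed) between two allow-lists from allow_list()."""
    old, new = set(old_rules), set(new_rules)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for tag, prefix, port in allow_list(SAMPLE_SERVICE_TAGS_JSON, "WestCentralUS"):
        print(f"allow tcp from edge-node to {prefix} port {port}  # {tag}")
    print("missing:", missing_tags(SAMPLE_SERVICE_TAGS_JSON, "WestCentralUS"))
```

Run it against the real file (or the output of `az network list-service-tags --location <region>`, whose entries carry the same `name` and `properties.addressPrefixes` fields), save the resulting rules, and re-run `diff_rules` after each new download; the `missing_tags` check catches a region name typed in a different form than the tag names use, which would otherwise yield an empty rule set without any error.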
If you are using an IPSec VPN:
- Check the Connection in Azure to make sure the status is connected.
- Check the Address Space on the Local Network Gateway matches the expected on-prem subnet.
- Check the Onprem device is showing the VPN as connected.
- Check the correct VNet is assigned to the Virtual Network Gateway.
If you are using ExpressRoute then you will need to check your BGP configuration is correct. This will likely require a Network Administrator as BGP will be configured on Edge devices.
Our native Azure service, LDMA, requires the on-premise agent to be able to connect to these services; without that connectivity, LDMA will not function correctly.
Contact us for help if you have issues with your connectivity.