Connecting your on-premises network to the Azure LDMA service

LiveData Migrator for Azure (LDMA) migrates data from your on-premises network to Azure through an agent deployed on a Hadoop edge node. That edge node must be able to open outbound TCP connections to a number of Azure services for LDMA to install and run. Command and control comes from the Azure portal over those same outbound connections, so no inbound connectivity to the Hadoop cluster is required: every rule described on this page is an egress rule from the edge node.

Common Azure endpoints

Ensure that your Hadoop edge node can connect to the endpoints below. They are required to use LiveData Migrator for Azure in any region.

| Endpoint | Port | Description |
|---|---|---|
| [accountname].dfs.core.windows.net | 443 | Data transfer (HTTPS) |
| dc.applicationinsights.azure.com | 443 | Azure metrics |
| dc.applicationinsights.microsoft.com | 443 | Azure metrics |
| dc.services.visualstudio.com | 443 | Azure metrics |
| *.in.applicationinsights.azure.com | 443 | Azure metrics |
| [servername].database.windows.net | 1433 | Optional: SQL server for Hive metadata |
| pkg.wandisco.com, wdfrpdeployments.blob.core.windows.net | 443 | Installer download and packages |

Regional endpoints

Ensure that your Hadoop edge node can also connect to the endpoints for your chosen region (see the list of supported regions). The table below is an example: the Application Insights ingestion endpoint shown is the West US 2 one, so substitute the endpoint for your own region.

| Endpoint | Port | Description |
|---|---|---|
| wd-frp-prod-sb-1.servicebus.windows.net | 5671 | AMQP messaging |
| ldm-metrics-prod.servicebus.windows.net | 5671 | AMQP messaging |
| westus2-0.in.applicationinsights.azure.com | 443 | Azure metrics |

Port 443 is required to:

  • Download the installer
  • Run the installer
  • Deploy target storage
  • Deploy a migration
  • Migrate data

Port 5671 is required to:

  • Start LDMA
  • Deploy storage
  • Deploy a migration

Test connectivity

The Netcat command-line utility (nc) can be used to test TCP connectivity to the required Azure endpoints.

Run the following commands on the Hadoop edge node (where the LDMA agent will be deployed). Replace "accountname" with your storage account name and "servername" with your SQL server name. The -w 5 option makes nc give up after five seconds instead of hanging when a firewall silently drops the connection attempt.

nc -zv -w 5 wd-frp-prod-sb-1.servicebus.windows.net 5671
nc -zv -w 5 ldm-metrics-prod.servicebus.windows.net 5671
nc -zv -w 5 [accountname].dfs.core.windows.net 443
nc -zv -w 5 dc.applicationinsights.microsoft.com 443
nc -zv -w 5 [servername].database.windows.net 1433
nc -zv -w 5 pkg.wandisco.com 443
nc -zv -w 5 wdfrpdeployments.blob.core.windows.net 443
nc -zv -w 5 wandiscopublicfusion.afd.azureedge.net 443
nc -zv -w 5 wdfrpdeployments.afd.azureedge.net 443

If the Hadoop edge node cannot establish a TCP connection to any of these endpoints, LDMA will not function correctly, and you will need to resolve the problem before LDMA can be installed. Note that a passing nc test only proves that a TCP session can be opened on that port; it does not prove that the name resolved to an Azure address rather than to an outbound proxy, or that a TLS session will complete. If an outbound proxy or TLS-inspecting device sits between the edge node and Azure, confirm separately that it passes these endpoints through untouched.
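As an added example (it is not part of this page or of WANdisco's tooling), the Python script below runs the same checks as the nc commands above from the edge node, but separates a DNS resolution failure from a TCP connect failure, since the two point at different firewall rules, and applies a per-connection timeout. The endpoint list is copied from the tables above; the placeholder values "myaccount" and "myserver" are assumptions for illustration and must be replaced with your own names.

```python
"""Outbound connectivity probe for the LDMA edge node (added example; not
WANdisco's tooling). Runs the same checks as the nc commands on this page,
but separates "DNS failed" from "TCP connect failed" and applies a timeout."""
import socket
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Endpoints from the page's tables. Bracketed names are placeholders that
# fill_placeholders() substitutes before probing.
REQUIRED_ENDPOINTS: List[Tuple[str, int]] = [
    ("[accountname].dfs.core.windows.net", 443),
    ("dc.applicationinsights.azure.com", 443),
    ("dc.applicationinsights.microsoft.com", 443),
    ("dc.services.visualstudio.com", 443),
    ("[servername].database.windows.net", 1433),  # optional Hive metadata SQL
    ("pkg.wandisco.com", 443),
    ("wdfrpdeployments.blob.core.windows.net", 443),
    ("wd-frp-prod-sb-1.servicebus.windows.net", 5671),
    ("ldm-metrics-prod.servicebus.windows.net", 5671),
]


@dataclass
class ProbeResult:
    host: str
    port: int
    status: str      # "ok", "dns-fail" or "tcp-fail"
    detail: str = ""


def fill_placeholders(host: str, values: Dict[str, str]) -> str:
    """Replace [name] placeholders; refuse to probe a host left unfilled."""
    out = host
    for key, value in values.items():
        out = out.replace(f"[{key}]", value)
    if "[" in out or "]" in out:
        raise ValueError(f"unfilled placeholder in {out!r}")
    return out


def probe(host: str, port: int, timeout: float = 5.0) -> ProbeResult:
    """Resolve host, then open and close one TCP connection (like nc -z).

    A DNS failure points at name resolution or a DNS firewall; a TCP
    failure (refused, timed out, unreachable) points at an egress rule.
    """
    try:
        addrinfo = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ProbeResult(host, port, "dns-fail", str(exc))
    last_error = "no addresses returned"
    for family, socktype, proto, _, sockaddr in addrinfo:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            return ProbeResult(host, port, "ok", f"connected to {sockaddr[0]}")
        except OSError as exc:  # ECONNREFUSED, timeout, EHOSTUNREACH, ...
            last_error = f"{sockaddr[0]}: {exc}"
    return ProbeResult(host, port, "tcp-fail", last_error)


def probe_all(endpoints: Sequence[Tuple[str, int]], values: Dict[str, str],
              timeout: float = 5.0) -> List[ProbeResult]:
    """Probe every endpoint after filling its placeholders."""
    return [probe(fill_placeholders(h, values), p, timeout) for h, p in endpoints]


def failures(results: Sequence[ProbeResult]) -> List[ProbeResult]:
    """Results that did not reach status "ok"."""
    return [r for r in results if r.status != "ok"]


if __name__ == "__main__":
    # "myaccount" / "myserver" are placeholder values for the example only.
    results = probe_all(REQUIRED_ENDPOINTS,
                        {"accountname": "myaccount", "servername": "myserver"})
    for r in results:
        print(f"{r.status:9}{r.host}:{r.port}  {r.detail}")
    # Non-zero exit lets an install script refuse to proceed on any failure.
    raise SystemExit(1 if failures(results) else 0)
```

Run it as a pre-flight step before the LDMA installer; a "dns-fail" row means the edge node's resolver or a DNS firewall is the problem, a "tcp-fail" row means the name resolved but the egress path on that port is blocked or filtered.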

On-premises firewall

Firewall configuration varies significantly from customer to customer, so the guidance below is general. Contact us if you are unable to work with your own security teams to make the tests in the previous section pass.

IP whitelisting

The table below maps each connection the Hadoop edge node must make to the Azure service tag that covers it. The global tag covers the service in every region; the region-specific tag (shown for West Central US as an example) narrows the allow list to the region you are migrating into.

| Endpoint name / port | Global service tag | Region-specific service tag (example) |
|---|---|---|
| EventHub / 5671 | EventHub | EventHub.WestCentralUS |
| Storage / 443 | Storage | Storage.WestCentralUS |
| AzureMonitor / 443 | AzureMonitor | AzureMonitor.WestCentralUS |
| ActiveDirectory / 443 | AzureActiveDirectoryDomainServices | N/A |
| ServiceBus / 5671 | ServiceBus | ServiceBus.WestCentralUS |
| SQL Server / 1433 | Sql | Sql.WestCentralUS |
| Content Delivery Network (CDN) / 443 | AzureFrontDoor.Frontend | N/A |

Some users with DNS-aware firewalls may find it sufficient to allow access by endpoint name (FQDN). In many cases, however, the on-premises firewall must be configured with the full IP ranges in use for these services.

Microsoft publishes the IP ranges as the "Azure IP Ranges and Service Tags - Public Cloud" JSON download, which lists the address prefixes behind each service tag.

Some users allow access to all of the Azure services listed above for the duration of their migration. To allow only explicit ranges instead, look up the service tag for the region you intend to use and add those prefixes to the firewall rules.

Microsoft periodically updates the IP ranges in use for its services, so monitor the published list and update the firewall rules when the ranges behind the tags you rely on change.
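An added example, not Microsoft's or WANdisco's code: the Python below reads a service-tag file in the layout of the published "Azure IP Ranges and Service Tags" JSON (a top-level "values" list whose entries carry a "name" and "properties.addressPrefixes"), extracts the prefixes behind a tag such as ServiceBus.WestCentralUS, renders egress rules from them, confirms that a regional tag sits inside its global tag, and reports which tag covers an address the edge node resolved. The embedded JSON and its prefixes are constructed for this example from documentation address ranges and are not Azure's real ranges.

```python
"""Service-tag lookup for the IP allow list (added example; not Microsoft's
or WANdisco's code). Reads the JSON layout Microsoft publishes as "Azure IP
Ranges and Service Tags", extracts the prefixes behind a tag, renders egress
rules, and checks which tag covers an address the edge node resolved."""
import ipaddress
import json
from typing import Dict, List, Optional, Sequence

# Constructed sample in the published file's layout. The prefixes are
# documentation ranges (RFC 5737 / RFC 3849), NOT Azure's real address space.
SAMPLE_SERVICE_TAGS: Dict = json.loads("""
{
  "changeNumber": 123,
  "cloud": "Public",
  "values": [
    {"name": "ServiceBus", "id": "ServiceBus",
     "properties": {"region": "", "addressPrefixes":
       ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:10::/48"]}},
    {"name": "ServiceBus.WestCentralUS", "id": "ServiceBus.WestCentralUS",
     "properties": {"region": "westcentralus", "addressPrefixes":
       ["198.51.100.0/25"]}},
    {"name": "Storage.WestCentralUS", "id": "Storage.WestCentralUS",
     "properties": {"region": "westcentralus", "addressPrefixes":
       ["192.0.2.0/26"]}}
  ]
}
""")


def load_service_tags(path: str) -> Dict:
    """Load a downloaded service-tags JSON file from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def prefixes_for_tag(service_tags: Dict, tag: str) -> list:
    """Address prefixes published under one service tag, as ip_network objects."""
    for entry in service_tags["values"]:
        if entry["name"] == tag:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag!r} is not in this file")


def tag_covering(service_tags: Dict, ip: str, tags: Sequence[str]) -> Optional[str]:
    """First tag in `tags` whose prefixes contain `ip`, or None if none does.

    List the regional tag before the global one so the narrowest match wins.
    """
    addr = ipaddress.ip_address(ip)
    for tag in tags:
        # `addr in net` is False (not an error) when address families differ.
        if any(addr in net for net in prefixes_for_tag(service_tags, tag)):
            return tag
    return None


def regional_within_global(service_tags: Dict, regional: str, global_tag: str) -> bool:
    """True when every regional prefix lies inside some prefix of the global tag."""
    global_nets = prefixes_for_tag(service_tags, global_tag)
    return all(
        any(net.version == g.version and net.subnet_of(g) for g in global_nets)
        for net in prefixes_for_tag(service_tags, regional)
    )


def firewall_rules(service_tags: Dict, tag: str, port: int,
                   source: str = "EDGE_NODE") -> List[str]:
    """One egress rule per prefix, in a vendor-neutral 'allow tcp' form."""
    return [f"allow tcp {source} -> {net} port {port}"
            for net in prefixes_for_tag(service_tags, tag)]


def ranges_changed(old_file: Dict, new_file: Dict) -> bool:
    """The file's top-level changeNumber moves when a new version is published."""
    return old_file["changeNumber"] != new_file["changeNumber"]


if __name__ == "__main__":
    tags = SAMPLE_SERVICE_TAGS
    for rule in firewall_rules(tags, "ServiceBus.WestCentralUS", 5671):
        print(rule)
    print("regional tag within global:",
          regional_within_global(tags, "ServiceBus.WestCentralUS", "ServiceBus"))
    # 198.51.100.7 stands in for an address the edge node resolved for a
    # *.servicebus.windows.net name; in practice take it from `nc -v` output.
    print("covered by:", tag_covering(tags, "198.51.100.7",
                                      ["ServiceBus.WestCentralUS", "ServiceBus"]))
```

Replace SAMPLE_SERVICE_TAGS with load_service_tags() on the real download, and re-run ranges_changed() against the previously downloaded copy on a schedule: when it reports a change, regenerate the rules for the tags you rely on and compare them with what is configured on the firewall.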

Azure network services

IPSec VPN

If you are using an IPsec VPN:

  • Check the Connection in Azure to make sure its status is Connected.
  • Check that the Address Space on the Local Network Gateway matches the expected on-premises subnet.
  • Check that the on-premises device shows the VPN as connected.
  • Check that the correct VNet is assigned to the Virtual Network Gateway.

ExpressRoute

If you are using ExpressRoute, check that your BGP configuration is correct. This will likely require a network administrator, as BGP is configured on the edge devices.

Next steps

What if I can't open outbound access to the services?

LDMA, our native Azure service, requires the on-premises agent to be able to connect to the services listed above. Without that outbound access, LDMA will not function correctly.

Who can I contact for help?

Contact us for help if you have issues with your connectivity.