Connecting your on-premises network to the Azure LDMA service
For LDMA to migrate data from your on-premise network to Azure, an agent is deployed on a Hadoop edge node. Outbound TCP connectivity needs to be possible from this edge node to a number of Azure Services to guarantee the successful installation of LDMA. Command and control is achieved from the Azure portal. As a result, there is no requirement for inbound connectivity to the Hadoop cluster.
Common Azure endpoints#
Ensure that your Hadoop edge node can connect to the necessary endpoints below. These endpoints are necessary to use LiveData Migrator for Azure in any region.
| Endpoint | Port | Description |
|---|---|---|
| [accountname].dfs.core.windows.net | 443 | Data transfer HTTPS |
| dc.applicationinsights.azure.com | 443 | Azure Metrics |
| dc.applicationinsights.microsoft.com | 443 | Azure Metrics |
| dc.services.visualstudio.com | 443 | Azure Metrics |
| *.in.applicationinsights.azure.com | 443 | Azure Metrics |
| [servername].database.windows.net | 1433 | Optional SQL server for Hive Metadata |
| pkg.wandisco.com wdfrpdeployments.blob.core.windows.net | 443 | Installer Download and packages |
Regional endpoints#
Ensure your Hadoop edge node can connect to the appropriate endpoints below for your chosen region. List of supported regions.
- Asia
- Australia
- Canada
- Europe
- Germany
- Korea
- UK
- USA
| Endpoint | Port | Description |
|---|---|---|
| wd-frp-prod-sb-southeastasia.servicebus.windows.net | 5671 | AMQP messaging |
| ldm-metrics-southeastasia.servicebus.windows.net | 5671 | AMQP messaging |
| Endpoint | Port | Description |
|---|---|---|
| wd-frp-prod-sb-australiaeast.servicebus.windows.net | 5671 | AMQP messaging |
| ldm-metrics-australiaeast.servicebus.windows.net | 5671 | AMQP messaging |
| Endpoint | Port | Description |
|---|---|---|
| wd-frp-prod-sb-canada.servicebus.windows.net | 5671 | AMQP messaging |
| ldm-metrics-canada.servicebus.windows.net | 5671 | AMQP messaging |
| canadacentral-0.in.applicationinsights.azure.com | 443 | Azure Metrics |
| Endpoint | Port | Description |
|---|---|---|
| wd-frp-prod-sb-northeurope.servicebus.windows.net | 5671 | AMQP messaging |
| ldm-metrics-northeurope.servicebus.windows.net | 5671 | AMQP messaging |
| northeurope-2.in.applicationinsights.azure.com | 443 | Azure Metrics |
| Endpoint | Port | Description |
|---|---|---|
| wd-frp-prod-sb-germanywestcentral.servicebus.windows.net | 5671 | AMQP messaging |
| ldm-metrics-germanywestcentral.servicebus.windows.net | 5671 | AMQP messaging |
| westus2-0.in.applicationinsights.azure.com | 443 | Azure Metrics |
| Endpoint | Port | Description |
|---|---|---|
| wd-frp-prod-sb-korea.servicebus.windows.net | 5671 | AMQP messaging |
| ldm-metrics-korea.servicebus.windows.net | 5671 | AMQP messaging |
| koreacentral-0.in.applicationinsights.azure.com | 443 | Azure Metrics |
Port 443 is required to:
- Download the installer
- Run the installer
- Deploy target storage
- Deploy a migration
- Migrate data
Port 5671 is required to:
- Start LDMA
- Deploy storage
- Deploy a migration
Test connectivity#
The Netcat command-line utility can be used to test connectivity to the required Azure endpoints.
Run the following commands on the Hadoop edge node (where the LDMA agent will be deployed). Replace "accountname" with your account name, and "servername" with your server name.
If the Hadoop edge node is unable to establish network communication to any of the endpoints, LDMA will not function correctly. You will need to resolve this before the installation of LDMA can be achieved successfully.
On-premises firewall#
Firewall configuration varies significantly from customer to customer, so the below is a general guide. Contact us if you are unable to work with your own security teams to ensure the tests in the previous section can pass.
IP whitelisting#
The table below contains a list of DNS end-points that require a connection from the Hadoop edge node.
| Endpoint Name / Port | Global Range | Region Specific Range (example) |
|---|---|---|
| EventHub / 5671 | EventHub | EventHub.WestCentralUS |
| Storage / 443 | Storage | Storage.WestCentralUS |
| AzureMonitor / 443 | AzureMonitor | AzureMonitor.WestCentralUS |
| ActiveDirectory / 443 | AzureActiveDirectoryDomainServices | N/A |
| ServiceBus / 5671 | ServiceBus | ServiceBus.WestCentralUS |
| SQL Server / 1433 | SQL | Sql.WestCentralUS |
| Content Delivery Network (CDN) / 443 | AzureFrontDoor.Frontend | N/A |
Some users with DNS firewalls may find it sufficient to allow access to the end-point name. However, in many cases the on-premise firewall needs to be configured to allow access to the full IP ranges in use for these services.
Microsoft publishes the IP ranges here.
Some users allow access to all trusted Azure services in this list as they conduct their migration to Azure, it is possible to allow explicit ranges by looking up the service and region by looking up the region of intended use.
Microsoft periodically updates the IP ranges in use for their services so this list should be monitored and if appropriate firewall rules may need to be updated further in the future.
Azure network services#
IPSec VPN#
If you are using an IPSec VPN:
- Check the Connection in Azure to make sure the status is connected.
- Check the Address Space on the Local Network Gateway matches the expected on-prem subnet.
- Check the Onprem device is showing the VPN as connected.
- Check the correct VNet is assigned to the Virtual Network Gateway.
Express route#
If you are using ExpressRoute then you will need to check your BGP configuration is correct. This will likely require a Network Administrator as BGP will be configured on Edge devices.
Next steps#
What if I can’t open outbound access to the services?#
Our native Azure service, LDMA, requires the on-premise agent to be able to connect to these services. As a result, LDMA will not function correctly.
Who can I contact for help?#
Contact us for help if you have issues with your connectivity.