Task 03: Verify Firewall Endpoints

DOCUMENT CATEGORY: Runbook
SCOPE: Firewall rule verification
PURPOSE: Verify required endpoints are accessible
MASTER REFERENCE: Microsoft Learn - Firewall Requirements

Status: Active
Estimated Time: 30 minutes
Last Updated: 2026-01-31


Overview

Verify that firewall rules permit outbound access to required Azure and Dell endpoints. Work with the customer's network team to ensure all required rules are in place before proceeding with cluster deployment.

Critical Requirements
  • No HTTPS inspection - Azure Local does not support SSL/TLS interception
  • Ports 80 and 443 must be open for outbound traffic
  • Azure Arc Gateway can reduce endpoint count when enabled

Prerequisites

Requirement | Description
Network Team | Coordination with firewall administrators
Endpoint Lists | Azure and Dell endpoint tables (below)
Testing Access | Management workstation on same VLAN as nodes
Dell PowerSwitch | Step 2 completed - switches configured

Variables from variables.yml

Variable Path | Type | Description
networking.onprem.vlans.management | Object | Management VLAN for test source network
networking.network_devices.fortigate_primary | Object | Firewall hostname and management IP
compute.nodes[].management_ip | String | Node IPs that require endpoint access

Azure Public Endpoints

The following Azure endpoints must be accessible from Azure Local cluster nodes:

Authentication & Core Services

Endpoint | Port | Component | Arc GW | Notes
login.microsoftonline.com | 443 | Authentication |  | Microsoft Entra ID
<region>.login.microsoft.com | 443 | Authentication |  | Regional auth
pas.windows.net | 443 | Authentication |  | Azure AD auth
management.azure.com | 443 | Azure Arc, Deployment |  | Azure Resource Manager
graph.microsoft.com | 443 | Deployment |  | Microsoft Graph API

Azure Arc Services

Endpoint | Port | Component | Arc GW | Notes
<yourarcgatewayendpointid>.gw.arc.azure.com | 443 | Azure Arc |  | Arc Gateway (unique per deployment)
his.arc.azure.com | 443 | Azure Arc |  | Arc Hybrid Identity Service
<region>.his.arc.azure.com | 443 | Azure Arc |  | Regional Arc HIS
guestconfiguration.azure.com | 443 | Azure Arc |  | Arc Guest Configuration
<region>.guestconfiguration.azure.com | 443 | Azure Arc |  | Regional Guest Config
guestnotificationservice.azure.com | 443 | Azure Arc |  | Arc Guest Notifications
dp.stackhci.azure.com | 443 | Azure Arc |  | Arc Data Plane

Azure Local Services

Endpoint | Port | Component | Arc GW | Notes
azurestackhci.azurefd.net | 443 | Deployment |  | Azure Local cloud services
<yourhcikeyvaultname>.vault.azure.net | 443 | Deployment |  | Azure Key Vault (unique)
<region>.obo.arc.azure.com | 443 | Deployment |  | Arc OBO services
servicebus.windows.net | 443 | Deployment |  | Azure Service Bus
edgesupprd.trafficmanager.net | 443 | Deployment |  | Edge support services

Monitoring & Diagnostics

Endpoint | Port | Component | Arc GW | Notes
dc.services.visualstudio.com | 443 | Monitoring |  | Application Insights
*.ingest.monitor.azure.com | 443 | Monitoring |  | Azure Monitor ingestion
*.handler.control.monitor.azure.com | 443 | Monitoring |  | Azure Monitor control
gcs.prod.monitoring.core.windows.net | 443 | Monitoring |  | Geneva monitoring
*.ods.opinsights.azure.com | 443 | Monitoring |  | Log Analytics ODS
*.oms.opinsights.azure.com | 443 | Monitoring |  | Log Analytics OMS

Storage & Updates (Cannot use Arc Gateway)

Endpoint | Port | Component | Arc GW | Notes
*.blob.core.windows.net | 443 | Storage |  | Azure Blob Storage
dl.delivery.mp.microsoft.com | 443, 80 | Updates | ❌ Never | Windows Update delivery
*.windowsupdate.com | 443, 80 | Updates | ❌ Never | Windows Update
*.update.microsoft.com | 443, 80 | Updates | ❌ Never | Microsoft Update
download.microsoft.com | 443 | Updates | ❌ Never | Microsoft downloads
mcr.microsoft.com | 443 | ARB, AKS | ❌ Never | Microsoft Container Registry
*.azurecr.io | 443 | ARB, AKS | ❌ Never | Azure Container Registry

AKS & Resource Bridge (Cannot use Arc Gateway)

Endpoint | Port | Component | Notes
k8connecthelm.azureedge.net | 443 | AKS Infrastructure | Kubernetes Helm charts
hybridaks.azurecr.io | 443 | AKS Infrastructure | Hybrid AKS images
msk8s.api.cdp.microsoft.com | 443 | AKS Infrastructure | AKS hybrid core API
kvamanagementoperator.azurecr.io | 443 | Resource Bridge | ARB container images
arcbridge.blob.core.windows.net | 443 | Resource Bridge | ARB blob storage
gcr.io | 443 | Resource Bridge | Google Container Registry

Certificate Revocation

Endpoint | Port | Notes
crl.microsoft.com | 80 | Certificate Revocation List
mscrl.microsoft.com | 80 | Microsoft CRL
crl3.digicert.com | 80 | DigiCert CRL
crl4.digicert.com | 80 | DigiCert CRL
ocsp.digicert.com | 80 | DigiCert OCSP
oneocsp.microsoft.com | 80 | Microsoft OCSP

Time Synchronization

Endpoint | Port | Protocol | Notes
time.windows.com | 123 | UDP | Windows NTP

Dell OEM Endpoints

Dell Firmware and SBE

Endpoint | Port | Protocol | Purpose
downloads.dell.com | 443 | HTTPS | Dell firmware and driver downloads
dl.dell.com | 443 | HTTPS | Driver downloads
*.dell.com | 443 | HTTPS | Dell general services
auabormmzpd.blob.core.windows.net | 443 | HTTPS | Dell SBE package storage
auabormmzp.blob.core.windows.net | 443 | HTTPS | Dell SBE package storage

Dell SupportAssist

Endpoint | Port | Protocol | Purpose
apidp.dell.com | 443 | HTTPS | SupportAssist API gateway
supportassist.dell.com | 443 | HTTPS | SupportAssist portal

Critical Notes

HTTPS Inspection Not Supported

Azure Local does NOT support HTTPS inspection (TLS/SSL interception). If your firewall performs HTTPS inspection, you must configure bypass rules for all Azure and OEM endpoints. HTTPS inspection will cause deployment and operation failures.

Azure Arc Private Link Scopes Not Supported

Azure Arc Private Link Scopes are NOT supported for Azure Local deployments. Do not attempt to configure Private Link for Arc connectivity.

Unique Per-Deployment Endpoints

The following endpoints are unique to each deployment:

  • <yourarcgatewayendpointid>.gw.arc.azure.com - Your Arc Gateway endpoint ID
  • <yourhcikeyvaultname>.vault.azure.net - Your Azure Key Vault name
  • <region> placeholders - Replace with your Azure region (e.g., eastus, westeurope)

Endpoint Connectivity Test Script

Run from a management workstation on the same VLAN as the cluster nodes, so the traffic leaves through the same firewall rules the nodes will use:

# Azure Local Endpoint Connectivity Test
# Run from a management workstation on the same VLAN as the cluster nodes.

$AzureEndpoints = @(
    @{ Name = "Azure Resource Manager"; Url = "https://management.azure.com" },
    @{ Name = "Azure AD"; Url = "https://login.microsoftonline.com" },
    @{ Name = "Microsoft Graph"; Url = "https://graph.microsoft.com" },
    @{ Name = "Azure Local Services"; Url = "https://azurestackhci.azurefd.net" },
    @{ Name = "Microsoft Downloads"; Url = "https://download.microsoft.com" },
    @{ Name = "Windows Update"; Url = "https://windowsupdate.microsoft.com" },
    @{ Name = "Azure Monitor"; Url = "https://global.handler.control.monitor.azure.com" }
)

$DellEndpoints = @(
    @{ Name = "Dell Downloads"; Url = "https://downloads.dell.com" },
    @{ Name = "Dell API"; Url = "https://api.dell.com" },
    @{ Name = "Dell SupportAssist"; Url = "https://supportassist.dell.com" },
    @{ Name = "Dell SBE Storage"; Url = "https://auabormmzpd.blob.core.windows.net" }
)

# An HTTP error reply (401, 403, 404 ...) still proves that DNS, the firewall rule and the
# TLS handshake all work; only transport failures (timeout, reset, TLS error) mean the path
# is blocked. Treat any HTTP status as PASS so unauthenticated HEAD requests do not produce
# false failures.
function Test-HttpsEndpoint {
    param([string]$Name, [string]$Url)
    try {
        $null = Invoke-WebRequest -Uri $Url -Method Head -TimeoutSec 10 -UseBasicParsing -ErrorAction Stop
        Write-Host "[PASS] $($Name): $Url" -ForegroundColor Green
    }
    catch {
        if ($_.Exception.Response) {
            $code = [int]$_.Exception.Response.StatusCode
            Write-Host "[PASS] $($Name): $Url (HTTP $code, reachable)" -ForegroundColor Green
        }
        else {
            Write-Host "[FAIL] $($Name): $Url - $($_.Exception.Message)" -ForegroundColor Red
        }
    }
}

Write-Host "`n=== Azure Endpoint Validation ===" -ForegroundColor Cyan
foreach ($endpoint in $AzureEndpoints) { Test-HttpsEndpoint -Name $endpoint.Name -Url $endpoint.Url }

Write-Host "`n=== Dell Endpoint Validation ===" -ForegroundColor Cyan
foreach ($endpoint in $DellEndpoints) { Test-HttpsEndpoint -Name $endpoint.Name -Url $endpoint.Url }

Write-Host "`n=== DNS Resolution Test ===" -ForegroundColor Cyan
$DnsTests = @("management.azure.com", "login.microsoftonline.com", "downloads.dell.com", "time.windows.com")
foreach ($fqdn in $DnsTests) {
    try {
        $null = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
        Write-Host "[PASS] DNS resolution for $fqdn" -ForegroundColor Green
    }
    catch {
        Write-Host "[FAIL] DNS resolution for $fqdn - $($_.Exception.Message)" -ForegroundColor Red
    }
}

# w32tm does not throw on failure, so a try/catch never reports FAIL. Check the exit code
# and look for an error line in its output instead.
Write-Host "`n=== NTP Connectivity Test ===" -ForegroundColor Cyan
$ntpTest = w32tm /stripchart /computer:time.windows.com /samples:1 /dataonly 2>&1
if ($LASTEXITCODE -eq 0 -and -not ($ntpTest -match 'error')) {
    Write-Host "[PASS] NTP connectivity to time.windows.com (UDP 123)" -ForegroundColor Green
}
else {
    Write-Host "[FAIL] NTP connectivity to time.windows.com - $($ntpTest -join ' ')" -ForegroundColor Red
}

Write-Host "`n=== Validation Complete ===" -ForegroundColor Cyan
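The script above proves only that a TLS session can be opened; it cannot tell whether the firewall terminated and re-signed that session, which is exactly the HTTPS inspection the Critical Notes forbid. The following added check (example code, not part of the runbook script) opens a TLS connection to each endpoint, captures the certificate the workstation actually receives and reports the issuer and root CA. The `InterceptorPatterns` values are assumed, derived from the runbook's `fortigate_primary` variable; replace them with the name of the customer firewall's inspection CA.

```powershell
# Added example: detect HTTPS inspection from the certificate chain a node receives.
# A firewall that intercepts TLS presents a certificate re-signed by its own CA, so the
# leaf issuer and the chain root differ from the public CA used by Microsoft or Dell.
function Get-TlsInspectionStatus {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        # Assumed values: substrings that identify the customer firewall's inspection CA
        [string[]]$InterceptorPatterns = @('FortiGate', 'Fortinet')
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented so it can be inspected; trust is evaluated below.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($leaf)   # true only if the root is in this machine's trust store
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $intercepted = $false
        foreach ($p in $InterceptorPatterns) {
            if ($leaf.Issuer -like "*$p*" -or $root.Subject -like "*$p*") { $intercepted = $true }
        }
        [pscustomobject]@{
            Host         = $HostName
            Issuer       = $leaf.Issuer
            RootCA       = $root.Subject
            ChainTrusted = $trusted
            Intercepted  = $intercepted
        }
        $ssl.Dispose()
    }
    finally { $client.Dispose() }
}

# Representative sample from the endpoint tables; extend it to every endpoint that must bypass inspection.
$Targets = 'management.azure.com', 'login.microsoftonline.com', 'azurestackhci.azurefd.net', 'downloads.dell.com'
foreach ($t in $Targets) {
    $r = Get-TlsInspectionStatus -HostName $t
    if ($r.Intercepted -or -not $r.ChainTrusted) {
        Write-Host "[FAIL] $($r.Host): issuer '$($r.Issuer)', root '$($r.RootCA)' - HTTPS inspection or untrusted chain" -ForegroundColor Red
    }
    else {
        Write-Host "[PASS] $($r.Host): issuer '$($r.Issuer)'" -ForegroundColor Green
    }
}
```

Run it from a workstation that does not have the firewall's CA installed, so `ChainTrusted` reflects what a freshly deployed node would see; on a workstation that trusts the firewall CA only the issuer pattern will flag the interception.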

Validation Checklist

Azure Endpoints

  • Azure Resource Manager accessible (management.azure.com)
  • Azure AD accessible (login.microsoftonline.com)
  • Microsoft Graph accessible (graph.microsoft.com)
  • Azure Local services accessible (azurestackhci.azurefd.net)
  • Microsoft downloads accessible (download.microsoft.com)
  • Windows Update accessible (windowsupdate.microsoft.com)
  • Azure Monitor endpoints accessible

Dell Endpoints

  • Dell downloads accessible (downloads.dell.com)
  • Dell SupportAssist accessible (supportassist.dell.com)
  • Dell SBE storage accessible (auabormmzpd.blob.core.windows.net)

Infrastructure

  • DNS resolution working for all endpoints
  • NTP connectivity verified (time.windows.com)
  • No HTTPS inspection configured for these endpoints
  • Customer network team confirms rules implemented

Troubleshooting

Issue | Possible Cause | Resolution
Endpoint test times out | Firewall rule not applied or wrong source subnet | Confirm rule source matches management VLAN CIDR, verify rule is enabled and committed
HTTPS inspection blocking traffic | SSL/TLS deep inspection active for Azure endpoints | Add Azure and Dell endpoints to HTTPS inspection bypass list
DNS resolution fails for endpoints | DNS forwarder not configured or upstream DNS blocked | Verify DNS server can resolve public names, check firewall allows DNS (UDP/TCP 53) outbound
Partial endpoint failures | Geo-specific endpoint variants or CDN issues | Test from multiple nodes, verify all FQDN wildcards are included in allow rules

Next Steps

Proceed to Task 04: Network Validation to run the comprehensive network validation and the Microsoft Environment Checker.


Version Control

Version | Date | Author | Changes
1.0 | 2026-01-31 | Azure Local Cloud CI/CD Engineering | Initial document
1.1 | 2026-03-03 | Azure Local Cloud CI/CD Engineering | Standardized runbook format

End of Task