includes/batch-virtual-network-ports.md (13 additions & 13 deletions)
@@ -3,7 +3,7 @@ title: include file
3
3
description: include file
4
4
services: batch
5
5
documentationcenter:
6
-
author: dlepow
6
+
author: laurenhughes
7
7
manager: jeconnoc
8
8
editor: ''
9
9
@@ -13,8 +13,8 @@ ms.devlang: na
13
13
ms.topic: include
14
14
ms.tgt_pltfrm: na
15
15
ms.workload:
16
-
ms.date: 10/05/2018
17
-
ms.author: danlep
16
+
ms.date: 04/10/2019
17
+
ms.author: lahugh
18
18
ms.custom: include file
19
19
---
20
20
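Review bot: the `ms.author: danlep` to `ms.author: lahugh` change here is consistent with the `author: dlepow` to `author: laurenhughes` change in the first hunk, and the `ms.date` bump to 04/10/2019 is warranted because the hunks below change guidance (a new port 22 subnet requirement), not only ownership; nothing to fix in this hunk.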
@@ -49,27 +49,27 @@ Additional VNet requirements differ, depending on whether the Batch pool is in t
49
49
The subnet must allow inbound communication from the Batch service to be able to schedule tasks on the compute nodes, and outbound communication to communicate with Azure Storage or other resources. For pools in the Virtual Machine configuration, Batch adds NSGs at the level of network interfaces (NICs) attached to VMs. These NSGs automatically configure inbound and outbound rules to allow the following traffic:
50
50
51
51
* Inbound TCP traffic on ports 29876 and 29877 from Batch service role IP addresses.
52
-
* Inbound TCP traffic on port 22 (Linux nodes) or port 3389 (Windows nodes) to permit remote access.
52
+
* Inbound TCP traffic on port 22 (Linux nodes) or port 3389 (Windows nodes) to permit remote access. For certain types of multi-instance tasks on Linux (such as MPI), you will need to also allow SSH port 22 traffic for IPs in the subnet containing the Batch compute nodes.
53
53
* Outbound traffic on any port to the virtual network.
54
54
* Outbound traffic on any port to the internet.
55
55
56
56
> [!IMPORTANT]
57
57
> Exercise caution if you modify or add inbound or outbound rules in Batch-configured NSGs. If communication to the compute nodes in the specified subnet is denied by an NSG, then the Batch service sets the state of the compute nodes to **unusable**.
58
58
59
-
You do not need to specify NSGs at the subnet level because Batch configures its own NSGs. However, if the specified subnet has associated Network Security Groups (NSGs) and/or a firewall, configure the inbound and outbound security rules as shown in the following tables. Configure inbound traffic on port 3389 (Windows) or 22 (Linux) only if you need to permit remote access to the pool VMs. It is not required for the pool VMs to be usable.
59
+
You do not need to specify NSGs at the subnet level because Batch configures its own NSGs. However, if the specified subnet has associated Network Security Groups (NSGs) and/or a firewall, configure the inbound and outbound security rules as shown in the following tables. Configure inbound traffic on port 3389 (Windows) or 22 (Linux) only if you need to permit remote access to the pool VMs from outside sources. It is not required for the pool VMs to be usable. Note that you will need to enable virtual network subnet traffic on port 22 for Linux if using certain kinds of multi-instance tasks such as MPI.
Any <br /><br />Although this requires effectively "allow all", the Batch service applies an NSG at the network interface level on each VM created under Virtual Machine configuration that filters out all non-Batch service IP addresses. | * | Any | 29876-29877 | TCP | Allow |
66
-
| User machines, used for debugging purposes to remotely access the pool VMs. | * | Any | 3389 (Windows), 22 (Linux) | TCP | Allow |
63
+
| Source IP addresses | Source service tag | Source ports | Destination | Destination ports | Protocol | Action |
| User source IPs for remotely accessing compute nodes and/or compute node subnet for Linux multi-instance tasks, if required. |N/A |* | Any | 3389 (Windows), 22 (Linux) | TCP | Allow |
67
67
68
68
**Outbound security rules**
69
69
70
70
| Source | Source ports | Destination | Destination service tag | Protocol | Action |
71
71
| --- | --- | --- | --- | --- | --- |
72
-
| Any | 443 |[Service tag](../articles/virtual-network/security-overview.md#service-tags)| Storage (in the same region as your Batch account and VNet) | Any | Allow |
72
+
| Any | 443 |[Service tag](../articles/virtual-network/security-overview.md#service-tags)|`Storage` (in the same region as your Batch account and VNet) | Any | Allow |
73
73
74
74
### Pools in the Cloud Services configuration
75
75
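Review bot: the new inbound row `| User source IPs for remotely accessing compute nodes and/or compute node subnet for Linux multi-instance tasks, if required. |N/A |* | Any | 3389 (Windows), 22 (Linux) | TCP | Allow |` folds two unrelated sources into one rule, which nudges readers toward a single allow on 22/3389 that covers both their own addresses and the whole subnet. Split it into two rows: one for the operator's source IPs on 3389/22 (still optional), and one for port 22 only, source restricted to the address prefix of the subnet holding the compute nodes, needed only when running multi-instance tasks such as MPI. The same applies to the sentence appended to the bullet `* Inbound TCP traffic on port 22 (Linux nodes) or port 3389 (Windows nodes) to permit remote access. For certain types of multi-instance tasks on Linux (such as MPI), you will need to also allow ...`: that list enumerates rules Batch configures automatically, but the added sentence describes something the user must add, so keep it in the paragraph below ("Note that you will need to enable virtual network subnet traffic on port 22 ...") and drop it from the bullet. The new header `| Source IP addresses | Source service tag | Source ports | Destination | Destination ports | Protocol | Action |` has seven columns, but the Batch-service row above it (`... | * | Any | 29876-29877 | TCP | Allow |`) still has six cells, so check the rest of the table and give that row an explicit service-tag cell (N/A, as in the user row, if none applies). While the outbound row is being touched for the `Storage` backticks, also move 443 out of its Source ports column: the node opens HTTPS to Storage from an ephemeral port, so source ports should be `*` and 443 belongs in a destination-ports column that the outbound table currently lacks.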
@@ -89,17 +89,17 @@ The subnet must allow inbound communication from the Batch service to be able to
89
89
90
90
You do not need to specify an NSG, because Batch configures inbound communication only from Batch IP addresses to the pool nodes. However, If the specified subnet has associated NSGs and/or a firewall, configure the inbound and outbound security rules as shown in the following tables. If communication to the compute nodes in the specified subnet is denied by an NSG, then the Batch service sets the state of the compute nodes to **unusable**.
91
91
92
-
Configure inbound traffic on port 3389 (Windows) or 22 (Linux) only if you need to permit remote access to the pool nodes. It is not required for the pool nodes to be usable.
92
+
Configure inbound traffic on port 3389 for Windowsif you need to permit RDP access to the pool nodes. It is not required for the pool nodes to be usable.
Any <br /><br />Although this requires effectively "allow all", the Batch service applies an ACL rule at the level of each node that filters out all non-Batch service IP addresses. | * | Any | 10100, 20100, 30100 | TCP | Allow |
99
-
|User machines, used for debugging purposesto remotely access the pool VMs. | * | Any |3389 (Windows), 22 (Linux)| TCP | Allow |
99
+
|Optional, to allow RDP access to compute nodes. | * | Any | 3389 | TCP | Allow |
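Review bot: `Configure inbound traffic on port 3389 for Windowsif you need to permit RDP access to the pool nodes.` is missing a space (`Windows if`). Since this hunk also drops `or 22 (Linux)` from both that sentence and the table row (`|Optional, to allow RDP access to compute nodes. | * | Any | 3389 | TCP | Allow |`), state in the sentence that SSH/port 22 does not apply to pools in the Cloud Services configuration; otherwise a reader comparing this section with the Virtual Machine configuration section, which still lists 22 (Linux), will read the omission as an oversight. The unchanged context line `However, If the specified subnet has associated NSGs` also has a stray capital on `If`.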