Outbound ports to HDInsight management
Hello,
What are the required ports for outbound connection of HDInsight to management IPs and any other needed Azure services when configured with a resource provider connection set to ‘Outbound’?
https://learn.microsoft.com/en-us/azure/hdinsight/hdinsight-restrict-outbound-traffic
I tested with outbound 443,1433,53,80,32526 unsuccessfully.
Thank you in advance,
Alex
-
PRADEEPCHEEKATLA • 91,861 Reputation points
2021-03-24T06:38:21.243+00:00 Hello @Alex Boata,
When you say "I tested with outbound 443,1433,53,80,32526 unsuccessfully.", could you please share the details below:
How exactly did you configure outbound network traffic for the Azure HDInsight cluster?
Could you please share a screenshot of the rules configured?
Also, please share how exactly you tested the configured outbound rules.
-
Alex Boata • 21 Reputation points
2021-03-24T06:41:45.32+00:00 I used an outbound NSG rule from any IP any port, to service tag ‘Internet’ ports 443,1433,53,80,32526, and without a firewall.
If I change the port to * in the same rule, the deployment succeeds.
-
Alex Boata • 21 Reputation points
2021-03-24T13:03:47.437+00:00 The error is "FailedToConnectWithClusterThroughGatewayErrorCode","message":"Unable to connect to cluster management endpoint. Please retry later."
-
PRADEEPCHEEKATLA • 91,861 Reputation points
2021-03-25T06:18:13.22+00:00 Hello @Alex Boata,
Thanks for the details.
Note: Configure outbound network traffic for Azure HDInsight clusters using Azure Firewall.
If you are using custom VNet network security groups (NSGs) and user-defined routes (UDRs), ensure that your cluster can communicate with HDInsight management services. For additional information, see HDInsight management IP addresses.
-
Alex Boata • 21 Reputation points
2021-03-25T06:37:52.757+00:00 What ports should I enter in the custom NSG outbound rule?
I see only 443 in this doc; however, with a rule allowing outbound 443,1433,53,80,32526 to any IP on the internet, the creation did not succeed for me.
-
PRADEEPCHEEKATLA • 91,861 Reputation points
2021-03-25T11:01:27.103+00:00 Hello @Alex Boata,
As you said earlier, you are without a firewall; I am just asking you to configure outbound network traffic for Azure HDInsight clusters using Azure Firewall and check if that works.
-
Alex Boata • 21 Reputation points
2021-03-26T09:20:08.583+00:00 Hi Pradeep,
I would like to try both architectures, with and without firewall, so that is why I need a list of ports for NSG to try without firewall.
Thanks,
Alex
-
Alex Boata • 21 Reputation points
2021-04-06T08:04:12.73+00:00 Hi @PRADEEPCHEEKATLA , it’s not resolved, I did not receive a list of NSG ports.
-
PRADEEPCHEEKATLA • 91,861 Reputation points
2021-04-07T04:06:06.827+00:00 Hello @Alex Boata,
This is not sufficient information to diagnose what might have gone wrong. We need further details like … what is the networking setup (NSG, Azure Firewall vs. NVAs, use of UDRs etc.), kinds of resources being connected to from the cluster (e.g. SQL, SEP protected Storage accounts etc.) and perhaps the most important, what is the operation that is failing and what is the error message?
-
PRADEEPCHEEKATLA • 91,861 Reputation points
2021-04-09T09:24:47.527+00:00 Hello @Alex Boata,
Just checking in if you have had a chance to see the previous response. We need the following information to understand/investigate this issue further.
-
S, Deepak • 0 Reputation points
2026-03-02T08:28:53.2566667+00:00 I am also getting the same error below while creating the HDInsight cluster. As you mentioned already, we already have the Health Management IP Address in our HDInsight subnet, allowing port 443 via service tags.
But our deployments are still failing with the same error.
Can you please help here?
{"status":"Failed","error":{"code":"FailedToConnectWithClusterThroughGatewayErrorCode","message":"Unable to connect to cluster management endpoint. Please retry later. There is a possibility that this issue occurred due to HDInsight's transition to Standard Load Balancer. Please refer to https://learn.microsoft.com/en-us/azure/hdinsight/load-balancer-migration-guidelines to recreate the cluster with standard load balancers if not done yet, or contact support for assistance if it remains unresolved."}}
-
Akshita Mittal • 0 Reputation points
2026-03-02T10:50:05.7+00:00 For HDInsight clusters configured with restricted outbound traffic, you must allow outbound access over TCP 443 (HTTPS) to Azure management endpoints and required service dependencies. HDInsight primarily uses HTTPS for communication with Azure Resource Manager, storage accounts, and other dependent services.
In addition to port 443, ensure outbound access is allowed to:
Azure Resource Manager endpoints
Azure Storage (Blob/Data Lake) endpoints
Azure Active Directory endpoints
HDInsight management IP addresses for your region
Port 80 may be required for certificate revocation checks, but most core communication occurs over 443.
If outbound connectivity on 443 is already allowed and still failing, verify:
The correct regional HDInsight management IP ranges are permitted
Service tags such as AzureResourceManager, Storage, and AzureActiveDirectory are allowed in NSG or firewall rules
No UDR is forcing traffic to a blocked path
In most restricted outbound configurations, allowing HTTPS (TCP 443) to the required Azure service tags resolves the issue.
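Added example, not part of any post in this thread and not Microsoft's code: a small audit of exported NSG rules (the JSON shape returned by `az network nsg rule list`) against the TCP 443 service-tag destinations named in the answer above, showing which rule decides each flow once priority order is applied. It assumes name-only tag matching (tags are not resolved to IP ranges), ignores source fields and UDRs, and leaves out the regional HDInsight management IPs because the thread does not list them; the sample rules are constructed.

```python
# Added example: which NSG rule decides each required outbound flow?
# Required (service tag, TCP port) pairs taken from the answer above.
REQUIRED = [("AzureResourceManager", 443), ("Storage", 443),
            ("AzureActiveDirectory", 443)]

def as_list(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule property."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values

def port_matches(spec, port):
    """spec is '*', a single port ('443') or a range ('80-443')."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def rule_matches(rule, tag, port):
    if rule["direction"] != "Outbound":
        return False
    if rule["protocol"].lower() not in ("*", "tcp"):
        return False
    dests = as_list(rule, "destinationAddressPrefix", "destinationAddressPrefixes")
    ports = as_list(rule, "destinationPortRange", "destinationPortRanges")
    # Assumption: name-only match; a tag is never expanded to its IP ranges.
    tag_ok = any(d == "*" or d.lower() == tag.lower() for d in dests)
    return tag_ok and any(port_matches(p, port) for p in ports)

def audit(rules, required=REQUIRED):
    """Return {(tag, port): (access, rule_name)}; lowest priority number wins."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    result = {}
    for tag, port in required:
        hit = next((r for r in ordered if rule_matches(r, tag, port)), None)
        # "NoMatch" means no custom rule applies; the NSG default rules decide.
        result[(tag, port)] = (hit["access"], hit["name"]) if hit else ("NoMatch", None)
    return result

# Constructed sample rules (not taken from the thread).
SAMPLE_RULES = [
    {"name": "allow-storage", "priority": 300, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "destinationAddressPrefix": "Storage", "destinationPortRange": "443"},
    {"name": "deny-storage", "priority": 150, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "destinationAddressPrefix": "Storage", "destinationPortRange": "*"},
    {"name": "allow-arm", "priority": 200, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "destinationAddressPrefix": "AzureResourceManager",
     "destinationPortRanges": ["80", "443"]},
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_RULES).items():
        print(flow, verdict)
```

In the sample, the Storage allow rule at priority 300 never takes effect because the deny rule at priority 150 is evaluated first, and AzureActiveDirectory has no custom rule at all.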