Azure HDInsight—Simplify NSG rules management using service tags
Updated: November 22, 2019
Azure HDInsight now supports the use of service tags to simplify inbound network security group (NSG) rule management. Azure service tags group multiple IP addresses under a single user-friendly tag. Administrators only need to create rules that refer to the tags, while Microsoft takes responsibility for keeping the IP addresses up to date. Administrators maintaining Azure HDInsight clusters can now benefit from this manageability improvement.
Previously, administrators provisioning HDInsight clusters needed to explicitly add up to six HDInsight service management IP addresses to the inbound NSG rules guarding access to their clusters. This was a manual, error-prone process because the IP addresses differed in each region. Furthermore, any change to the IP addresses would impact both the provisioning of new clusters and the operation of existing ones. It was up to the administrator to monitor changes to the IP addresses and manually update their NSG rules.
With the newly introduced Azure HDInsight service tag, administrators now only need to add a single HDInsight global service tag in their NSG rules. This will enable HDInsight management services from all the regions to monitor and manage the HDInsight clusters. If the source IP addresses of the HDInsight management services change, the service tags will automatically refresh and connectivity to the HDInsight clusters will continue unaffected. Administrators don’t need to worry about monitoring for changes and updating NSG rules.
Customers with even more restrictive network security policies can choose to use regional HDInsight service tags instead of the single global service tag. It’s almost as simple to set up and there’s still no need to actively monitor for changes to IP addresses.
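An added example (not part of the original announcement and not Microsoft's code): a short Python audit that sorts an NSG's inbound Allow rules into the three styles described above, namely hard-coded IP addresses, the global HDInsight service tag, and a regional HDInsight service tag. The rule list is constructed sample data shaped like `az network nsg rule list -o json` output; the rule names, the documentation-range IP addresses, port 443 and the `HDInsight.WestUS2` regional tag are assumptions for illustration.

```python
import ipaddress

# Constructed sample, shaped like `az network nsg rule list -o json` output.
SAMPLE_RULES = [
    {"name": "hdi-mgmt-legacy", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": None, "destinationPortRange": "443",
     "sourceAddressPrefixes": ["203.0.113.10", "203.0.113.11", "198.51.100.0/28"]},
    {"name": "hdi-mgmt-global", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "HDInsight", "sourceAddressPrefixes": [],
     "destinationPortRange": "443"},
    {"name": "hdi-mgmt-regional", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "HDInsight.WestUS2", "sourceAddressPrefixes": [],
     "destinationPortRange": "443"},
    {"name": "deny-all-in", "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "*"},
]

def is_literal_ip(prefix):
    """True for an IP address or CIDR block, False for tags and wildcards."""
    try:
        ipaddress.ip_network(prefix, strict=False)
        return True
    except ValueError:
        return False

def sources(rule):
    """Merge the singular and plural source fields of one rule."""
    merged = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        merged.append(rule["sourceAddressPrefix"])
    return merged

def classify(rule):
    srcs = [s.lower() for s in sources(rule)]
    if "hdinsight" in srcs:
        return "global-tag"        # one tag covering all regions
    if any(s.startswith("hdinsight.") for s in srcs):
        return "regional-tag"      # tighter scope, still maintained by Microsoft
    if srcs and all(is_literal_ip(s) for s in srcs):
        return "hard-coded-ips"    # needs manual upkeep when addresses change
    return "other"

def audit(rules):
    """Classify every inbound Allow rule by how its source is expressed."""
    return {r["name"]: classify(r) for r in rules
            if r.get("direction") == "Inbound" and r.get("access") == "Allow"}

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_RULES).items():
        print(f"{name}: {kind}")
```

Rules reported as `hard-coded-ips` are the ones to review as candidates for replacement with a service tag.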
For more details, please read Network security group (NSG) service tags for Azure HDInsight.