Azure Virtual Appliance Routing with Ansible Automation Platform on Azure
The managed application requires access to systems outside the customer's subscription in order to operate. Your egress controls must account for the outbound traffic the offering needs so that it can be managed by Red Hat and Microsoft.
Many of the domains listed below are served from a CDN or redirect to additional subdomains; those hosts must be allowed as destinations as well. To catch them, monitor the traffic the managed application originates (for example, your firewall's deny logs) and extend the firewall rules accordingly.
Your organization may use Azure Firewall or third-party firewall appliances to control egress from your subscription. The entire network range associated with the managed application must be able to reach the following hosts:
IMPORTANT: Unless otherwise specified, allow outbound TCP traffic from the entire CIDR block of the Ansible Automation Platform on Azure deployment to ports 80 AND 443 of each host below.
- redhat.com
- registry.redhat.io
- quay.io
- letsencrypt.org
- gcr.io
- googleapis.com
- microsoftonline.com
- mcr.microsoft.com
- dynatrace.com
- segment.io
- github.com
- azure.com
- azureedge.net
- login.microsoftonline.com
- consul.segment.io
The following Azure Storage hosts must also be allowed so that certain operational tasks can complete:
- *.blob.core.windows.net - Port 443 ONLY
At the following link, Microsoft maintains the list of FQDNs an AKS cluster may use to communicate and integrate with other Azure services. Allowing every endpoint listed there is usually unnecessary, but consult it if you observe traffic from the cluster being routed to those endpoints:
- https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress
Required network and FQDN/application rules for AKS cluster:
- https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress#required-outbound-network-rules-and-fqdns-for-aks-clusters
In addition, Microsoft publishes the complete list of IP ranges used by Azure services (the Azure IP Ranges and Service Tags download) at the following link:
- https://www.microsoft.com/en-us/download/details.aspx?id=56519
This is useful when working out which connections are going into and out of your AKS cluster.
Importing certain collections or roles and resolving their dependencies may require unblocking additional domains beyond the list above. Adjust your firewall rules according to how you use the product.
You must also allow traffic through your firewall to every external domain or IP address that Ansible Automation Platform runs automation jobs against. Otherwise, the firewall blocks connectivity between Ansible Automation Platform and its automation targets.
What if I can use wildcards in my firewall?
If your organization's security policy allows wildcard entries in your firewall, add a wildcard in front of the domain: for example, use *.segment.io instead of segment.io. Be aware that in many firewall products a *.segment.io entry matches only subdomains and not the bare name segment.io itself, so check how your product interprets wildcards and keep the bare entry alongside the wildcard where needed. A wildcard also allows every host under that domain, which widens the allowlist beyond the hosts listed above. You will still need to monitor for domains being blocked.
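The monitoring this page asks for (watch for destinations the firewall blocks, then extend the rules) and the rule semantics it depends on (the CIDR-wide 80/443 allowance, the 443-only blob storage entry, and the difference between a wildcard and a bare domain entry) can be checked in one place. The script below is an added example, not Red Hat or Microsoft code: it encodes the allowlist from this page, then triages Azure Firewall application-rule log messages into destinations that are unlisted, listed but blocked on a restricted port, or permitted by the intended allowlist yet denied by the deployed rules. The deployment CIDR (10.42.0.0/16), the log message layout, and the sample log lines are assumptions constructed for the example.

```python
"""Triage Azure Firewall application-rule log lines against the egress
allowlist for an Ansible Automation Platform on Azure deployment.

Added example, not Red Hat or Microsoft code. Assumptions not taken from the
page: the deployment CIDR (10.42.0.0/16), the log message layout
("HTTPS request from <ip>:<port> to <fqdn>:<port>. Action: Allow|Deny ..."),
and the sample log lines, which are constructed for this example.
"""
import ipaddress
import re

# Destinations named on the page. A bare entry covers the apex name and all
# subdomains on ports 80 and 443; the blob entry is wildcard-only and 443-only.
ALLOWLIST = {
    "redhat.com": {80, 443},
    "registry.redhat.io": {80, 443},
    "quay.io": {80, 443},
    "letsencrypt.org": {80, 443},
    "gcr.io": {80, 443},
    "googleapis.com": {80, 443},
    "microsoftonline.com": {80, 443},
    "mcr.microsoft.com": {80, 443},
    "dynatrace.com": {80, 443},
    "segment.io": {80, 443},
    "github.com": {80, 443},
    "azure.com": {80, 443},
    "azureedge.net": {80, 443},
    "login.microsoftonline.com": {80, 443},
    "consul.segment.io": {80, 443},
    "*.blob.core.windows.net": {443},
}

# Assumed address range of the managed application's nodes.
AAP_CIDR = ipaddress.ip_network("10.42.0.0/16")

LOG_RE = re.compile(
    r"^(?P<proto>HTTPS?) request from (?P<src>[0-9.]+):\d+ to "
    r"(?P<fqdn>[^:\s]+):(?P<port>\d+)\. Action: (?P<action>Allow|Deny)"
)


def matches(entry, fqdn):
    """True if the FQDN falls under an allowlist entry.

    "*.x.y" matches subdomains of x.y but not x.y itself (the usual firewall
    wildcard semantics); a bare "x.y" matches x.y and its subdomains. The
    label boundary is enforced so that "evil-redhat.com" is not "redhat.com".
    """
    fqdn = fqdn.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("*."):
        return fqdn.endswith(entry[1:])
    return fqdn == entry or fqdn.endswith("." + entry)


def is_allowed(fqdn, port, allowlist=ALLOWLIST):
    """Does the intended allowlist permit this destination on this port?"""
    return any(port in ports for entry, ports in allowlist.items() if matches(entry, fqdn))


def parse(line):
    """Parse one application-rule log message; None if the line is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "fqdn": m["fqdn"], "port": int(m["port"]), "action": m["action"]}


def triage(lines, allowlist=ALLOWLIST, cidr=AAP_CIDR):
    """Sort denied connections from the deployment's CIDR into three buckets.

    unlisted        -> not on the allowlist; review and add it if the product needs it
    port_restricted -> listed, but not on that port (e.g. blob storage on port 80)
    rule_mismatch   -> the intended allowlist permits it, yet the firewall denied it:
                       a deployed rule is missing or narrower than intended (a
                       "*.segment.io" wildcard without "segment.io" yields this for the apex)
    """
    buckets = {"unlisted": set(), "port_restricted": set(), "rule_mismatch": set()}
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] != "Deny":
            continue
        if ipaddress.ip_address(rec["src"]) not in cidr:
            continue  # not the managed application; out of scope here
        key = (rec["fqdn"], rec["port"])
        if is_allowed(rec["fqdn"], rec["port"], allowlist):
            buckets["rule_mismatch"].add(key)
        elif any(matches(entry, rec["fqdn"]) for entry in allowlist):
            buckets["port_restricted"].add(key)
        else:
            buckets["unlisted"].add(key)
    return {name: sorted(hits) for name, hits in buckets.items()}


# Constructed sample log messages (not real telemetry).
SAMPLE_LOGS = [
    "HTTPS request from 10.42.3.17:51234 to registry.redhat.io:443. Action: Allow. Rule Collection: aap-egress. Rule: redhat",
    "HTTPS request from 10.42.3.17:51240 to cdn.quay.io:443. Action: Allow. Rule Collection: aap-egress. Rule: quay",
    "HTTPS request from 10.42.5.2:40120 to galaxy.ansible.com:443. Action: Deny. No rule matched. Proceeding with default action.",
    "HTTP request from 10.42.5.2:40130 to segment.io:80. Action: Deny. No rule matched. Proceeding with default action.",
    "HTTP request from 10.42.7.9:40500 to aapstorage.blob.core.windows.net:80. Action: Deny. No rule matched. Proceeding with default action.",
    "HTTPS request from 10.200.0.8:55010 to example.org:443. Action: Deny. No rule matched. Proceeding with default action.",
]

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOGS).items():
        print(f"{bucket}: {hits}")
```

Run it against an export of the firewall's application-rule log messages. The "rule_mismatch" bucket is the one to watch after switching to wildcards: a denial of the bare segment.io while *.segment.io is allowed means the wildcard did not cover the apex name in your product, so the bare entry must stay. The "unlisted" bucket is the list of candidates to review for collection and role dependencies, and "port_restricted" hits are denials the policy intends (blob storage is 443 only).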