Whitelisting URLs and Ports
To facilitate communication between the edge device and the cloud services, it's necessary to whitelist specific URLs and ports on your network or firewall. The following URLs and ports need to be whitelisted:
Service | FQDN | Protocols (Port) | Direction | Explanation |
---|---|---|---|---|
Container registry (Microsoft) | mcr.microsoft.com | HTTPS (443) | Outbound | Access to Microsoft's container registry for storing and deploying container images. |
Container registry (Facts) | facts.azurecr.io | HTTPS (443) | Outbound | Access to the PA Facts container registry for storing and deploying container images. |
Container registry (Custom) | <custom-environment>.azurecr.io | HTTPS (443) | Outbound | Access to any custom container registry for storing and deploying customer specific container images. |
IoT Hub | azure-device.net | HTTPS (443), AMQP (5671), MQTT (8883) | Outbound | Access to the IoT Hub service to allow the Facts edge device to communicate securely and reliably with cloud-based resources. |
DPS | azure-device-provisioning.net | HTTPS (443) | Outbound | Access to the Azure Device Provisioning Service (DPS). |
DPS Global | global.azure-devices-provisioning.net | HTTPS (443) | Outbound | Access to the global Azure Device Provisioning Service (DPS). |
Docker | hub.docker.com | HTTPS (443) | Outbound | Access to the Docker registry for storing and deploying container images. |
Microsoft Linux Packages | packages.microsoft.com | HTTPS (443) | Outbound | Downloading necessary Linux packages provided by Microsoft such as moby and iot-edge. |
Configuration and Scripts | github.com/Azure | HTTPS (443) | Outbound | Downloading necessary configuration and script files. |
IoT Central | azureiotcentral.com | HTTPS (443), AMQP (5671), MQTT (8883) | Outbound | Access to the IoT Central service to allow the Facts edge device to communicate securely and reliably with cloud-based resources. |
Given that IoT Hub and DPS services are dynamically created by the Facts on Demand system, it's critical to whitelist azure-device.net and azure-device-provisioning.net, along with their respective subdomains, to ensure smooth communication and operation.
If you're using the Enterprise Version with custom modules, you'll need to permit access to your custom container registry, in addition to the default Microsoft and Facts container registries. Your custom container registry will typically have a URL in the format of <custom-environment>.azurecr.io.
If you require support to unblock these URLs and ports, please consult with your network administrator or IT department. They can assist you in configuring your network or firewall to permit outbound traffic on these URLs and ports.
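To check proposed firewall rules or a connection log against the table above, the following added example (not part of the original page or of the Facts product) encodes the table as an allowlist and matches subdomains only on a label boundary, so a name that merely ends in an allowed domain does not pass. The hostnames in SAMPLE, the contoso registry name and the custom_registry parameter are constructed assumptions.

```python
# Added example: the page's allowlist table as data, with boundary-safe matching.
# (FQDN, allowed TCP ports, subdomains allowed). Subdomains are enabled only for
# the two domains the page says need them.
ALLOWLIST = [
    ("mcr.microsoft.com", {443}, False),
    ("facts.azurecr.io", {443}, False),
    ("azure-device.net", {443, 5671, 8883}, True),
    ("azure-device-provisioning.net", {443}, True),
    ("global.azure-devices-provisioning.net", {443}, False),
    ("hub.docker.com", {443}, False),
    ("packages.microsoft.com", {443}, False),
    ("github.com", {443}, False),  # table lists github.com/Azure; a host rule sees only the host
    ("azureiotcentral.com", {443, 5671, 8883}, False),
]

def normalize(host):
    """Lower-case and drop a trailing root dot so comparisons are canonical."""
    return host.strip().rstrip(".").lower()

def is_allowed(host, port, custom_registry=None):
    """True if (host, port) is covered by the table, plus an optional custom registry."""
    host = normalize(host)
    rules = list(ALLOWLIST)
    if custom_registry:  # assumption: supplied by the operator, HTTPS only as in the table
        rules.append((normalize(custom_registry), {443}, False))
    for fqdn, ports, subdomains in rules:
        # Require the "." before the suffix: a bare endswith(fqdn) would also
        # accept unrelated registrations such as "notazure-device.net".
        matches = host == fqdn or (subdomains and host.endswith("." + fqdn))
        if matches and port in ports:
            return True
    return False

def audit(connections, custom_registry=None):
    """Return the (host, port) pairs the allowlist would block."""
    return [(h, p) for h, p in connections if not is_allowed(h, p, custom_registry)]

# Constructed sample of outbound connections (hostnames are illustrative only).
SAMPLE = [
    ("myhub.azure-device.net", 8883),      # dynamically created IoT Hub, MQTT
    ("myhub.azure-device.net", 1883),      # port not in the table
    ("notazure-device.net", 443),          # shares the suffix, not a subdomain
    ("MCR.Microsoft.com.", 443),           # case and trailing dot normalised
    ("contoso.azurecr.io", 443),           # custom registry, allowed only if declared
]

if __name__ == "__main__":
    for host, port in audit(SAMPLE):
        print(f"blocked: {host}:{port}")
```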