Firewall
On this page
Your Azure Firewall should cover the following:
- Default AKS functionality – logs and pods should be able to see Kubernetes API Server (as recommended in Outbound network and FQDN rules for AKS clusters).
- CluedIn resource access – resources needed for the CluedIn installation.
- CluedIn and custom enrichers - external web endpoints to enrich your data.
Additionally, if you want to use Power Automate integration for workflows in CluedIn and/or Power Apps integration, you need to add specific URLs to your Azure Firewall as described here
AKS and CluedIn resources
Below are the required endpoints for CluedIn to be functional out of the box.
| Rule address | Port | Description |
|---|---|---|
cluedinprod.azurecr.io | 443 | CluedIn container registry |
*.blob.core.windows.net | 443 | storage account endpoint provided by the registry |
api.nuget.org | 443 | NuGet packages |
github.com | 443 | GitHub artifacts |
objects.githubusercontent.com | 443 | GitHub artifacts |
billing.cluedin.com | 443 | CluedIn licensing server |
*.grafana.com | 443 | Grafana chart content |
mcr.microsoft.com | 443 | Microsoft container registry |
*.data.mcr.microsoft.com | 443 | MCR storage backed by the Azure content delivery network |
acme-v02.api.letsencrypt.org | 443 | (Optional) Let’s Encrypt service. Only required if not supplying own certificate |
quay.io/jetstack | 443 | (Optional) The cert-manager Let’s Encrypt ACME service uses images. Not required if using own certificate |
AKS Control Plane | 443 | (For public clusters only) FQDN can be found under the AKS resource next to the API server address property (for example, aks-cluedin.hcp.westeurope.azmk8s.io) |
*.file.core.windows.net | 445 | The Azure File CSI driver mounts some shares via NFS/SMB using this port |
pkgs.dev.azure.com | 443 | download the nuget dlls from cluedin public |
cluedin-io.github.io | 443 | Cluedin helm repository |
community.chocolatey.org | 443 | community.chocolatey.org |
get.helm.sh | 443 | Helm binary downloads |
chocolatey.org | 443 | Chocolatey package repository |
aka.ms | 443 | Microsoft redirection service (Azure CLI) |
packages.microsoft.com | 443 | Azure CLI and Kubernetes CLI packages |
dl.k8s.io | 443 | Kubernetes CLI downloads |
openssl.org | 443 | OpenSSL downloads |
Enricher examples
Below are optional additions to the above and are only required if you use enrichers. Below are two of our common enrichers, but each enricher will have its own endpoint configured. If you require assistance with what endpoint is used for each CluedIn enricher, please reach out to CluedIn support who will be happy to assist.
| Enricher name | Port | Description |
|---|---|---|
CompanyHouse | 443 | Our companies house enricher will call the endpoint https://api.companieshouse.gov.uk to validate UK based businesses |
GoogleMaps | 443 | The endpoint https://maps.googleapis.com/maps/api is called to query an address for correct address formatting and other metadata |
Because both enrichers call external addresses, this traffic will leave the Kubernetes cluster and will need to be whitelisted if using CluedIn enrichers or developing your own enrichers that require external endpoints.
If the rules have not been added, the installation may fail.
Power Apps and Power Automate
If you want to use Power Automate integration for workflows in CluedIn and/or Power Apps integration, you need to add the following rules to your Azure Firewall:
https://api.flow.microsoft.comhttps://<env-name>.api.crm4.dynamics.com– for example,https://org7bfc52cb.api.crm4.dynamics.comhttps://<env-name>.crm4.dynamics.com– for example,https://org7bfc52cb.crm4.dynamics.comhttps://graph.microsoft.comhttps://api.powerapps.comhttps://*.<region>.logic.azure.com– for example,https://prod-251.westeurope.logic.azure.com
Additionally, you need to add the following domains, which are hosts for incoming requests from Power Automate:
https://<name>.consent.azure-apihub.net– for example,https://europe002-002.consent.azure-apihub.nethttps://*.azure-apihub.net– for example,https://europe002-002.consent.azure-apihub.netandhttps://europe002-002.azure-apihub.net
Instead of using the domains above, you may choose to whitelist them by service tags:
AzureConnectorsLogicApps
There are options to further narrow down by region, for example, AzureConnectors.NorthEurope. This would depend on your Power Platform region. For example, if Power Platform is created in the Europe region, it is not clear whether it is North or West Europe, so you would add both regions in Europe:
AzureConnectors.NorthEuropeAzureConnectors.WestEurope