
Commit 1d725ae

Update hdinsight-restrict-outbound-traffic.md
1 parent cdd97e7 commit 1d725ae


1 file changed

+7
-18
lines changed


articles/hdinsight/hdinsight-restrict-outbound-traffic.md

Lines changed: 7 additions & 18 deletions
Original file line number | Diff line number | Diff line change
@@ -18,11 +18,11 @@ This article provides the steps for you to secure outbound traffic from your HDI
1818

1919
HDInsight clusters are normally deployed in a virtual network. The cluster has dependencies on services outside of that virtual network.
2020

21-
There are several dependencies that require inbound traffic. The inbound management traffic can't be sent through a firewall device. The source addresses for this traffic are known and are published [here](hdinsight-management-ip-addresses.md). You can also create Network Security Group (NSG) rules with this information to secure inbound traffic to the clusters.
21+
The inbound management traffic can't be sent through a firewall. You can use NSG service tags for the inbound traffic as documented [here](https://docs.microsoft.com/azure/hdinsight/hdinsight-service-tags).
2222

23-
The HDInsight outbound traffic dependencies are almost entirely defined with FQDNs. Which don't have static IP addresses behind them. The lack of static addresses means Network Security Groups (NSGs) can't lock down outbound traffic from a cluster. The addresses change often enough one can't set up rules based on the current name resolution and use.
23+
The HDInsight outbound traffic dependencies are almost entirely defined with FQDNs. Which don't have static IP addresses behind them. The lack of static addresses means Network Security Groups (NSGs) can't lock down outbound traffic from a cluster. The IP addresses change often enough one can't set up rules based on the current name resolution and use.
2424

25-
Secure outbound addresses with a firewall that can control outbound traffic based on domain names. Azure Firewall restricts outbound traffic based on the FQDN of the destination or [FQDN tags](../firewall/fqdn-tags.md).
25+
Secure outbound addresses with a firewall that can control outbound traffic based on FQDNs. Azure Firewall restricts outbound traffic based on the FQDN of the destination or [FQDN tags](../firewall/fqdn-tags.md).
2626

2727
## Configuring Azure Firewall with HDInsight
2828

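Review bot: The new line 21 links to the service-tags page with an absolute https://docs.microsoft.com URL while every other link in this file is a relative path (`hdinsight-management-ip-addresses.md`, `../firewall/fqdn-tags.md`); use `hdinsight-service-tags.md` so the link resolves in every build target. The edit to line 23 only changes "addresses" to "IP addresses" and leaves the fragment "Which don't have static IP addresses behind them." in place; merge it into the preceding sentence: "The HDInsight outbound traffic dependencies are almost entirely defined with FQDNs, which don't have static IP addresses behind them."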
@@ -74,7 +74,7 @@ Create an application rule collection that allows the cluster to send and receiv
7474
| --- | --- | --- | --- | --- |
7575
| Rule_2 | * | https:443 | login.windows.net | Allows Windows login activity |
7676
| Rule_3 | * | https:443 | login.microsoftonline.com | Allows Windows login activity |
77-
| Rule_4 | * | https:443,http:80 | storage_account_name.blob.core.windows.net | Replace `storage_account_name` with your actual storage account name. If your cluster is backed by WASB, then add a rule for WASB. To use ONLY https connections, make sure ["secure transfer required"](../storage/common/storage-require-secure-transfer.md) is enabled on the storage account. |
77+
| Rule_4 | * | https:443,http:80 | storage_account_name.blob.core.windows.net | Replace `storage_account_name` with your actual storage account name. To use ONLY https connections, make sure ["secure transfer required"](../storage/common/storage-require-secure-transfer.md) is enabled on the storage account. If you are using Private endpoint to access storage accounts, this step is not needed and storage traffic is not forwarded to the firewall.|
7878

7979
![Title: Enter application rule collection details](./media/hdinsight-restrict-outbound-traffic/hdinsight-restrict-outbound-traffic-add-app-rule-collection-details.png)
8080

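Review bot: Removing "If your cluster is backed by WASB, then add a rule for WASB." from the Rule_4 row leaves no statement of when the rule applies, while the new last sentence only says when it is not needed (private endpoint); state the positive condition as well, e.g. "Add this rule if your cluster uses a blob (WASB) storage account reached over its public endpoint." Two style points on the same row: "Private endpoint" should be lower-case ("private endpoint") like the rest of the doc, and the row ends in "firewall.|" without the space before the closing pipe that the other rows use.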
@@ -96,21 +96,12 @@ Create the network rules to correctly configure your HDInsight cluster.
9696
|Priority|200|
9797
|Action|Allow|
9898

99-
**IP Addresses section**
100-
101-
| Name | Protocol | Source addresses | Destination addresses | Destination ports | Notes |
102-
| --- | --- | --- | --- | --- | --- |
103-
| Rule_1 | UDP | * | * | 123 | Time service |
104-
| Rule_2 | Any | * | DC_IP_Address_1, DC_IP_Address_2 | * | If you're using Enterprise Security Package (ESP), then add a network rule in the IP Addresses section that allows communication with AAD-DS for ESP clusters. You can find the IP addresses of the domain controllers on the AAD-DS section in the portal |
105-
| Rule_3 | TCP | * | IP Address of your Data Lake Storage account | * | If you're using Azure Data Lake Storage, then you can add a network rule in the IP Addresses section to address an SNI issue with ADLS Gen1 and Gen2. This option will route the traffic to firewall. Which might result in higher costs for large data loads but the traffic will be logged and auditable in firewall logs. Determine the IP address for your Data Lake Storage account. You can use a PowerShell command such as `[System.Net.DNS]::GetHostAddresses("STORAGEACCOUNTNAME.blob.core.windows.net")` to resolve the FQDN to an IP address.|
106-
| Rule_4 | TCP | * | * | 12000 | (Optional) If you're using Log Analytics, then create a network rule in the IP Addresses section to enable communication with your Log Analytics workspace. |
107-
10899
**Service Tags section**
109100

110101
| Name | Protocol | Source Addresses | Service Tags | Destination Ports | Notes |
111102
| --- | --- | --- | --- | --- | --- |
112-
| Rule_7 | TCP | * | SQL | 1433 | Configure a network rule in the Service Tags section for SQL that will allow you to log and audit SQL traffic. Unless you configured Service Endpoints for SQL Server on the HDInsight subnet, which will bypass the firewall. |
113-
| Rule_8 | TCP | * | Azure Monitor | * | (optional) Customers who plan to use auto scale feature should add this rule. |
103+
| Rule_5 | TCP | * | SQL | 1433 | If you are using the default sql servers provided by HDInsight, configure a network rule in the Service Tags section for SQL that will allow you to log and audit SQL traffic. Unless you configured Service Endpoints for SQL Server on the HDInsight subnet, which will bypass the firewall. If you are using custom SQL server for Ambari, Oozie, Ranger and Hive metastroes then you only need to allow the traffic to your own custom SQL Servers.|
104+
| Rule_6 | TCP | * | Azure Monitor | * | (optional) Customers who plan to use auto scale feature should add this rule. |
114105

115106
![Title: Enter application rule collection](./media/hdinsight-restrict-outbound-traffic/hdinsight-restrict-outbound-traffic-add-network-rule-collection.png)
116107

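Review bot: Deleting the whole "IP Addresses section" drops four rules without saying what replaces them: the UDP 123 time-service rule, the AAD-DS domain-controller rule that ESP clusters need, the Data Lake Storage rule and the Log Analytics port 12000 rule. If these are now unnecessary or are covered elsewhere, the hunk or the commit message should say so; otherwise an ESP cluster configured from this page has no rule allowing traffic to its domain controllers. In the renumbered Rule_5 row, "metastroes" should be "metastores", "default sql servers" should be "default SQL servers", and the row ends in "Servers.|" without the space before the closing pipe used by the other rows.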
@@ -120,9 +111,7 @@ Create the network rules to correctly configure your HDInsight cluster.
120111

121112
Create a route table with the following entries:
122113

123-
* All IP addresses from [Health and management services: All regions](../hdinsight/hdinsight-management-ip-addresses.md#health-and-management-services-all-regions) with a next hop type of **Internet**.
124-
125-
* Two IP addresses for the region where the cluster is created from [Health and management services: Specific regions](../hdinsight/hdinsight-management-ip-addresses.md#health-and-management-services-specific-regions) with a next hop type of **Internet**.
114+
* All IP addresses from [Health and management services](../hdinsight/hdinsight-management-ip-addresses.md#health-and-management-services-all-regions) with a next hop type of **Internet**. It should include 4 IPs of the generic regions as well as 2 IPs for your specific region. This rule is only needed if the ResourceProviderConnection is set to *Inbound*. If the ResourceProviderConnection is set to *Outbound* then these IPs are not needed in the UDR.
126115

127116
* One Virtual Appliance route for IP address 0.0.0.0/0 with the next hop being your Azure Firewall private IP address.
128117

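Review bot: The merged bullet now covers both the generic-region IPs and the two region-specific IPs, but it keeps only the `#health-and-management-services-all-regions` anchor and drops the `#health-and-management-services-specific-regions` link that the removed second bullet carried, so the reader no longer has a direct link to the region-specific addresses; restore that link or point at a heading that covers both lists. Wording: "4 IPs of the generic regions" does not match the linked section title "All regions"; "the four IPs listed under All regions plus the two IPs for your specific region" is clearer. The ResourceProviderConnection condition is a useful addition, but the bullet should say where that setting is viewed or configured, since a reader of this section has no pointer to it.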