PRIMECLUSTER Installation and Administration Guide 4.6 Cloud Services
FUJITSU Software

26.3.2 Network Security Group Design

This section describes the security rule settings for the network security group that are required to allow communication within the cluster.

PRIMECLUSTER uses several protocols/ports for communication within the cluster.

When a new network security group is created, Azure's default security rules allow all communication within the Azure Virtual Network. When you set detailed security rules, create the security rules described in this section so that the protocols/ports used for communication within the cluster remain allowed.

In addition to the security rules described in this section, you can add security rules based on the customer's security requirements when designing network security groups.

When adding security rules for such requirements, or security rules required for the operation of other software, set their priority so that PRIMECLUSTER communication is not rejected.

The tables below describe the security rules for the cluster system with a two-node configuration (CF node names are cluster node 1 and cluster node 2).

See: For details and priorities of the security rules, refer to the official Azure documentation.

26.3.2.1 Security Rules Applied to the Administrative LAN

Design the security rules applied to the administrative LAN.

Inbound security rules

| Source | Source port range | Destination | Destination port range | Protocol | Action | Description |
| --- | --- | --- | --- | --- | --- | --- |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9382 | UDP | Allow | Used for the shutdown facility (SF) |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9382 | UDP | Allow | Used for the shutdown facility (SF) |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9796 | UDP | Allow | Used for the management view |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9796 | UDP | Allow | Used for the management view |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9797 | TCP | Allow | Used for the management view |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9797 | TCP | Allow | Used for the management view |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | Administrative LAN IP of cluster node 2 | * (Specify all ports) | ICMP | Allow | Used for clchkcluster |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | Administrative LAN IP of cluster node 1 | * (Specify all ports) | ICMP | Allow | Used for clchkcluster |

Replace sources and destinations with VNet/Application security groups according to your requirements.
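The priority caveat in this section (customer-added rules must not reject PRIMECLUSTER communication) can be checked before the rules are deployed. The following is an added example, not part of this manual or of PRIMECLUSTER: it models Azure's first-match NSG evaluation over the inbound administrative LAN rules above, using constructed node IPs, rule names and priorities chosen here.

```python
import ipaddress
from dataclasses import dataclass

NODE1 = "10.0.1.11"  # constructed: administrative LAN IP of cluster node 1
NODE2 = "10.0.1.12"  # constructed: administrative LAN IP of cluster node 2

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # Azure evaluates rules in ascending priority order
    src: str        # IP address, CIDR, or "*"
    dst: str
    dst_port: str   # a single port as a string, or "*"
    proto: str      # "UDP", "TCP", "ICMP" or "*"
    access: str     # "Allow" or "Deny"

# Inbound rules from the administrative LAN table; priorities are an assumption.
PRIMECLUSTER_INBOUND = [
    Rule("SF-1to2", 100, NODE1, NODE2, "9382", "UDP", "Allow"),
    Rule("SF-2to1", 101, NODE2, NODE1, "9382", "UDP", "Allow"),
    Rule("WVAdmin-udp-1to2", 102, NODE1, NODE2, "9796", "UDP", "Allow"),
    Rule("WVAdmin-udp-2to1", 103, NODE2, NODE1, "9796", "UDP", "Allow"),
    Rule("WVAdmin-tcp-1to2", 104, NODE1, NODE2, "9797", "TCP", "Allow"),
    Rule("WVAdmin-tcp-2to1", 105, NODE2, NODE1, "9797", "TCP", "Allow"),
    Rule("clchkcluster-1to2", 106, NODE1, NODE2, "*", "ICMP", "Allow"),
    Rule("clchkcluster-2to1", 107, NODE2, NODE1, "*", "ICMP", "Allow"),
]

def _addr_match(field: str, addr: str) -> bool:
    if field == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)

def evaluate(rules, src, dst, proto, port="*"):
    """Return (access, rule name) for one flow using Azure's first-match
    semantics. Unmatched traffic falls through to DenyAllInBound (65500);
    the default AllowVnetInBound (65000) is assumed overridden by a Deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (_addr_match(r.src, src) and _addr_match(r.dst, dst)
                and r.proto in ("*", proto) and r.dst_port in ("*", str(port))):
            return r.access, r.name
    return "Deny", "DenyAllInBound"

def shadowed_cluster_rules(extra_rules):
    """Names of PRIMECLUSTER rules whose traffic the combined rule set would
    reject; an empty list means the customer rules respect the priorities."""
    combined = PRIMECLUSTER_INBOUND + list(extra_rules)
    return [r.name for r in PRIMECLUSTER_INBOUND
            if evaluate(combined, r.src, r.dst, r.proto, r.dst_port)[0] != "Allow"]
```

Feed `shadowed_cluster_rules` the customer rules planned for the same NSG; any name it returns is a cluster flow that would be rejected and needs its priority lowered below the conflicting Deny.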

Outbound security rules

| Source | Source port range | Destination | Destination port range | Protocol | Action | Description |
| --- | --- | --- | --- | --- | --- | --- |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9382 | UDP | Allow | Used for the shutdown facility (SF) |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9382 | UDP | Allow | Used for the shutdown facility (SF) |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9796 | UDP | Allow | Used for the management view |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9796 | UDP | Allow | Used for the management view |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9797 | TCP | Allow | Used for the management view |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9797 | TCP | Allow | Used for the management view |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | Administrative LAN IP of cluster node 2 | * (Specify all ports) | ICMP | Allow | Used for clchkcluster |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | Administrative LAN IP of cluster node 1 | * (Specify all ports) | ICMP | Allow | Used for clchkcluster |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | 168.63.129.16 (DNS server) | 53 | TCP | Allow | Used for forced stop and network switching |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | 168.63.129.16 (DNS server) | 53 | TCP | Allow | Used for forced stop and network switching |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | 168.63.129.16 (DNS server) | 53 | UDP | Allow | Used for forced stop and network switching |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | 168.63.129.16 (DNS server) | 53 | UDP | Allow | Used for forced stop and network switching |

| Source | Source port range | Destination | Destination service tag | Destination port range | Protocol | Action | Description |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | Service Tag | AzureCloud | 443 | TCP | Allow | Used for forced stop and network switching (communication with API endpoint) |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | Service Tag | AzureCloud | 443 | TCP | Allow | Used for forced stop and network switching (communication with API endpoint) |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | Service Tag | Internet | 123 | TCP | Allow | Used for NTP server query |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | Service Tag | Internet | 123 | TCP | Allow | Used for NTP server query |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | Service Tag | Internet | 123 | UDP | Allow | Used for NTP server query |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | Service Tag | Internet | 123 | UDP | Allow | Used for NTP server query |

Replace sources and destinations with VNet/Application security groups according to your requirements.

26.3.2.1.1 Security Rules Applied to Web-Based Admin View

Design the security rules applied to the Web-Based Admin View.

1) When ensuring the connectivity with a virtual machine for a client

Design the security rules applied to the Web-Based Admin View (cluster node side).

Inbound security rules

| Source | Source port range | Destination | Destination port range | Protocol | Action | Description |
| --- | --- | --- | --- | --- | --- | --- |
| Virtual machine IP for the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 8081 | TCP | Allow | Used for the management view |
| Virtual machine IP for the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 8081 | TCP | Allow | Used for the management view |
| Virtual machine IP for the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9798 | TCP | Allow | Used for the management view |
| Virtual machine IP for the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9798 | TCP | Allow | Used for the management view |
| Virtual machine IP for the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9799 | TCP | Allow | Used for the management view |
| Virtual machine IP for the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9799 | TCP | Allow | Used for the management view |

Replace sources and destinations with VNet/Application security groups according to your requirements.

Design the security rules applied to the Web-Based Admin View (management client side).

Outbound security rules

| Source | Source port range | Destination | Destination port range | Protocol | Action | Description |
| --- | --- | --- | --- | --- | --- | --- |
| Virtual machine IP for the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 8081 | TCP | Allow | Used for the management view |
| Virtual machine IP for the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 8081 | TCP | Allow | Used for the management view |
| Virtual machine IP for the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9798 | TCP | Allow | Used for the management view |
| Virtual machine IP for the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9798 | TCP | Allow | Used for the management view |
| Virtual machine IP for the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9799 | TCP | Allow | Used for the management view |
| Virtual machine IP for the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9799 | TCP | Allow | Used for the management view |

Replace sources and destinations with VNet/Application security groups according to your requirements.

Also, create an inbound security rule for the network security group to allow a remote desktop connection from a remote control terminal of the management view client to a virtual machine for the management view client.

2) When ensuring the connectivity using a VPN connection

Design the security rules applied to the Web-Based Admin View (cluster node side).

Inbound security rules

| Source | Source port range | Destination | Destination port range | Protocol | Action | Description |
| --- | --- | --- | --- | --- | --- | --- |
| CIDR of the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 8081 | TCP | Allow | Used for the management view |
| CIDR of the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 8081 | TCP | Allow | Used for the management view |
| CIDR of the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9798 | TCP | Allow | Used for the management view |
| CIDR of the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9798 | TCP | Allow | Used for the management view |
| CIDR of the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9799 | TCP | Allow | Used for the management view |
| CIDR of the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9799 | TCP | Allow | Used for the management view |

Replace sources and destinations with VNet/Application security groups according to your requirements.

Design the security rules applied to the Web-Based Admin View (management client side).

Outbound security rules

| Source | Source port range | Destination | Destination port range | Protocol | Action | Description |
| --- | --- | --- | --- | --- | --- | --- |
| CIDR of the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 8081 | TCP | Allow | Used for the management view |
| CIDR of the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 8081 | TCP | Allow | Used for the management view |
| CIDR of the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9798 | TCP | Allow | Used for the management view |
| CIDR of the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9798 | TCP | Allow | Used for the management view |
| CIDR of the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 9799 | TCP | Allow | Used for the management view |
| CIDR of the management view client | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 9799 | TCP | Allow | Used for the management view |

Replace sources and destinations with VNet/Application security groups according to your requirements.

26.3.2.1.2 Security Rules Applied to the Virtual Machine Access During Installation and Maintenance

Design the security rules applied to the virtual machine access during installation and maintenance.

Inbound security rules

| Source | Source port range | Destination | Destination port range | Protocol | Action | Description |
| --- | --- | --- | --- | --- | --- | --- |
| CIDR of the access source | * (Specify all ports) | Administrative LAN IP of cluster node 1 | 22 | TCP | Allow | Used for the SSH remote access |
| CIDR of the access source | * (Specify all ports) | Administrative LAN IP of cluster node 2 | 22 | TCP | Allow | Used for the SSH remote access |

Replace sources and destinations with VNet/Application security groups according to your requirements.

Outbound security rules

| Source | Source port range | Destination | Destination service tag | Destination port range | Protocol | Action | Description |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | Service Tag | Internet | 80 | TCP | Allow | Used for installing dependent packages |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | Service Tag | Internet | 80 | TCP | Allow | Used for installing dependent packages |
| Administrative LAN IP of cluster node 1 | * (Specify all ports) | Service Tag | Internet | 443 | TCP | Allow | Used for installing dependent packages |
| Administrative LAN IP of cluster node 2 | * (Specify all ports) | Service Tag | Internet | 443 | TCP | Allow | Used for installing dependent packages |

Replace sources and destinations with VNet/Application security groups according to your requirements.

26.3.2.2 Security Rules Applied to the Cluster Interconnect

Design the security rules applied to the cluster interconnect.

This setting is not necessary in a single-node cluster.

Inbound security rules

| Source | Source port range | Destination | Destination port range | Protocol | Action | Description |
| --- | --- | --- | --- | --- | --- | --- |
| IP of NIC for cluster interconnect of cluster node 1 | * (Specify all ports) | IP of NIC for cluster interconnect of cluster node 2 | * (Specify all ports) | Any | Allow | Used for the heartbeat |
| IP of NIC for cluster interconnect of cluster node 2 | * (Specify all ports) | IP of NIC for cluster interconnect of cluster node 1 | * (Specify all ports) | Any | Allow | Used for the heartbeat |

Replace sources and destinations with VNet/Application security groups according to your requirements.

Outbound security rules

| Source | Source port range | Destination | Destination port range | Protocol | Action | Description |
| --- | --- | --- | --- | --- | --- | --- |
| IP of NIC for cluster interconnect of cluster node 1 | * (Specify all ports) | IP of NIC for cluster interconnect of cluster node 2 | * (Specify all ports) | Any | Allow | Used for the heartbeat |
| IP of NIC for cluster interconnect of cluster node 2 | * (Specify all ports) | IP of NIC for cluster interconnect of cluster node 1 | * (Specify all ports) | Any | Allow | Used for the heartbeat |

Replace sources and destinations with VNet/Application security groups according to your requirements.

26.3.2.3 Security Rules Applied to the Public LAN

Design the security rules applied to the public LAN.

Add the security rules that are required for application operations.

26.3.2.4 Security Rules Applied to the Network for Data Synchronization

Set the security rules applied to the network for data synchronization.

Inbound security rules

| Source | Source port range | Destination | Destination port range | Protocol | Action | Description |
| --- | --- | --- | --- | --- | --- | --- |
| IP of NIC for data synchronization of cluster node 1 | * (Specify all ports) | IP of NIC for data synchronization of cluster node 2 | 3260 | TCP | Allow | Used for mirroring among servers |
| IP of NIC for data synchronization of cluster node 2 | * (Specify all ports) | IP of NIC for data synchronization of cluster node 1 | 3260 | TCP | Allow | Used for mirroring among servers |

Replace sources and destinations with VNet/Application security groups according to your requirements.

Outbound security rules

| Source | Source port range | Destination | Destination port range | Protocol | Action | Description |
| --- | --- | --- | --- | --- | --- | --- |
| IP of NIC for data synchronization of cluster node 1 | * (Specify all ports) | IP of NIC for data synchronization of cluster node 2 | 3260 | TCP | Allow | Used for mirroring among servers |
| IP of NIC for data synchronization of cluster node 2 | * (Specify all ports) | IP of NIC for data synchronization of cluster node 1 | 3260 | TCP | Allow | Used for mirroring among servers |

Replace sources and destinations with VNet/Application security groups according to your requirements.