Azure Stack Hub sets up virtual IP addresses (VIPs) as endpoints for its infrastructure roles. VIPs are allocated from the public IP address pool. Each VIP is secured with an access control list (ACL) in the software-defined network layer. ACLs are also used across the physical switches (ToRs and BMC) to further harden the solution. A DNS entry is created for each endpoint in the external DNS zone that was specified at deployment time.
The following figure shows the different network layers and ACLs.
Figure 4. Azure Stack Hub network layers and ACL architecture diagram
The outbound ports apply to inbound communication when publishing Azure Stack Hub Services through an existing firewall.
We recommend, but do not require, that you use a firewall device to help secure Azure Stack Hub. Although firewalls can help with distributed denial-of-service (DDoS) attacks and content inspection, they can become a throughput bottleneck for Azure storage services such as blobs, tables, and queues.