Configuring a VNet with private IPs in Azure
When you create your CDP environment without public IPs, you have two options: Have CDP set up your private network and security groups, or set up the VNet with your private IPs and security groups. Either way, you must enable CCM.
Have CDP set up a VNet with private IPs and security groups
If you choose to have CDP create your private network and security groups when you are testing or sandboxing CCM, when you enable CCM, CDP performs the following:
Creates more than 30 subnets. Azure does not distinguish between public and private subnets. By default they are all private.
When CDP creates the security group, it opens two ports to the CIDR range that you specify, port 22 and port 443. Use these ports only to access these clusters. For a list of security group rules that CDP creates, see Default security group settings on Azure.
Set up your own VNet with private IPs and security groups
If you choose to configure your own VNets without public IPs, you will need to configure the following in your Azure Portal:
Create at least one virtual network subnet. See VNet and subnet planning to determine the exact number of subnets needed.
You must configure outbound traffic for CDP resources.
The workload clusters containing CCM (Knox, master, or CM for Classic Cluster) must be able to reach the Network Load Balancers (NLBs).
You can use port 443 to connect to the NLBs.
Create your security groups as described in Network security groups.