
Firewall settings

After installing numerous gateways we have learned that a few things are good to know and prepare for before going to the customer site to start the installation. First of all, most gateways must be connected to the internet. If the gateway uses the customer's internet connection, the customer needs to open outgoing port 8883 (MQTT over TLS) and outgoing port 443 (HTTPS) in their firewall. Some customers require more security and only allow outgoing traffic to specific domains, or even to specific IP addresses, so those rules must be prepared as well.

Setting up the firewall

When setting up firewall rules for outgoing traffic we strongly recommend allowing by domain name instead of by IP address. The servers' IP addresses are dynamically allocated and change over time, so it is not practical to configure the firewall exceptions with IP addresses: the list of addresses is long and it changes from time to time. The best way to configure the firewall exceptions is with the wildcard domains listed below.

This explanation is from Azure support: "The IoT Hub IP address can be discovered by using a reverse DNS lookup on the cname (*…). However, the IP mapped is subject to change without notice. This also doesn't help discover the geo-paired Hub IP address, that would be needed in case of a failover/disaster recovery".

The domains and ports that need to be allowed in the outgoing firewall rules are:

Domain   Outgoing port        IP address subject to change without notice   Description
*        443 (TCP)                                                          Used to download configuration and update gateway software.
         443 and 8883 (TCP)                                                 Used to send telemetry to IoT Hub and to upload blobs.
         443 (TCP)                                                          Used to upload blobs.
         443 (TCP)                                                          Used to update gateway software.
*        123 (UDP)                                                          Used for time synchronization.

If there is a requirement to allow by IP address instead, the current addresses can be downloaded from the Azure IP Ranges and Service Tags download (the AzureIoTHub service tag lists the IoT Hub prefixes), or you can look them up manually by running nslookup against each domain in the table. Keep in mind that these addresses are subject to change without notice, so an IP-based allow-list has to be refreshed regularly, and a lookup done from the customer site will not show the geo-paired hub that is used during a failover.

nslookup <domain>
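As an added example (not part of the original page and not the gateway vendor's own tooling), the script below reads a service-tag document in the shape of the Azure IP ranges download, checks whether the addresses a gateway endpoint resolves to still fall inside the published prefixes, and emits nftables egress rules restricted to the ports in the table above. The service-tag contents, the hostnames, the hostname-to-tag mapping and the resolved addresses are constructed placeholders chosen to show the failure mode the page warns about (an address that has drifted outside the published range).

```python
"""Audit an IP-based egress allow-list against Azure service-tag prefixes.

Added example for this page, not the gateway's own tooling. Hostnames,
prefixes and resolved addresses below are constructed placeholders.
"""
import ipaddress
import json
import socket
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the shape of the Azure "IP Ranges and Service Tags"
# JSON (only the keys read here). Prefixes are documentation ranges.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureIoTHub", "id": "AzureIoTHub",
         "properties": {"region": "", "systemService": "AzureIoTHub",
                        "addressPrefixes": ["203.0.113.0/26", "2001:db8:10::/48"]}},
        {"name": "Storage", "id": "Storage",
         "properties": {"region": "", "systemService": "AzureStorage",
                        "addressPrefixes": ["198.51.100.0/25"]}},
    ],
})

# Ports are the TCP ports from the page's table; the hostnames and the
# hostname -> service tag mapping are assumptions for illustration.
ENDPOINTS = {
    "hub.example.net":  {"tcp": [443, 8883], "tag": "AzureIoTHub"},
    "blob.example.net": {"tcp": [443], "tag": "Storage"},
}

# Constructed DNS answers standing in for resolve(). The second hub address
# has drifted outside the published prefix, the case the page warns about.
SAMPLE_RESOLVED = {
    "hub.example.net":  ["203.0.113.17", "203.0.113.200"],
    "blob.example.net": ["198.51.100.9"],
}


def resolve(host: str) -> List[str]:
    """Live A/AAAA lookup, to be run from the gateway's own network."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def load_prefixes(service_tags_json: str) -> Dict[str, List[Network]]:
    """Map each service-tag name to its parsed address prefixes."""
    doc = json.loads(service_tags_json)
    return {
        entry["name"]: [ipaddress.ip_network(p)
                        for p in entry["properties"]["addressPrefixes"]]
        for entry in doc["values"]
    }


def uncovered(resolved: Dict[str, List[str]],
              prefixes: Dict[str, List[Network]]) -> Dict[str, List[str]]:
    """Resolved addresses that fall outside the host's service tag.

    A non-empty result means an allow-list built from the downloaded
    ranges would already block this host: refresh the download.
    """
    stale: Dict[str, List[str]] = {}
    for host, spec in ENDPOINTS.items():
        nets = prefixes.get(spec["tag"], [])
        bad = [addr for addr in resolved.get(host, [])
               if not any(ipaddress.ip_address(addr) in net for net in nets)]
        if bad:
            stale[host] = bad
    return stale


def nft_rules(prefixes: Dict[str, List[Network]]) -> List[str]:
    """nftables egress policy: only the table's ports, only to tag prefixes.

    Anything else outbound hits the chain's drop policy. DNS and loopback
    are allowed so that domain lookups on the gateway keep working.
    """
    lines = [
        "table inet egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        "    udp dport 53 accept",
        "    udp dport 123 accept",  # time synchronization, any server (table: *)
    ]
    for host, spec in ENDPOINTS.items():
        ports = ", ".join(str(p) for p in spec["tcp"])
        for net in prefixes.get(spec["tag"], []):
            family = "ip6" if net.version == 6 else "ip"
            lines.append(f"    {family} daddr {net} tcp dport {{ {ports} }} accept")
    lines += ["  }", "}"]
    return lines


if __name__ == "__main__":
    prefixes = load_prefixes(SAMPLE_SERVICE_TAGS)
    for host, addrs in uncovered(SAMPLE_RESOLVED, prefixes).items():
        print(f"STALE {host}: {', '.join(addrs)} not in published prefixes")
    print("\n".join(nft_rules(prefixes)))
```

On a real gateway you would feed the downloaded JSON to load_prefixes and the output of resolve for each domain to uncovered; any address it reports is one the published ranges no longer cover, which is exactly why the page recommends domain-based rules. Note that the script can only check the addresses visible from where it runs, so it cannot vouch for the geo-paired hub used during failover.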