Hello fellow automation experts!
As you know, Azure Automation supports runbooks on-premises by way of Hybrid Runbook Workers. These are servers in your data center running a special agent that can communicate with Azure Automation, OMS, and your local resources to fulfill your wildest automation dreams.
Recently, I had the opportunity to dig into the details of what firewall and proxy settings are required to make this work. According to Microsoft's official documentation (link): "The on-premise machine running hybrid runbook worker must have outbound access to *.cloudapp.net on ports 443, 9354, and 30000 - 30199".
That's all well and good but many organizations aren't willing or able to open all access to *.cloudapp.net. In that case, what should they do? Here's the answer!
In short, the on-premises server must have outbound access to the IP addresses of the Azure data center hosting the Operations Management Suite workspace that server is connected to AND the Azure data center hosting the Automation subscription and associated resources. In diagram form:
[Diagram: Hybrid Runbook Worker outbound connectivity to the OMS data center and the Automation data center]
As you can see, port 443 must be opened to the data center that hosts OMS, and ports 9354 and 30000 - 30199 must be opened to the data center that hosts the Automation account and associated resources.
The IP addresses for each Azure data center are available here. Please note they can change on a weekly basis, so the allow-list has to be refreshed on that schedule.
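To make the two-region rule set concrete, here is an added example script (mine, not from the post or from Microsoft) that turns the published data center ranges into an outbound allow-list and lets you check a destination against it. It assumes the range file uses the `<AzurePublicIpAddresses><Region Name="..."><IpRange Subnet="..."/>` XML layout; the region names and subnets embedded below are constructed samples, not real Azure addresses, and the `changed_subnets` helper is my own addition for spotting the weekly changes between two downloaded snapshots.

```python
"""Build and check the outbound allow-list for a Hybrid Runbook Worker.

Added example, not part of the original post. Assumes the Azure data
center IP range file is XML in the layout
<AzurePublicIpAddresses><Region Name="..."><IpRange Subnet="..."/>.
Region names and subnets below are constructed samples.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the Azure data center IP range file.
SAMPLE_XML = """<AzurePublicIpAddresses>
  <Region Name="omsregion">
    <IpRange Subnet="203.0.113.0/24" />
    <IpRange Subnet="198.51.100.0/25" />
  </Region>
  <Region Name="automationregion">
    <IpRange Subnet="192.0.2.0/24" />
  </Region>
</AzurePublicIpAddresses>
"""

# Ports from the post: 443 to the OMS region, 9354 and 30000-30199 to the
# Automation region. Each entry is an inclusive (low, high) port range.
OMS_PORTS = [(443, 443)]
AUTOMATION_PORTS = [(9354, 9354), (30000, 30199)]


def parse_ranges(xml_text):
    """Return {region_name: [ip_network, ...]} from the range document."""
    root = ET.fromstring(xml_text)
    ranges = {}
    for region in root.findall("Region"):
        ranges[region.get("Name")] = [
            ipaddress.ip_network(r.get("Subnet"))
            for r in region.findall("IpRange")
        ]
    return ranges


def build_allow_list(ranges, oms_region, automation_region):
    """Return outbound rules as (network, low_port, high_port) tuples."""
    rules = []
    for net in ranges[oms_region]:
        for lo, hi in OMS_PORTS:
            rules.append((net, lo, hi))
    for net in ranges[automation_region]:
        for lo, hi in AUTOMATION_PORTS:
            rules.append((net, lo, hi))
    return rules


def is_allowed(rules, dst_ip, dst_port):
    """True if an outbound TCP flow to dst_ip:dst_port matches any rule."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net and lo <= dst_port <= hi for net, lo, hi in rules)


def changed_subnets(old_ranges, new_ranges, region):
    """Subnets added and removed for a region between two weekly snapshots."""
    old = set(old_ranges.get(region, []))
    new = set(new_ranges.get(region, []))
    return sorted(new - old, key=str), sorted(old - new, key=str)


if __name__ == "__main__":
    rules = build_allow_list(parse_ranges(SAMPLE_XML),
                             "omsregion", "automationregion")
    for net, lo, hi in rules:
        print(f"allow tcp out to {net} ports {lo}-{hi}")
```

Run it against the real range file with your own two region names to print the rules, and keep last week's snapshot so `changed_subnets` tells you which entries to add or retire; a worker that suddenly loses 9354 or the 30000-30199 range to the Automation region is the usual symptom of a stale allow-list.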
Hopefully that helps you get your Hybrid Runbook Workers up and running!
-John