Azure-docs: Does "AzureCloud" IP range include all Azure IPs and tag like "Storage", "AppService"?

Created on 17 Apr 2019 · 10 Comments · Source: MicrosoftDocs/azure-docs

  1. Does the "AzureCloud" tag include all Azure resources' public IPs? If not, does it overlap with (or include) other tags such as "AppService"?
  2. What tag should Azure FrontDoor IPs belong to?
  3. Given a specific Azure IP, how can we identify which tag it belongs to?

I'm asking this because our customer thought whitelisting "AzureCloud" would whitelist all Azure IPs, but ran into a problem where certain services got blocked (which worked before when whitelisting "AzureCloud"), and found it was due to a set of new Azure IPs being blocked. Some of the IPs I found belong to Azure Front Door and are not in the "AzureCloud" tag.



All 10 comments

Thanks for the question. We are currently investigating and will update you shortly.

@jinzejian

  1. You are correct, the AzureCloud tag is all Azure public IP ranges, which includes many other service tags.
  2. If you would like to specify the Azure FrontDoor IP ranges, you can find them here.
  3. If you would like to figure out what tag it belongs to / what service it came from, you can match it to the IP Ranges and Service Tags list.

The IP Ranges and Service Tags list should contain everything you need.

Hi Travis, thanks for the information. Take "13.107.246.0/24" for example: it belongs to name "AzureFrontDoor.Frontend" and systemService "AzureFrontDoor", but I don't see such a tag in NSG. Would you let me know what tag suits "13.107.246.0/24"?

Thanks.
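The lookup suggested in the reply above (matching an IP against the IP Ranges and Service Tags list), as an added example that is not part of the thread or of Microsoft's tooling. It assumes the published JSON layout with `values[].name`, `properties.systemService` and `properties.addressPrefixes`; the sample data is constructed and mirrors the situation reported here, where the Front Door prefix is not listed under "AzureCloud".

```python
import ipaddress
import json

# Constructed sample in the layout of the published Service Tags JSON
# (values[].name, properties.systemService, properties.addressPrefixes).
# Only 13.107.246.0/24 comes from the thread; the 198.51.100.0 and 2001:db8::
# prefixes are documentation-range placeholders, not real Azure ranges.
SAMPLE = json.loads("""
{"values": [
  {"name": "AzureCloud",
   "properties": {"systemService": "", "addressPrefixes": ["198.51.100.0/24"]}},
  {"name": "AppService",
   "properties": {"systemService": "AzureAppService",
                  "addressPrefixes": ["198.51.100.0/26"]}},
  {"name": "AzureFrontDoor.Frontend",
   "properties": {"systemService": "AzureFrontDoor",
                  "addressPrefixes": ["13.107.246.0/24", "2001:db8::/48"]}}
]}
""")

def tags_for_ip(ip, doc=SAMPLE):
    """Return (tag name, systemService, prefix) for every prefix containing ip,
    most specific prefix first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for tag in doc["values"]:
        props = tag["properties"]
        for prefix in props["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=False)
            # Skip prefixes of the other address family (IPv4 vs IPv6).
            if net.version == addr.version and addr in net:
                hits.append((tag["name"], props.get("systemService", ""), prefix))
    hits.sort(key=lambda h: -ipaddress.ip_network(h[2], strict=False).prefixlen)
    return hits

def not_covered(ips, allowed_tags, doc=SAMPLE):
    """IPs that none of the allowlisted tags contain, i.e. traffic an
    allowlist built from those tags would block."""
    allowed = set(allowed_tags)
    return [ip for ip in ips
            if not any(name in allowed for name, _, _ in tags_for_ip(ip, doc))]

if __name__ == "__main__":
    for ip in ("13.107.246.10", "198.51.100.5", "192.0.2.1"):
        print(ip, tags_for_ip(ip))
    print(not_covered(["13.107.246.10", "198.51.100.5"], ["AzureCloud"]))
```

To run it against the real list, load the downloaded JSON file with `json.load` and pass it as `doc`.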

@jinzejian Azure FrontDoor does not have a service tag at this time. It will be integrated into the Azure Cloud service tag in the near future, and get its own service tag.

Thanks Travis for the reply. Which means "AzureCloud tag is all Azure public IP ranges" is not entirely correct currently, right?

Also, which tag should these IPs belong to (or will belong to)? I checked and they do belong to Azure:
65.55.163.x

Thanks.

@jinzejian The published IP Ranges are in the JSON Doc. I am unsure outside of what is published there unfortunately.

Thanks Travis. Per "Azure FrontDoor does not have a service tag at this time. It will be integrated into the Azure Cloud service tag in the near future, and get its own service tag." Do we have an ETA that can be shared with our customer?

@jinzejian Unfortunately no, I cannot state a time that it will be ready at this time.

We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.

Hello @jinzejian - we are currently working on enabling AFD service tag for NSG. Rough ETA is Q3'19. Thank you.

Noted, thanks @jispar !
