A server behind a firewall needs to send telemetrics to a specific Azure data center (Application Insights) and I need to open the right IP addresses + port numbers in a firewall.
The documentation from Microsoft is very confusing here: if I look at the IP-range JSON from Microsoft (https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519), there are a lot of IP address intervals without specifying which data center they are relevant for.
I assume I need to consider these two system services: ApplicationInsightsAvailability + AzureMonitor. But how do I identify the ones that are relevant for my data center?
https://learn.microsoft.com/en-us/azure/azure-monitor/app/ip-addresses
The Azure Datacenter IP ranges (XML files) were deprecated on June 30, 2020, so please start using the JSON files listed below. IP ranges for each cloud, broken down by region and by the tagged services in that cloud, are now available on MS Download:
These JSON files are updated weekly and include versioning both for the full file and each individual service tag in that file.
You can filter the IP addresses by region.
You can also use the Service Tag Discovery API to integrate with an on-premises firewall, by programmatically retrieving the information:
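# Query the Service Tag Discovery API (requires the Az.Network module and a signed-in session)
$serviceTags = Get-AzNetworkServiceTag -Location eastus2
# Pick one service tag by name
$storage = $serviceTags.Values | Where-Object { $_.Name -eq "Storage" }
# List the address prefixes published for that tag
$storage.Properties.AddressPrefixes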
We have another way to retrieve the current list of service tags together with the IP address range.
Refer here for more information.
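Filtering the downloaded JSON file by region and system service, as an added example that is not part of the original answer. The function name `Get-RegionalServicePrefix` is hypothetical and the sample document is constructed (documentation address ranges, not real Azure prefixes); the property names follow the layout of the downloaded file.

```powershell
# Constructed sample in the shape of the weekly service-tag JSON download.
# Prefixes are documentation ranges, not real Azure addresses.
$sampleJson = @'
{
  "changeNumber": 1, "cloud": "Public",
  "values": [
    { "name": "AzureMonitor", "id": "AzureMonitor",
      "properties": { "changeNumber": 1, "region": "", "systemService": "AzureMonitor",
        "addressPrefixes": ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:1::/48"] } },
    { "name": "AzureMonitor.WestEurope", "id": "AzureMonitor.WestEurope",
      "properties": { "changeNumber": 1, "region": "westeurope", "systemService": "AzureMonitor",
        "addressPrefixes": ["203.0.113.0/25", "2001:db8:1::/48"] } },
    { "name": "Storage.WestEurope", "id": "Storage.WestEurope",
      "properties": { "changeNumber": 1, "region": "westeurope", "systemService": "AzureStorage",
        "addressPrefixes": ["192.0.2.0/24"] } }
  ]
}
'@

# Hypothetical helper: emits one row per prefix for the requested region and services.
function Get-RegionalServicePrefix {
    param(
        [Parameter(Mandatory)] [string] $Json,                        # file contents
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Region, # '' = unregioned entry
        [Parameter(Mandatory)] [string[]] $SystemService
    )
    $doc = $Json | ConvertFrom-Json
    foreach ($tag in $doc.values) {
        $p = $tag.properties
        # Keep only entries that match both the region and one of the services
        if ($p.region -ne $Region -or $p.systemService -notin $SystemService) { continue }
        foreach ($prefix in $p.addressPrefixes) {
            [pscustomobject]@{
                Tag          = $tag.name
                ChangeNumber = $p.changeNumber   # compare between runs to detect updates
                Family       = if ($prefix -like '*:*') { 'IPv6' } else { 'IPv4' }
                Prefix       = $prefix
            }
        }
    }
}

# With a real download: -Json (Get-Content -Raw <path to the JSON file>)
Get-RegionalServicePrefix -Json $sampleJson -Region westeurope `
    -SystemService AzureMonitor, ApplicationInsightsAvailability |
    Sort-Object Family, Prefix | Format-Table -AutoSize
```

A service that has no entry for the requested region returns no rows; its unregioned entry can be listed with `-Region ''`.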