How to add Microsoft Azure IP ranges and Service tag based IP addresses

Prashanth Kumar
4 min readApr 6, 2023

--

What is Azure service tags

A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.

Problem Statement.

Intent of this article as each customer wanted to have region based IP addresses wants to be mapped on their Azure Services such as “Storage account”, “Virtual Machines”, in short any Azure Service which uses Virtual Network.

As we want to control network access based on regions so that only specific folks have to use it.

How to achieve this using Automation

There are different ways to achieve adding IP addresses to any Azure service.

  1. Using Azure Automation Account
  2. Using Azure Functions
  3. Using Azure LogicApps.

Lets check the script to achieve this.

I am going to use simple PowerShell Script and then add it to both Azure Function and Azure Automation account.

  1. Create a new Azure function with PowerShell core.
  2. Under functions → click on App files → select “requirements.psd1” and uncomment line ‘Az’ which is by default commented.

3. Now click on functions create a new function with Timer trigger →select run.ps1.

lets look into the code block by block.

as Microsoft releases IP address every monday morning so we need to schedule our function in such a way that it should check current day and then check the difference between Previous Monday vs current Monday.

so I came up with a simple logic of comparion using.

$last_week = (Get-Date)
while ($last_week.DayOfWeek -ne ‘Monday’) {
$last_week = $last_week.AddDays(-1)
}
$last_week = $last_week.ToString(“yyyyMMdd”)
$last_week

It will give the Output result as “20230403”.

Now we need to get this Output result to be added in our REST API link.

so I am going to use.

$url = ‘https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_' + $last_week + ‘.json’

so the absolute URL would be

https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20230403.json

Next we need to connect to Azure subscription or Resource group and here I am using Managed Identity option.

Connect-AzAccount -identity -Accountid ‘db8f96b0–5f08–4977–8b7d-xxxxxxx’

However if someone wants to go with SPN with Secret then we can use alternate option as

$AppId = “xxxxxx-536f-44d5-xxxxxx”
$Secret = “xxxxxxxxxxxxxxxxxxxxxx”
$TenantId = “xxxxxx-0857–4910-bd2c-xxxxxxx”
$SecuredPassword = ConvertTo-SecureString $Secret -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AppId, $SecuredPassword
Connect-AzAccount -ServicePrincipal -TenantId $TenantId -Credential $Credential

Now we want to download this json file and then extract IP addresses based on region wise.

for this I am going to use Invoke-RestMethod.

# Download the service tags for Azure services
$ip_ranges = Invoke-RestMethod $url -Method ‘GET’

Once you have an IP addresses now we want to further drill based on Regionwise (In our case i am using “west europe” region).

$address_prefixes = $ip_ranges.values | Where-Object {$_.name -eq ‘AzureCloud.westeurope’} | Select-Object -ExpandProperty properties | Select-Object -ExpandProperty addressPrefixes
$address_prefixes = $address_prefixes | Where-Object { $_ -notmatch “:” } | ForEach-Object { @{ ipAddressOrRange = $_ } }

finally to add extracted IP addresses I am going to use for loop.

foreach ($address_prefixes in $address_prefixes.values) {

Add-AzStorageAccountNetworkRule -ResourceGroupName “P2SDemoResouceGroup” -Name “prademostgacc002” -IPAddressOrRange $address_prefixes
}

After you execute Storage account will show all Microsoft Azure west Europe region IP’s. So you can see all IP’s got added and same can be done for other Azure services.

Final script would be something like this.

# Input bindings are passed in via param block.
param($Timer)
Install-Module Az

$last_week = (Get-Date)
while ($last_week.DayOfWeek -ne ‘Monday’) {
$last_week = $last_week.AddDays(-1)
}
$last_week = $last_week.ToString(“yyyyMMdd”)
$last_week
$url = ‘https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_' + $last_week + ‘.json’

#$AppId = “xxxxxxxxxxxxxxxxxxx”
#$Secret = “xxxxxxxxxxxxxxxxxxx”
#$TenantId = “xxxxxxxxxxxxxxxxxxx”
#$SecuredPassword = ConvertTo-SecureString $Secret -AsPlainText -Force
#$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AppId, $SecuredPassword

#Connect-AzAccount -ServicePrincipal -TenantId $TenantId -Credential $Credential
Connect-AzAccount -identity -Accountid ‘xxx-5f08–4977–8b7d-xxxx’
#$storageAccountName = “prademostgacc002”
#$resourceGroupName = “P2SDemoResouceGroup”

# Download the service tags for Azure services
$ip_ranges = Invoke-RestMethod $url -Method ‘GET’

$address_prefixes = $ip_ranges.values | Where-Object {$_.name -eq ‘AzureCloud.westeurope’} | Select-Object -ExpandProperty properties | Select-Object -ExpandProperty addressPrefixes
$address_prefixes = $address_prefixes | Where-Object { $_ -notmatch “:” } | ForEach-Object { @{ ipAddressOrRange = $_ } }
#$privateSubnet = Get-AzVirtualNetwork -ResourceGroupName “P2SDemoResouceGroup” -Name “myVirtualNetwork001” | Get-AzVirtualNetworkSubnetConfig -Name “Subnet1”

foreach ($address_prefixes in $address_prefixes.values) {

Add-AzStorageAccountNetworkRule -ResourceGroupName “P2SDemoResouceGroup” -Name “prademostgacc002” -IPAddressOrRange $address_prefixes
}

Same PowerShell Script can be used in Azure Automation account, and for LogicApps we can call Azure function.

--

--

Prashanth Kumar
Prashanth Kumar

Written by Prashanth Kumar

IT professional with 20+ years experience, feel free to contact me at: Prashanth.kumar.ms@outlook.com

No responses yet