Rediger

Del via

IP addresses used by Azure Monitor

  • Artikel

Azure Monitor uses several IP addresses. Azure Monitor is made up of core platform metrics and logs in addition to Log Analytics and Application Insights. You might need to know IP addresses if the app or infrastructure that you're monitoring is hosted behind a firewall.

Note

All Application Insights traffic represents outbound traffic except for availability monitoring and webhook action groups, which also require inbound firewall rules.

You can use Azure network service tags to manage access if you're using Azure network security groups. If you're managing access for hybrid/on-premises resources, you can download the equivalent IP address lists as JSON files, which are updated each week. To cover all the exceptions in this article, use the service tags ActionGroup, ApplicationInsightsAvailability, and AzureMonitor.

Note

Service tags don't replace validation/authentication checks required for cross-tenant communications between a customer's Azure resource and other service tag resources.

Outgoing ports

You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or Application Insights Agent to send data to the portal.

Note

These addresses are listed by using Classless Interdomain Routing notation. As an example, an entry like 51.144.56.112/28 is equivalent to 16 IPs that start at 51.144.56.112 and end at 51.144.56.127.

Purpose URL Type Ports
Telemetry dc.applicationinsights.azure.com
dc.applicationinsights.microsoft.com
dc.services.visualstudio.com

{region}.in.applicationinsights.azure.com

 Global
Global
Global

Regional
 443
Live Metrics live.applicationinsights.azure.com
rt.applicationinsights.microsoft.com
rt.services.visualstudio.com

{region}.livediagnostics.monitor.azure.com

Example for {region}: westus2		 Global
Global
Global

Regional
 443

Note

Application Insights ingestion endpoints are IPv4 only.

Application Insights Agent

Application Insights Agent configuration is needed only when you're making changes.

Purpose URL Ports
Configuration management.core.windows.net 443
Configuration management.azure.com 443
Configuration login.windows.net 443
Configuration login.microsoftonline.com 443
Configuration secure.aadcdn.microsoftonline-p.com 443
Configuration auth.gfx.ms 443
Configuration login.live.com 443
Installation globalcdn.nuget.org, packages.nuget.org ,api.nuget.org/v3/index.json nuget.org, api.nuget.org, dc.services.vsallin.net 443

Availability tests

For more information on availability tests, see Private availability testing.

Application Insights and Log Analytics APIs

Purpose URI Ports
API api.applicationinsights.io
api1.applicationinsights.io
api2.applicationinsights.io
api3.applicationinsights.io
api4.applicationinsights.io
api5.applicationinsights.io
dev.applicationinsights.io
dev.applicationinsights.microsoft.com
dev.aisvc.visualstudio.com
www.applicationinsights.io
www.applicationinsights.microsoft.com
www.aisvc.visualstudio.com
api.loganalytics.io
*.api.loganalytics.io
dev.loganalytics.io
docs.loganalytics.io
www.loganalytics.io
api.loganalytics.azure.com		 80,443
Azure Pipeline annotations extension aigs1.aisvc.visualstudio.com 443

Application Insights analytics

Purpose URI Ports
CDN applicationanalytics.azureedge.net 80,443
Media CDN applicationanalyticsmedia.azureedge.net 80,443

The Application Insights team owns the *.applicationinsights.io domain.

Log Analytics portal

Purpose URI Ports
Portal portal.loganalytics.io 80,443

The Log Analytics team owns the *.loganalytics.io domain.

Application Insights Azure portal extension

Purpose URI Ports
Application Insights extension stamp2.app.insightsportal.visualstudio.com 80,443
Application Insights extension CDN insightsportal-prod2-cdn.aisvc.visualstudio.com
insightsportal-prod2-asiae-cdn.aisvc.visualstudio.com
insightsportal-cdn-aimon.applicationinsights.io		 80,443

Application Insights SDKs

Purpose URI Ports
Application Insights JS SDK CDN az416426.vo.msecnd.net
js.monitor.azure.com		 80,443

Action group webhooks

You can query the list of IP addresses used by action groups by using the Get-AzNetworkServiceTag PowerShell command.

Action group service tag

Managing changes to source IP addresses can be time consuming. Using service tags eliminates the need to update your configuration. A service tag represents a group of IP address prefixes from a specific Azure service. Microsoft manages the IP addresses and automatically updates the service tag as addresses change, which eliminates the need to update network security rules for an action group.

  1. In the Azure portal under Azure Services, search for Network Security Group.

  2. Select Add and create a network security group:

    1. Add the resource group name, and then enter Instance details information.
    2. Select Review + Create, and then select Create.

    Screenshot that shows how to create a network security group.

  3. Go to Resource Group, and then select the network security group you created:

    1. Select Inbound security rules.
    2. Select Add.

    Screenshot that shows how to add inbound security rules.

  4. A new window opens in the right pane:

    1. Under Source, enter Service Tag.
    2. Under Source service tag, enter ActionGroup.
    3. Select Add.

    Screenshot that shows how to add a service tag.

Application Insights Profiler for .NET

Purpose URI Ports
Agent agent.azureserviceprofiler.net
*.agent.azureserviceprofiler.net
profiler.monitor.azure.com		 443
Portal gateway.azureserviceprofiler.net
dataplane.diagnosticservices.azure.com		 443
Storage *.core.windows.net 443

Snapshot Debugger

Note

Application Insights Profiler for .NET and Snapshot Debugger share the same set of IP addresses.

Purpose URI Ports
Agent agent.azureserviceprofiler.net
*.agent.azureserviceprofiler.net
snapshot.monitor.azure.com		 443
Portal gateway.azureserviceprofiler.net
dataplane.diagnosticservices.azure.com		 443
Storage *.core.windows.net 443

Frequently asked questions

This section provides answers to common questions.

Can I monitor an intranet web server?

Yes, but you need to allow traffic to our services by either firewall exceptions or proxy redirects.

See IP addresses used by Azure Monitor to review our full list of services and IP addresses.

How do I reroute traffic from my server to a gateway on my intranet?

Route traffic from your server to a gateway on your intranet by overwriting endpoints in your configuration. If the Endpoint properties aren't present in your config, these classes use the default values which are documented in IP addresses used by Azure Monitor.

Your gateway should route traffic to our endpoint's base address. In your configuration, replace the default values with http://<your.gateway.address>/<relative path>.