How do I determine the outbound IP addresses of my Azure App Service
Issue
Some network environments are locked down behind a firewall and allow only whitelisted IP addresses inbound to their internal network. Common questions are: “What is the outbound IP address of my Azure Web App, Azure Mobile App (insert your type of Azure App Service here)?” and “What IP addresses do I need to whitelist for Azure?” Even if you determine the address through a network trace or firewall log, you will notice that it can change. This is because of the internal structure of Azure: the outbound address could be any address within a certain range, and that range is not static.
Solution
For an individual App you can look in the Properties of the application:
What if you need to whitelist a whole region instead (for example, because you are constantly adding new apps)?
We provide a list of the Azure Data Center IP ranges. You can download this XML file, find the Data Center that your Azure Web App is in, and then whitelist those ranges of IPs. This list is updated weekly (mostly with additions). You can then update your firewall from this list, manually or through automation, to ensure your app is able to call into your network through your firewall.
Here is an example:
The app I want to find the range of IPs for is called problemwebapp. I look this up in the Azure Portal to see what Data Center it is in (in the Overview tab) and I see it is in ‘East US’:
Next I go to this link and download the XML File with the Azure Data Center IP listing: Microsoft Azure Datacenter IP Ranges
Then I search for the location. I searched on ‘us’, then ‘east’, and was able to find this (yes, it is a bit cryptic, but it will not change):
At this point you have the information for that Data Center and can add these IP ranges to your Firewall. Depending on how your firewall is managed, you may be able to automate this (talk to your firewall provider).
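The steps above as a script, added here as an example and not part of the original post: it pulls one region's ranges from the file, diffs them against the firewall's current allowlist, and lists any of an app's outbound IPs that the ranges do not cover. The element and attribute names (`Region`/`Name`, `IpRange`/`Subnet`), the region key `useast`, the function names, and all sample ranges are assumptions; the sample data is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout of the downloaded file
# (Region/@Name, IpRange/@Subnet). Ranges are documentation prefixes, not Azure's.
SAMPLE_XML = """<AzurePublicIpAddresses>
  <Region Name="useast">
    <IpRange Subnet="192.0.2.0/24" />
    <IpRange Subnet="198.51.100.0/25" />
  </Region>
  <Region Name="uswest">
    <IpRange Subnet="203.0.113.0/24" />
  </Region>
</AzurePublicIpAddresses>"""


def region_ranges(xml_text, region):
    """Return the set of validated networks listed for one region name."""
    root = ET.fromstring(xml_text)
    for node in root.iter("Region"):
        if node.get("Name", "").lower() == region.lower():
            # strict=True raises ValueError on a malformed CIDR (host bits set)
            return {ipaddress.ip_network(r.get("Subnet"), strict=True)
                    for r in node.iter("IpRange")}
    raise KeyError(f"region {region!r} not found in file")


def diff_allowlist(current, new):
    """Ranges to add to and remove from the firewall, as sorted CIDR strings."""
    add = sorted(str(n) for n in new - current)
    remove = sorted(str(n) for n in current - new)
    return add, remove


def uncovered(addresses, ranges):
    """Outbound IPs (from the app's Properties) that no listed range contains."""
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in net for net in ranges)]


if __name__ == "__main__":
    new = region_ranges(SAMPLE_XML, "useast")
    current = {ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("203.0.113.128/25")}  # constructed firewall state
    print(diff_allowlist(current, new))
    print(uncovered(["192.0.2.10", "198.51.100.200"], new))
```

Reviewing the `remove` list before applying it keeps a truncated or partial download from silently dropping ranges the app still uses.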
FAQs
What does this list include:
Will I have time to update my firewall before a change happens:
How often can this outbound list change:
Is this only Web Apps or ALL IPs in the data center:
All of the questions above are answered in the Details section of Microsoft Azure Datacenter IP Ranges:
https://www.microsoft.com/en-us/download/details.aspx?id=41653 “This file contains the Compute IP address ranges (including SQL ranges) used by the Microsoft Azure Datacenters. A new xml file will be uploaded every Wednesday (Pacific Time) with the new planned IP address ranges. New IP address ranges will be effective on the following Monday (Pacific Time). Please download the new xml file and perform the necessary changes on your site before Monday.”
Is there a way to narrow this list to just Azure Web Apps: No
Comments
- Anonymous
March 16, 2017
I'm comparing the four outbound addresses listed under Properties for my web app and the current XML file I downloaded. I don't see a match for any of the listed IPs in the XML list. Does that mean the IPs currently listed for my web app will change soon? Also, how often do these IP addresses change on Azure for a web app instance?
- Anonymous
June 09, 2017
You can easily grab and parse those ranges with this project: https://github.com/poshsecurity/AzurePublicIPAddresses
Very handy if you have to refresh that list weekly in some Cisco/Juniper/Checkpoint/youNameIt device out there, since you'll want to do that programmatically.. since we all have a life :)