Close

Whitelist Azure

If you want to call a webservice from Azure, the webservice provider might ask you for a list of ip addresses to whitelist on their firewall. As you know, Azure has no fixed IP addresses. It’s no good practice either to supply ip addresses per individual service. As an example in the properties of an Azure function container, you can find a function has five outbound ip addresses. A custom API App also has it’s own set of outbound ip addresses. And worst part of it. These IP addresses are not fixed, but might change. For instance when you reinstall a function or custom API App.

It’s good to know there’s a Microsoft web site with Azure IP ranges. These ranges can also change, so also look up the folling link:
https://www.microsoft.com/en-us/download/confirmation.aspx?id=41653
Microsoft send me a mail with another link about whitelisting outbound IP addresses for Azure Logic Apps:
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-limits-and-config#configuration-ip-addresses

The IP ranges are grouped per Azure Region. So, if your solution is hosted in region WestEurope, you have to pass the IP addresses listed under “europewest”.
Example:
<Region Name=”europewest”>
<IpRange Subnet=”13.69.0.0/17″ />
<IpRange Subnet=”13.73.128.0/18″ />
<IpRange Subnet=”13.73.224.0/21″ />
<IpRange Subnet=”13.80.0.0/15″ />
….

Disadvantage: There’s many IP ranges to whitelist on the firewall. Network engineers might not like that, because that means many security holes.

The below links explain how you can find the inbound/outbound ip addresses for a specific Azure App (instead of whitelisting an entire IP range):

  • Each app has a single inbound IP address. The inbound IP address may change when you perform one of the following actions: (1) Delete an app and recreate it in a different resource group, (2) Delete the last app in a resource group and region combination and recreate it, (3) Delete an existing SSL binding, such as during certificate renewal. Link:  docs.microsoft.com
  • The set of outbound IP addresses for your app changes when you scale your app between the lower tiers (BasicStandard, and Premium) and the Premium V2 tier. Link: docs.microsoft.com
  • And for SSL: docs.microsoft.com