I have a custom policy that reaches out to other services via RESTful technical profiles for claims processing. I need to whitelist the IP address range of the AD B2C instance to allow connections to these services, as they reside outside of the Azure domain.
I've come across this post, and the updated set of data center IP addresses for Azure here.
A few questions
Are there different IP addresses for Azure AD B2C than Azure AD or are they both covered by the "AzureIdentity" system services in the 2nd link?
If the latter, which set of IP addresses are relevant to Azure AD B2C, "AzureActiveDirectoryDomainServices" or "AzureActiveDirectory.ServiceEndpoint" ?
Finally, is there a more definitive way to scope down the set of IP addresses, e.g. by region or perhaps by addressPrefix as with Azure Functions via the resource explorer and a resource profile?
TIA
Not possible. The outgoing IPs will be in the Azure Datacentre IP range. Anyone can stand up a VM in this IP range. Rather than use network security, work on the API authentication schemes described here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api
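Added example (not from this thread, and not Microsoft's code): what the "authenticate the caller instead of its IP" advice looks like on the receiving side, as a PowerShell Azure Functions HTTP trigger that the RESTful technical profile calls with AuthenticationType="Basic". The app-setting names B2C_API_USER / B2C_API_PASSWORD, the input claim `email` and the output claim `loyaltyNumber` are hypothetical; the function.json binding (HTTP in, `Response` out) is the standard template.

```powershell
# Added example: Basic-auth check for a B2C REST technical profile target (run.ps1 of an HTTP trigger).
# Assumed app settings (hypothetical): B2C_API_USER, B2C_API_PASSWORD. These are the same values the
# policy stores as the BasicAuthenticationUsername / BasicAuthenticationPassword cryptographic keys.
using namespace System.Net

param($Request, $TriggerMetadata)

# Constant-time comparison: a plain -eq short-circuits on the first mismatching byte and leaks
# how many leading characters were right. Length is folded in so mismatched lengths also fail.
function Test-SecretEqual {
    param([string]$Candidate, [string]$Expected)
    $a = [Text.Encoding]::UTF8.GetBytes([string]$Candidate)
    $b = [Text.Encoding]::UTF8.GetBytes([string]$Expected)
    $diff = $a.Length -bxor $b.Length
    $n = [Math]::Min($a.Length, $b.Length)
    for ($i = 0; $i -lt $n; $i++) { $diff = $diff -bor ($a[$i] -bxor $b[$i]) }
    return ($diff -eq 0)
}

# Parses "Authorization: Basic base64(user:password)" and checks both parts.
function Test-BasicAuth {
    param([string]$AuthorizationHeader)
    if (-not $AuthorizationHeader) { return $false }
    if (-not $AuthorizationHeader.StartsWith('Basic ', 'OrdinalIgnoreCase')) { return $false }
    try {
        $raw = [Convert]::FromBase64String($AuthorizationHeader.Substring(6).Trim())
        $decoded = [Text.Encoding]::UTF8.GetString($raw)
    } catch { return $false }
    $sep = $decoded.IndexOf(':')
    if ($sep -lt 0) { return $false }
    # Evaluate both comparisons unconditionally so a wrong user and a wrong password take the same time.
    $userOk = Test-SecretEqual -Candidate $decoded.Substring(0, $sep) -Expected $env:B2C_API_USER
    $passOk = Test-SecretEqual -Candidate $decoded.Substring($sep + 1) -Expected $env:B2C_API_PASSWORD
    return ($userOk -and $passOk)
}

if (-not (Test-BasicAuth -AuthorizationHeader $Request.Headers['Authorization'])) {
    # Reject before touching the body: nothing the caller posted is trusted until it is authenticated.
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::Unauthorized
        Headers    = @{ 'WWW-Authenticate' = 'Basic realm="b2c-claims"' }
        Body       = ''
    })
    return
}

# Only now read the InputClaims that B2C posted as JSON (hypothetical claim names).
$email = [string]$Request.Body.email
if (-not $email) {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::BadRequest
        Body       = 'missing email claim'
    })
    return
}

# Placeholder for the real lookup; the policy maps this JSON property to an OutputClaim.
$loyaltyNumber = 'LN-' + ([BitConverter]::ToString(
    [Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::UTF8.GetBytes($email.ToLowerInvariant()))
) -replace '-', '').Substring(0, 8)

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Headers    = @{ 'Content-Type' = 'application/json' }
    Body       = (@{ loyaltyNumber = $loyaltyNumber } | ConvertTo-Json -Compress)
})
```

The endpoint must be HTTPS (B2C refuses plain HTTP), and the credentials should live in App Settings or Key Vault references, never in the policy XML in plain text. Client-certificate or bearer-token authentication from the linked article are the stronger options; the structure stays the same, only Test-BasicAuth changes.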
Right now we have multiple resources like storage accounts and key vaults where the team is using the firewall setting within the networking tab on the individual services. This means when their IP changes after a disconnect/connect to the company VPN they have to go into each service and add their new IP address.
Not being well versed in Azure networking possibilities, what are some of the options we have to allow a group of incoming IP addresses to be able to access all these services without having to individually touch each service to add their new IP address?
All services are also on the same virtual network.
Thank You
I used to work on Azure Cloud services as a DevOps engineer in the past.
There should be multiple ways to control incoming network traffic to your landing zone or Azure resources. But you should consider whether the solution meets your requirements.
Here are a few you could take a look at which I used:
Virtual network service endpoints
Azure Firewall
Network Security Groups
ExpressRoute
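Added example, not part of the answer above: the first option (service endpoints) combined with a single script that owns the allow-list for every storage account and key vault in a resource group, so a changed VPN egress address is edited in one place instead of in each service's Networking tab. Resource names (rg-app, vnet-app, snet-vpn) and the CIDRs are placeholders; it assumes the Az.Network, Az.Storage and Az.KeyVault modules and an existing `Connect-AzAccount` session.

```powershell
# Added example: one allow-list applied to all storage accounts and key vaults in a resource group.
# Hypothetical names; 203.0.113.0/24 and 198.51.100.7 are documentation ranges standing in for the
# VPN concentrator's egress addresses.
$ResourceGroup = 'rg-app'
$VnetName      = 'vnet-app'
$SubnetName    = 'snet-vpn'      # subnet that traffic arriving over the VPN gateway egresses from
$AllowedCidrs  = @('203.0.113.0/24', '198.51.100.7')

# 1. Service endpoints on the subnet. Traffic leaving this subnet reaches Storage/Key Vault carrying
#    the subnet's identity, so it is admitted by a VNet rule and no per-user IP rule is needed.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
    -AddressPrefix $subnet.AddressPrefix `
    -ServiceEndpoint 'Microsoft.Storage', 'Microsoft.KeyVault' | Set-AzVirtualNetwork | Out-Null
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName

# 2. Storage accounts. Add rules first, then flip the default to Deny, so nobody is locked out
#    in between. Storage rejects /31 and /32 prefixes: single hosts must be given as a bare address.
foreach ($sa in Get-AzStorageAccount -ResourceGroupName $ResourceGroup) {
    $name  = $sa.StorageAccountName
    $rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $name
    if ($rules.VirtualNetworkRules.VirtualNetworkResourceId -notcontains $subnet.Id) {
        Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup -Name $name `
            -VirtualNetworkResourceId $subnet.Id | Out-Null
    }
    foreach ($cidr in $AllowedCidrs) {
        $entry = $cidr -replace '/32$', ''
        if ($rules.IpRules.IPAddressOrRange -notcontains $entry) {
            Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup -Name $name `
                -IPAddressOrRange $entry | Out-Null
        }
    }
    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $name `
        -DefaultAction Deny -Bypass AzureServices | Out-Null
    "storage $name: default Deny, $($AllowedCidrs.Count) IP rule(s) + subnet $SubnetName"
}

# 3. Key vaults: same shape. Key Vault accepts both bare addresses and CIDR notation.
foreach ($kv in Get-AzKeyVault -ResourceGroupName $ResourceGroup) {
    $vault   = $kv.VaultName
    $current = (Get-AzKeyVault -VaultName $vault).NetworkAcls
    if ($current.VirtualNetworkResourceIds -notcontains $subnet.Id) {
        Add-AzKeyVaultNetworkRule -VaultName $vault -VirtualNetworkResourceId $subnet.Id | Out-Null
    }
    foreach ($cidr in $AllowedCidrs) {
        if ($current.IpAddressRanges -notcontains $cidr) {
            Add-AzKeyVaultNetworkRule -VaultName $vault -IpAddressRange $cidr | Out-Null
        }
    }
    Update-AzKeyVaultNetworkRuleSet -VaultName $vault -DefaultAction Deny -Bypass AzureServices | Out-Null
    "keyvault $vault: default Deny, $($AllowedCidrs.Count) IP rule(s) + subnet $SubnetName"
}
```

The VNet rule only helps if the users' traffic actually originates in the VNet (a point-to-site or site-to-site gateway, or a jump host in that subnet); people connecting straight from the public internet still need an IP rule, which is why the VPN's fixed egress address, not each client's address, is what goes in `$AllowedCidrs`. Keep the script in source control and run it from a pipeline, so the allow-list has one owner and a change history.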
If I am setting up an Azure SQL Database in a vnet which Azure App Service and Azure Function will access. Is using both Subnet Delegation and Service Endpoints the right way to go? I didn't fully understand the documentation.
Regarding subnet delegation, I read this Microsoft article and this stackoverflow post, which stated:
When you delegate a subnet to an Azure service, you allow that service to establish some basic network configuration rules for that subnet, which help the Azure service operate their instances in a stable manner.
That sounds like a good thing but makes me wonder how it worked efficiently w/o subnet delegation.
As for Service Endpoints, I read this Microsoft article, which states:
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
Does that mean I cannot reach the Azure SQL Database from my home machine w/a firewall rule?
They both sound like they have the same benefits and I'm struggling to understand the difference. I suppose the larger question is should I enable both for the simple architecture outlined above.
In the Microsoft service endpoints documentation they also mention:
Microsoft recommends use of Azure Private Link for secure and private access to services hosted on Azure platform. For more information, see Azure Private Link.
For some reason that seems like an Azure to on-premise thing.
• You cannot use a ‘Subnet Delegation’ along with a ‘Private endpoint’ since that subnet is delegated for the said service, in your case, the Azure SQL Database. Through a subnet delegation, you can define the NSG association for it, as well as associate multiple delegated subnets to a common NSG. You can also define the IP Address space for the delegated subnet, the route table association with it, the custom DNS entry configuration in Azure DNS as well as define the minimum number of IP Addresses available for that delegated subnet. Similarly, with regards to service endpoint, these stated functions are not available.
• In service endpoint, you do not have control over the routing mechanism as well as the IP address related allotment, reservation, or configuration. Also, managing DNS entries for the resources managed through them and controlling them through a firewall or NAT gateway isn’t required unlike a subnet delegation because all these things are managed by Microsoft Azure’s backbone network on your behalf.
Thus, both have their own features and specifications for enabling you to configure according to your own requirements.
Does that mean I cannot reach the Azure SQL Database from my home machine w/a firewall rule?
Yes, you will have to create a firewall rule to allow the access from on-premises system to Azure SQL Server/Database and configure the service endpoint accordingly to allow the VPN client IP Addresses for accessing the same over public internet.
Also, through Azure private link, you won’t be able to connect from on-premises to Azure as it uses a private IP address and a private DNS zone entry related to it to connect to Azure resources in the same virtual network.
To know more regarding the configuration of Azure service access from on-premises network, kindly refer to the below given link: -
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#secure-azure-service-access-from-on-premises
Also, refer to the below snapshots regarding the configuration and selection of service endpoint for a particular subnet: -
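Added example, not from the answer above: the concrete configuration for the simple architecture in the question, shown with the Az modules rather than the portal screenshots. It puts a delegation to Microsoft.Web/serverFarms on the subnet the App Service / Functions plan integrates with (the delegation belongs to the consumer side), enables the Microsoft.Sql service endpoint on that same subnet, adds a VNet rule on the logical SQL server, and then adds one narrow IP firewall rule for the home machine. Names (rg-app, vnet-app, snet-appsvc, sql-app-prod) and the address 203.0.113.45 are placeholders.

```powershell
# Added example: Azure SQL reached from App Service/Functions over a service endpoint, plus a
# single-address firewall rule for a developer machine. All names are hypothetical.
$ResourceGroup = 'rg-app'
$VnetName      = 'vnet-app'
$SubnetName    = 'snet-appsvc'     # subnet used for App Service regional VNet integration
$SqlServer     = 'sql-app-prod'    # logical server name, without .database.windows.net
$HomeIp        = '203.0.113.45'    # placeholder; use the address the home router actually egresses from

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName

# Delegation: App Service VNet integration requires the subnet to be delegated to
# Microsoft.Web/serverFarms. Service endpoint: Microsoft.Sql, so connections from this subnet
# reach the SQL server over the backbone and carry the subnet's identity.
$delegation = New-AzDelegation -Name 'appsvc' -ServiceName 'Microsoft.Web/serverFarms'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
    -AddressPrefix $subnet.AddressPrefix `
    -Delegation $delegation `
    -ServiceEndpoint 'Microsoft.Sql' | Set-AzVirtualNetwork | Out-Null
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName

# VNet rule on the logical server: the app is admitted by subnet, not by whatever public IP
# its worker happens to egress from (those change when the plan scales).
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $ResourceGroup -ServerName $SqlServer `
    -VirtualNetworkRuleName 'allow-appsvc-subnet' `
    -VirtualNetworkSubnetId $subnet.Id | Out-Null

# A service endpoint does not close the server's public endpoint, so the home machine still
# needs its own IP rule. One address, not a range, and delete it when no longer needed.
New-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServer `
    -FirewallRuleName 'home-dev' -StartIpAddress $HomeIp -EndIpAddress $HomeIp | Out-Null

# Review what is open. A 0.0.0.0-0.0.0.0 rule ("Allow Azure services") would admit any Azure
# tenant's VM, which is the same weakness the first thread on this page describes.
Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServer |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $ResourceGroup -ServerName $SqlServer |
    Select-Object VirtualNetworkRuleName, VirtualNetworkSubnetId
```

Regional VNet integration needs a Basic/Standard/Premium App Service plan or a Functions Premium (Elastic) plan; a Consumption-plan function has no subnet to integrate with and would have to be admitted by IP instead. If the requirement later becomes "no public endpoint at all", that is the Private Link / private endpoint path the documentation recommends, and it is configured separately from what is shown here.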
We are trying to set up Office 365 to send email from our Azure account.
Are our outbound IPs shared with other Azure users or not?
https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips
To find out if the outbound IPs that are shown in the properties area of my portal are shared with other users or do I have to buy a dedicated static IP address to make sure no one else is using them.
It seems that you refer to the outbound IP of a web service in Azure. Azure App Service is a multi-tenant service, except for App Service Environments. Apps that are not in an App Service Environment (not in the Isolated tier) share network infrastructure with other apps. So the IP addresses used for the web app may be shared with others.
Unless you use an App Service Environment (ASE) you cannot guarantee that the inbound or outbound IPs will change. However, you could control when the IP address will change. The set of outbound IP addresses for your app changes when you scale your app between the lower tiers (Basic, Standard, and Premium) and the Premium V2 tier. For more references, you could see Steve's answer here.
I have to restrict public access to my Azure App Service, hence I have implemented IP whitelisting in web.config. Is it required to whitelist the Azure datacenter IP ranges?
My app service uses Azure SQL, redis and search service.
Short answer to your question is no, you will not need to add Azure data center IP addresses for using Azure services. Only case where you need to add IP addresses to the allow list is when a service/application tries to access your web application and not the other way round.
Given your objective to restrict public access, you should definitely consider using the IP restrictions feature from the Azure Portal. Microsoft has improved this feature and it's better than having just the web.config <ipsecurity> configuration:
With Azure App Service IP restrictions, traffic will be blocked even before it reaches your IIS.
You can still continue to use your web.config configuration as it is.
Configuration effort is pretty minimal as it's all available through portal
Read more about it here
Azure App Service Static IP Restrictions
For a time, the IP Restrictions capability in the portal was a layer
on top of the ipSecurity capability in IIS. The current IP
Restrictions capability is different. You can still configure
ipSecurity within your application web.config but the front-end based
IP Restrictions rules will be applied before any traffic reaches IIS.
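Added example, not part of the answer above: the same front-end access restrictions set from PowerShell instead of the portal, with named allow rules, an allow rule keyed on a VNet subnet (service-endpoint based, so it does not depend on an address), an explicit catch-all deny, and the SCM/Kudu site brought under the same rules, which the portal does not do by default. Resource names (rg-app, web-app-prod, vnet-app/snet-front) and CIDRs are placeholders; it assumes Az.Websites and a signed-in session.

```powershell
# Added example: App Service access restrictions, applied before traffic reaches IIS.
# Hypothetical names and documentation-range CIDRs.
$ResourceGroup = 'rg-app'
$WebApp        = 'web-app-prod'
$AllowedCidrs  = [ordered]@{ 'office-hq' = '203.0.113.0/24'; 'vpn-egress' = '198.51.100.7/32' }

# Named IP allow rules. Priorities are spaced so rules can be slotted in later without renumbering.
$priority = 100
foreach ($rule in $AllowedCidrs.GetEnumerator()) {
    Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroup -WebAppName $WebApp `
        -Name $rule.Key -Priority $priority -Action Allow -IpAddress $rule.Value | Out-Null
    $priority += 10
}

# Subnet rule: admits traffic from a subnet that has the Microsoft.Web service endpoint enabled,
# by subnet identity rather than by public address (enable the endpoint on the subnet first).
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroup -WebAppName $WebApp `
    -Name 'front-subnet' -Priority 200 -Action Allow `
    -VirtualNetworkName 'vnet-app' -SubnetName 'snet-front' | Out-Null

# The platform denies everything not matched once any rule exists; an explicit deny for both
# address families makes that visible in reviews and in exported configuration.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroup -WebAppName $WebApp `
    -Name 'deny-all-v4' -Priority 65000 -Action Deny -IpAddress '0.0.0.0/0' | Out-Null
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroup -WebAppName $WebApp `
    -Name 'deny-all-v6' -Priority 65001 -Action Deny -IpAddress '::/0' | Out-Null

# The SCM site (<app>.scm.azurewebsites.net: Kudu, deployment endpoints) has its own rule set and
# stays open unless told to follow the main site's rules.
Update-AzWebAppAccessRestrictionConfig -ResourceGroupName $ResourceGroup -Name $WebApp `
    -ScmSiteUseMainSiteRestrictionConfig | Out-Null

# Verify the effective rule set for both sites.
$cfg = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $ResourceGroup -Name $WebApp
$cfg.MainSiteAccessRestrictions | Select-Object RuleName, Priority, Action, IpAddress, SubnetId
"SCM site follows main site rules: $($cfg.ScmSiteUseMainSiteRestrictionConfig)"
```

None of this requires adding Azure datacenter ranges: outbound calls from the app to Azure SQL, Redis or Search are the app's own connections and are not subject to these inbound rules. Keep the web.config <ipsecurity> block if you like as defence in depth, but treat the platform rules as the control that matters, since they act before the request reaches the worker.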
I was trying to provision users from on-premises AD to Azure AD using the Azure AD Connect agent. From my organization the firewall is blocking the provisioning. Can anyone please let me know the Azure AD IP addresses to raise the firewall request?
Referred the following url - https://learn.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-ports
You will find the information behind a link in the URL you posted:
https://support.office.com/en-us/article/office-365-urls-and-ip-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#bkmk_identity_ip
As soon as you open up the list of IP ranges, you will realize that the list is quite huge and it can change over time. That's why I suggest another approach instead of allowing outbound traffic to specific CIDR blocks or IP ranges.
Edit: this link leads directly to the expandable IP range list:
https://support.office.com/en-us/article/office-365-urls-and-ip-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#bkmk_identity_ip
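Added example, not from the answer above: because the list is large and changes, pull it from the Office 365 endpoints web service on each run instead of copying it from the page. The script extracts the required entries of the "Common" service area (which is where the Azure AD / login.microsoftonline.com identity endpoints that Azure AD Connect needs are published) and prints the FQDNs for a proxy allow-list, the IP ranges for a firewall, and the ports, plus the publication version so a later run can be diffed against it. It uses the public web service URL only; the GUID is the per-client request ID the service asks for.

```powershell
# Added example: fetch the current Microsoft 365 identity endpoints rather than hand-copying them.
# Endpoint web service: https://endpoints.office.com (worldwide instance). Nothing here is tenant-specific.
$ClientRequestId = [guid]::NewGuid().Guid
$base = 'https://endpoints.office.com'

# Each entry has: id, serviceArea, urls[], ips[], tcpPorts, udpPorts, category, required, notes.
$endpoints = Invoke-RestMethod -Method Get -Uri "$base/endpoints/worldwide?clientrequestid=$ClientRequestId"

# 'Common' carries the authentication/identity entries (login.microsoftonline.com, *.msappproxy.net, ...)
# alongside other shared services; required=$true drops optional features.
$identity = $endpoints | Where-Object { $_.serviceArea -eq 'Common' -and $_.required }

$fqdns = $identity | ForEach-Object { $_.urls }     | Where-Object { $_ } | Sort-Object -Unique
$ips   = $identity | ForEach-Object { $_.ips }      | Where-Object { $_ } | Sort-Object -Unique
$ports = $identity | ForEach-Object { $_.tcpPorts } | Where-Object { $_ } | Sort-Object -Unique

# Wildcard hosts (e.g. *.msappproxy.net) cannot be expressed as IP rules at all; they are the
# reason an FQDN-aware proxy or firewall is the workable control for this traffic.
$wildcards = $fqdns | Where-Object { $_ -like '*`**' }

"Required 'Common' FQDNs: $($fqdns.Count) (of which $($wildcards.Count) wildcards)"
$fqdns
"Required 'Common' IP ranges: $($ips.Count)"
$ips
"TCP ports: $($ports -join ', ')"

# Record the published version; compare on the next run to see whether anything moved.
$version = Invoke-RestMethod -Method Get -Uri "$base/version/worldwide?clientrequestid=$ClientRequestId"
"Endpoint list version: $($version.latest)"
$fqdns | Set-Content -Path "identity-fqdns-$($version.latest).txt"
$ips   | Set-Content -Path "identity-ips-$($version.latest).txt"
```

Scheduling this (and alerting when the version changes) turns a one-off firewall ticket into a maintained rule set; the Azure AD Connect server itself also needs the URLs listed in the ports-and-protocols page the question links, which the 'Common' filter covers for the identity part.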