I have an Azure App Service which uses an Azure container registry (SKU: Basic).
I would like to put in networking restrictions under the SCM portion.
Where can I find the Azure Container Registry IP range to whitelist?
If your organization has policies to allow access only to specific IP addresses or address ranges, download Azure IP Ranges and Service Tags – Public Cloud.
To find the ACR REST endpoint IP ranges, search for “AzureContainerRegistry” in the JSON file. You can also filter for specific regions.
Note: IP address ranges for Azure services can change, and updates are published weekly. Download the JSON file regularly, and make necessary updates in your access rules. If your scenario involves configuring network security group rules in an Azure virtual network or you use Azure Firewall, use the AzureContainerRegistry service tag instead.
For more details, you could refer to configure rules to access an Azure container registry behind a firewall.
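The search the answer describes, as an added example (not code from the original post): it pulls the AzureContainerRegistry prefixes out of the Service Tags JSON, optionally for one region, and diffs two weekly downloads so the access rules can be kept current. The top-level `values` / `name` / `properties.region` / `properties.addressPrefixes` layout is the published file's; the embedded sample is a constructed, abbreviated stand-in with documentation-range prefixes, not real Azure ranges.

```python
"""Extract AzureContainerRegistry address prefixes from the Azure IP Ranges and
Service Tags (Public Cloud) JSON and diff two weekly downloads."""
import json
from typing import Dict, List, Optional, Set

# Constructed samples in the shape of ServiceTags_Public_<date>.json.
# The prefixes are documentation ranges (RFC 5737), NOT real Azure ranges.
SAMPLE_WEEK1 = json.dumps({"changeNumber": 1, "cloud": "Public", "values": [
    {"name": "AzureContainerRegistry",
     "properties": {"region": "", "addressPrefixes": ["203.0.113.0/26", "198.51.100.0/25"]}},
    {"name": "AzureContainerRegistry.WestEurope",
     "properties": {"region": "westeurope", "addressPrefixes": ["203.0.113.0/26"]}},
    {"name": "Storage.WestEurope",
     "properties": {"region": "westeurope", "addressPrefixes": ["192.0.2.0/24"]}},
]})
SAMPLE_WEEK2 = json.dumps({"changeNumber": 2, "cloud": "Public", "values": [
    {"name": "AzureContainerRegistry",
     "properties": {"region": "", "addressPrefixes": ["203.0.113.0/26", "203.0.113.64/26"]}},
    {"name": "AzureContainerRegistry.WestEurope",
     "properties": {"region": "westeurope", "addressPrefixes": ["203.0.113.0/26"]}},
]})


def acr_prefixes(service_tags_json: str, region: Optional[str] = None) -> Set[str]:
    """Return the ACR prefixes: the global tag plus every regional tag
    ("AzureContainerRegistry.<Region>"), or only the tags for one region."""
    data = json.loads(service_tags_json)
    found: Set[str] = set()
    for tag in data["values"]:
        name = tag["name"]
        if name != "AzureContainerRegistry" and not name.startswith("AzureContainerRegistry."):
            continue
        props = tag["properties"]
        # Regional tags carry the region name; the global tag has an empty region.
        if region is not None and props.get("region", "").lower() != region.lower():
            continue
        found.update(props["addressPrefixes"])
    return found


def diff_prefixes(old_json: str, new_json: str, region: Optional[str] = None) -> Dict[str, List[str]]:
    """What to add to and remove from the SCM access restrictions after a new download."""
    old, new = acr_prefixes(old_json, region), acr_prefixes(new_json, region)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    print(sorted(acr_prefixes(SAMPLE_WEEK1, "westeurope")))
    print(diff_prefixes(SAMPLE_WEEK1, SAMPLE_WEEK2))
```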
Right now we have multiple resources like storage accounts and key vaults where the team is using the firewall setting within the networking tab on the individual services. This means when their IP address changes after a disconnect/connect to the company VPN they have to go into each service and add their new IP address.
Not being well versed in Azure networking possibilities, what are some of the options we have to allow a group of incoming IP addresses to be able to access all these services without having to individually touch each service to add their new IP address?
All services are also on the same virtual network.
Thank You
I used to work on Azure cloud services as a DevOps engineer in the past.
There should be multiple ways to control incoming network traffic to your landing zone or Azure resources, but you should make sure the solution meets your requirements.
Here are a few I have used that you could take a look at:
Virtual network service endpoints
Azure Firewall
Network Security Groups
ExpressRoute
If I am setting up an Azure SQL Database in a VNet that an Azure App Service and an Azure Function will access, is using both Subnet Delegation and Service Endpoints the right way to go? I didn't fully understand the documentation.
Regarding subnet delegation, I read this Microsoft article and this stackoverflow post, which stated:
When you delegate a subnet to an Azure service, you allow that service to establish some basic network configuration rules for that subnet, which help the Azure service operate their instances in a stable manner.
That sounds like a good thing but makes me wonder how it worked efficiently w/o subnet delegation.
As for Service Endpoints, I read this Microsoft article, which states:
Virtual Network (VNet) service endpoints provide secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
Does that mean I cannot reach the Azure SQL Database from my home machine with a firewall rule?
They both sound like they have the same benefits and I'm struggling to understand the difference. I suppose the larger question is should I enable both for the simple architecture outlined above.
In the Microsoft service endpoints documentation they also mention:
Microsoft recommends use of Azure Private Link for secure and private access to services hosted on Azure platform. For more information, see Azure Private Link.
For some reason that seems like an Azure to on-premise thing.
• You cannot use a ‘Subnet Delegation’ along with a ‘Private endpoint’ since that subnet is delegated for the said service, in your case, the Azure SQL Database. Through a subnet delegation, you can define the NSG association for it, as well as associate multiple delegated subnets to a common NSG. You can also define the IP address space for the delegated subnet, the route table association with it, the custom DNS entry configuration in Azure DNS, as well as define the minimum number of IP addresses available for that delegated subnet. Similarly, with regard to a service endpoint, these stated functions are not available.
• In a service endpoint, you do not have control over the routing mechanism as well as the IP address related allotment, reservation, or configuration. Also, managing DNS entries for the resources managed through them and controlling them through a firewall or NAT gateway isn’t required, unlike with a subnet delegation, because all these things are managed by Microsoft Azure’s backbone network on your behalf.
Thus, both have their own features and specifications for enabling you to configure according to your own requirements.
Does that mean I cannot reach the Azure SQL Database from my home machine with a firewall rule?
Yes, you will have to create a firewall rule to allow the access from on-premises system to Azure SQL Server/Database and configure the service endpoint accordingly to allow the VPN client IP Addresses for accessing the same over public internet.
Also, through Azure private link, you won’t be able to connect from on-premises to Azure as it uses a private IP address and a private DNS zone entry related to it to connect to Azure resources in the same virtual network.
To know more regarding the configuration of Azure service access from an on-premises network, refer to the link below:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#secure-azure-service-access-from-on-premises
Also, refer to the snapshots below regarding the configuration and selection of a service endpoint for a particular subnet:
I want to limit an Azure repository to some IP addresses, while other repositories will be open to different IP addresses. To do so, I tried:
1 – to find a setting in Azure DevOps to limit access to a repo to IP addresses – I could not find such a setting.
2 – to create a new organization in Azure DevOps, transfer the repo to that new organization, and find a setting in Azure DevOps to limit access to an organization to IP addresses – I could not find such a setting.
3 – to use Azure AD conditional access to limit access to Azure DevOps – it can be done for the entire Azure DevOps application, but not for a specific organization / repo.
4 – to create another Azure DevOps application in our subscription – I could not find how to do it.
Any idea what I need to do?
Limit access to an Azure DevOps repository to specific IP addresses
As we know, Azure DevOps Services is a cloud service, so we could directly restrict it to your IP address range with Azure DevOps settings.
To resolve this request, you could create your own Azure DevOps Server and set up a firewall on the server machine, so that only some specified IP addresses can access the Azure DevOps Server.
Besides, if you do not want to set up your own Azure DevOps Server, you could also try to use Azure AD's conditional access to prevent logins from certain geographies and address ranges.
You could check this guide Learn about Active Directory and Various Azure Services and this post for some more details.
I want to host a website with only HTML, CSS and JS files in the Azure cloud.
Seems like Azure Blob Static Website is a great option to host it for free if you have an Azure subscription.
Reference: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website
My question here is:
Is there any way to restrict the public IP addresses which can access the endpoint of the Azure Blob hosted Website?
Many of the Azure services provide this feature of IP filtering, but I did not find any way to do it for the above scenario.
Please guide me.
In the storage account, go to Settings → Firewalls and virtual networks.
Select the "Selected networks" radio button and then configure the firewall to allow the selected IP address ranges.
I am currently working with a client that requires access to all Azure resources to be locked down as much as possible, and I am having problems with the Storage Account that is utilised by our Azure Functions.
With the Firewalls and Virtual Networks blade in the portal set to "All Networks" I am able to deploy to the Function App and it runs without issue.
However, once I enable the access restriction by checking "Selected Networks", no matter what virtual network subnets or IP addresses I enter, I cannot get the communication to work.
I have entered the Outbound IP Addresses of our Consumption based Function App and also checked that the additional IP addresses from PowerShell have all been added to the whitelist. I have also added all the CIDR IP ranges of the local Azure datacenter, but again it does not work.
The problem we have is that once the access restrictions have been put into place we are unable to deploy to the Function App and the app no longer runs. Is this scenario supported, and what is the mechanism for tying down access to the Storage Account so that only the Function App can utilise it?
As far as I know, you have two options to restrict access to your storage account from your function app or web app.
Whitelist the outboundIpAddresses and possibleOutboundIpAddresses of the function app in the firewall of the storage account. However, it does not work if the Azure function app and Azure storage are located in the same region; refer to Sam's answer:
when you hit the storage account from your function, because they are in the same region as each other, all the traffic goes over the internal Azure network on internal IPs, not the public IPs listed in the web app, and so is not allowed over the firewall.
If your resources were in different regions, you could use the Networking section of the function app to allow the function app to access resources in a VNet, then enable the service endpoint for Microsoft.Storage in this app integration subnet. But you need the Azure Functions Premium plan; refer to this tutorial: integrate Functions with an Azure virtual network.
Sometimes, the deployment order for networking is important. In this case, you will deploy the following:
Firstly, you could deploy the new VNet integration with an unused subnet. After the VNet integration is completed and the function app is restarted, you could enable the service endpoint for this subnet. In the end, you could add the subnet in the firewall of the storage account.
Note that the new version is in Preview, currently. You could also check these characteristics and get more references from this thread.
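An added example (not code from the answers above) that audits the first option and flags the same-region trap Sam's answer describes: it checks every outbound IP of the function app against the storage account's firewall IP rules and, when both resources sit in the same region, says so, because then the public-IP rules cannot admit the traffic at all and the VNet-integration route is the one to take. The inputs mirror the `outboundIpAddresses` / `possibleOutboundIpAddresses` strings of a function app and the `networkRuleSet.ipRules` list of a storage account as the Azure CLI returns them, but the addresses and locations are constructed, not real.

```python
"""Audit a storage account firewall against a Function App's outbound IPs."""
import ipaddress
from typing import Dict, List


def storage_firewall_audit(function_app: Dict, storage_account: Dict) -> Dict:
    """Return the outbound IPs no firewall rule admits, whether the two resources
    share a region (public-IP rules do not help then: same-region traffic stays on
    Azure's internal network with internal IPs), and the matching recommendation."""
    rules = [ipaddress.ip_network(r["ipAddressOrRange"], strict=False)
             for r in storage_account["networkRuleSet"]["ipRules"]]
    # The ARM site properties expose both lists as comma-separated strings;
    # the firewall must cover the *possible* list, not just the current one.
    outbound = set()
    for key in ("outboundIpAddresses", "possibleOutboundIpAddresses"):
        outbound.update(ip.strip() for ip in function_app[key].split(",") if ip.strip())
    uncovered = sorted(ip for ip in outbound
                       if not any(ipaddress.ip_address(ip) in net for net in rules))
    # "West Europe" (function app) and "westeurope" (storage) name the same region.
    norm = lambda loc: loc.replace(" ", "").lower()
    same_region = norm(function_app["location"]) == norm(storage_account["location"])
    if same_region:
        advice = ("same region: IP rules cannot admit this traffic; use VNet integration "
                  "(Premium plan), enable the Microsoft.Storage service endpoint on the "
                  "integration subnet, then add that subnet to the storage firewall")
    elif uncovered:
        advice = f"add {len(uncovered)} missing outbound IP(s) to the storage firewall"
    else:
        advice = "all current and possible outbound IPs are covered"
    return {"uncovered_ips": uncovered, "same_region": same_region, "advice": advice}


# Constructed sample input (documentation-range addresses, not real resources).
FUNC_APP = {"location": "West Europe",
            "outboundIpAddresses": "203.0.113.10,203.0.113.11",
            "possibleOutboundIpAddresses": "203.0.113.10,203.0.113.11,203.0.113.12"}
STORAGE = {"location": "westeurope",
           "networkRuleSet": {"ipRules": [{"ipAddressOrRange": "203.0.113.0/28", "action": "Allow"}]}}

if __name__ == "__main__":
    print(storage_firewall_audit(FUNC_APP, STORAGE))
```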