Configuring an IP address for SagePay Direct when using Windows Azure - azure

I've entered the IP address from the Windows Azure Portal (both the one specified in the website Dashboard or within the Manage Domains area) but when trying to use SagePay Direct it returns that it is not a valid IP address.
I eventually solved this by doing a "showpost" for SagePay and then having them tell me what the IP address is.
The problem is - how can I determine this IP address for myself? As I worry that the IP address could change in the future.
If I use "Request.ServerVariables("LOCAL_ADDR")" (Classic ASP) it seems to return the local IP address of the webserver.

What if you create a script or something that just returns the visitor IP address and make a request, GET or POST, to that script from your server?

The IP Address that you see to use for your A records is not the outgoing IP Address used by Azure Websites. Hence why SagePay does not accept transactions from the website because it is an invalid IP Address.
Instead there are 4 IP Addresses that you need to add, and those 4 IP Addresses depend on what Scale Unit your site uses.
The scale unit for your site can be found from the FTP Host Name for your Azure website. For example: ftp://waws-prod-blu-011.ftp.azurewebsites.windows.net - the scale unit is 'waws-prod-blu-011'
I then put that into Google, and a couple of Azure maintenance articles came up. Scroll through the article until you see your region, and then your scale unit, and there are the 4 IP Addresses you need.
Please refer to this Azure maintenance article for more information.

Related

Azure Users Sign-ins shows proxy IP address instead of the real IP

I'm trying to find a way to display the real IPs of VMs a user has tried to sign in instead of the proxy's IP in the "Sign-ins" section of each user.
For example if user "max" tried to sign in to a vm that has the IP '10.0.0.1' then when I go to the Sign-ins section of user max it will show me that this user tried to log in at 10.0.0.1 and not at the proxy IP.
I don't think you can do that unless your VM connects directly to the Internet without any proxy. Also, in your example, the IP address 10.0.0.1 is a private address that does not route on the Internet.
Displaying the IP address depends somewhat on the networking environment where your VMs are. In the Sign-in activity reports in the Azure Active Directory portal, Azure currently makes a best effort to convert the IP address to the physical location where the computer is located, as mapping IP addresses is complicated by the fact that mobile providers and VPNs issue IP addresses from central pools that are often very far from where the client device is actually used.
IP addresses are issued in such a way that there is no definitive
connection between an IP address and where the computer with that
address is physically located. Mapping IP addresses is complicated by
the fact that mobile providers and VPNs issue IP addresses from
central pools that are often very far from where the client device is
actually used. Currently in Azure AD reports, converting IP address to
a physical location is a best effort based on traces, registry data,
reverse look ups and other information.

Does azure use static ip on a standard 1 app service plan

Have one app service plan (standard 1 pricing tier) with only one web app. From what I understand I have a static ip based on this configuration / price. So when I do an nslookup on my web site and get an ip back, that ip is static correct? Just needed verification. TIA.
So when I do an nslookup on my web site and get an ip back, that ip is static correct? Just needed verification
Every Azure Web App has 1 external IP address and multiple outbound addresses. What you saw from nslookup is the external IP address.
The external IP address (inbound address) is used for domain binding (A record binding). If you want to bind your custom domain, please use the external IP address. You can find the external IP address in the Azure portal: Web App -> Custom Domains tab.
From the official document, we know:
If you delete and recreate your app, or change from a higher pricing tier back to the Shared tier, your app's external IP address may change. Otherwise, the external IP address won't be changed.
Traffic coming from your web app will use one of the outbound addresses as its IP address. There is no agreement on when the outbound IP address will change or not. They will not change from 1 day to the next, nor is there any plan or real need to change them.
Will there be some type of notification from Azure when the outbounds do change?
There is no official document which points this out. I found the following words on the MSDN forum. I hope they are helpful to you.
It becomes necessary for Azure infrastructure to increase the number of outbound IP addresses. In that case the existing IP addresses will be preserved but there will be some new ones. So far there hasn't been a need to increase number of IP addresses and if there ever be the need for that there will be an early notice about it.
The Web App gets relocated to a different scale unit. Prior to that the subscription owner gets an email notification one month in advance.
From: Static outbound IP addresses for Azure Web Apps?
I'm pretty sure you are assigned 4 external IP addresses, so at the very least there are 4 ip addresses you need to consider static, but from what I can tell they are subject to change (that's how it previously was, I'm not sure if it holds now).
Also, remember that those are shared, so whitelisting those is potentially dangerous.

Find the virtual IP address of a Shared Web App

I am trying to connect my custom domain (in my case it's through Godaddy) to my Azure web app.
I have followed all the steps but I am missing the web app IP address to complete the process.
The tutorial found in Azure says:
To create an A record, you need the virtual IP address of your web app. To get the IP address:
1. In your browser, open the Azure Portal.
2. Click the Browse option on the left side of the page.
3. Click the Web Apps blade.
4. Click the name of your web app.
5. In the Essentials page, click All settings.
6. Click Custom domains and SSL.
7. In the Custom domains and SSL blade, click "Bring External Domains". The IP address is located at the bottom of this part.
...everything works well until the last step (#7). I see no "Bring external domains", nor any IP address.
Under "Properties", there is a section OUTBOUND IP ADDRESSES, that contains 4 IPs. None of them seems to redirect to my site (http://educa03.azurewebsites.net/).
How can I find this IP address needed for the A record?
At some point it seems that a bug crept in that has made the incoming IP address disappear from that page.
If you are on a plan that supports domain names, then the best way to find your external IP address is to ping it.
e:\PS>ping educa03.azurewebsites.net
Pinging waws-prod-am2-051.cloudapp.net [104.47.137.62] with 32 bytes of data:
So in this case your external IP address, that you can put in A records, is 104.47.137.62
Any chance you're using a free tier app? If so, you need to upgrade to at least "Shared" to map the custom domain.

Azure Website Reserved IP

I've been trying to find an answer to this for a few days.
I want to host a new azure website in either the Basic tier or Standard tier.
The site will be calling a third party service.
I need to give this service provider an IP address that they will whitelist.
So when the new azure website makes requests to this service the IP address for the request needs to always be the same, as this will be the IP whitelisted.
I read that Azure offers "Reserved IPs" for cloud services and VMs but I wanted to know if something similar can be done with Azure Websites as I really don't want to go with cloud/VM.
My knowledge of networking is limited but as I understand it, if I were to get an IP SSL cert and apply that to my Azure Website then the website would have a static IP address.
If that is the case, would any requests to the third party service be hitting the service providers external firewall with this same static IP?
Thanks for any advice people can give.
An SSL cert with Web Sites will be tied to an inbound IP address. However, Web Sites does not provide a static outbound IP address.
If you need a static IP address to align with 3rd-party services, you'd need to have something residing in Azure (e.g. Application tier) running in a cloud service / VM that your web site accesses, and then have that app tier (with static IP address) communicate with your 3rd-party services.
As David Makogon's answer points out, applying an IP-based SSL certificate only gives the website a static inbound IP address.
However, the outbound IP address a website uses when making outbound network calls can be determined based on where your website is hosted. Microsoft has a list of these IP addresses here. The third-party service would have to whitelist all of the IP addresses used by the scale unit your website is hosted in (e.g. waws-prod-am2-005).
Correct me if I am wrong, but the information shared by Brant Bobby above shows that, in fact:
All Azure websites (/Web Apps) already have a discoverable and published outgoing IP address.
This outgoing IP address will never be unique to their own site however. So one must keep in mind if they use it for a white-list, it will be allowing in a lot of other Azure visitors hosted on the same scale unit.
Simply get the so-called "scale unit" name for your site, which is the same as what's given in your site's FTP address (and so forth), which is in the format: "waws-prod-[3LetterVar]-[3DigitNum]", e.g. waws-prod-blu-007.
As an example from that article, all the East US region Azure websites can find the four IP addresses their site may rely on as follows (so if white-listing, all 4 should be white-listed):
East US Region
Outbound IP addresses for each scale unit, currently 4 for each. They said they may add more IPs to each scale unit in the future, but these should not change.
waws-prod-blu-001: 168.62.48.13, 168.62.48.19, 168.62.48.33, 168.62.48.122
waws-prod-blu-003: 137.117.81.128, 137.117.81.142, 137.117.81.181, 137.117.81.82
waws-prod-blu-005: 137.117.80.189, 137.117.81.52, 137.117.81.90, 137.117.80.178
waws-prod-blu-007: 23.96.33.205, 23.96.34.196, 23.96.35.20, 23.96.36.229
waws-prod-blu-009: 23.96.97.203, 23.96.97.233, 23.96.97.235, 23.96.97.238
waws-prod-blu-011: 23.96.112.60, 23.96.112.117, 23.96.112.152, 23.96.112.15
waws-prod-blu-013: 191.238.8.154, 191.238.9.80, 191.238.9.94, 191.238.9.170
waws-prod-blu-015: 191.236.19.222, 191.236.19.242, 191.236.21.165, 191.236.18.160
waws-prod-blu-017: 191.238.32.104, 191.238.32.154, 191.238.34.67, 191.238.35.12
waws-prod-blu-019: 104.45.138.197, 104.45.142.87, 104.45.128.144, 104.45.142.131
waws-prod-blu-021: 191.237.24.189, 191.237.30.36, 191.237.26.164, 191.237.28.161
waws-prod-blu-023: 191.236.50.206, 191.237.30.215, 191.237.25.148, 191.237.22.195
waws-prod-blu-025: 191.237.31.86, 191.237.26.176, 191.237.20.70, 191.237.18.239
Azure now supports having static outbound IP address as well.
https://azure.microsoft.com/en-us/documentation/articles/app-service-app-service-environment-intro/
If we do not want to go for the costlier App Service Environment setup, we can directly use the outbound IP addresses mentioned in the Azure portal in the Properties section; Azure assures that they remain 99.9% static. Nothing really changes until there are some changes data center wide. Moreover, the reserved IP that we use in IaaS is also not 100% reserved for us, and Azure provides an SLA of 99.9% here as well. So, in my opinion, instead of going for ASE or hosting IaaS and using a reserved IP, we can just use the outbound IPs provided by Azure, since we get the same reliability in both cases.

How to configure my Azure VM Endpoint ACL to allow connection from my Azure Webjob on the same portal

I have a WebJob on an Azure Website that needs to connect to a VM Endpoint to make REST calls.
My Endpoint is configured to deny all except my company's IP range. Now what rule would I need to add or url should I use so my webjob can connect to the endpoint?
I have tried the following without success:
Allow my website virtual IP address in the ACL
Connect to the endpoint using the internal IP instead of the DNS without changing the ACL
Connect to the endpoint using the public virtual IP instead of the DNS without changing the ACL
This works but is not what I am looking for:
Remove the current ACL and allow all
Keep the ACL but add a /16 rule with my website IP
Thank you for your help, and let me know if you need precision!
I need the same thing but it seems as though it is not possible right now. Looking at this answer on a related question:
Azure Web Sites do not have dedicated outbound IP addresses for each
deployment. This precludes you from using ACLs or Virtual Networks to
connect to your Redis / Solr virtual machines.
So even though you can have a (reasonably) fixed incoming IP address on Azure Websites, the outgoing address is highly unpredictable and as far as I can see, the only exclusion that you could make was to restrict it to the entire range of IP addresses for that data centre which is far from ideal.
A solution moving forward will be to connect your Azure Website and the VM on the same Virtual Network. As of my writing this it is still in Preview so it still is not ready for production use just yet.
Here is more information on it: http://azure.microsoft.com/blog/2014/09/15/azure-websites-virtual-network-integration/
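
A defensive check for the allowlisting discussed in the threads above (every outbound IP of the scale unit must be allowed, and a /16 rule works but admits far more than the app needs), added here as an example and not code from any of the posts. The function name, the `max_hosts` threshold and the sample addresses (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress

def audit_allowlist(outbound_ips, allow_rules, max_hosts=16):
    """Compare a web app's outbound IPs with a firewall/ACL allowlist.

    outbound_ips: addresses the app may send from (all of them must be allowed).
    allow_rules:  allowlist entries, single IPs or CIDR blocks.
    max_hosts:    assumed policy limit on addresses a single rule may admit.
    """
    needed = {ipaddress.ip_address(ip.strip()) for ip in outbound_ips}
    rules = [ipaddress.ip_network(r.strip(), strict=False) for r in allow_rules]

    # Outbound addresses that no rule covers: calls from these get rejected.
    missing = sorted(str(ip) for ip in needed if not any(ip in n for n in rules))
    # Rules matching none of the current outbound addresses: leftover access.
    stale = [str(n) for n in rules if not any(ip in n for ip in needed)]
    # Rules admitting far more addresses than the app uses (e.g. a /16).
    broad = [str(n) for n in rules if n.num_addresses > max_hosts]
    # Total distinct addresses admitted, merging overlaps per IP version.
    admitted = sum(
        n.num_addresses
        for v in (4, 6)
        for n in ipaddress.collapse_addresses([r for r in rules if r.version == v])
    )
    covered = len(needed) - len(missing)
    return {"missing": missing, "stale": stale, "broad": broad,
            "excess": admitted - covered}

# Constructed sample: four outbound IPs as listed for an app, and an ACL
# that contains one exact entry, one /16 rule and one leftover entry.
SAMPLE_OUTBOUND = "203.0.113.10,203.0.113.11,198.51.100.20,198.51.100.21".split(",")
SAMPLE_RULES = ["203.0.0.0/16", "198.51.100.20", "192.0.2.5"]

if __name__ == "__main__":
    for key, value in audit_allowlist(SAMPLE_OUTBOUND, SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

The `excess` figure counts addresses the ACL admits beyond the app's own covered outbound IPs; since those outbound IPs are shared across a scale unit, even a zero here does not mean only your site is admitted.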
