Using the Azure IP Service Tag API

2019, Sep 06    

Microsoft provides a list of IP addresses for the Azure datacenters and, more recently, the specific services each range applies to. Historically this has been an XML file provided as a download. It's easy to see why an API serving this data is useful when IP addresses change: automation is fundamental to most cloud implementations, and updating a firewall with new IP ranges is one of the valid scenarios.

Several unofficial APIs have been created which serve up the XML file content. However, the XML file is now due to be deprecated: https://azure.microsoft.com/en-us/updates/azure-datacenter-ip-ranges-xml-files-to-be-deprecated/

The new official API is located here: https://docs.microsoft.com/en-us/rest/api/virtualnetwork/servicetags/list

Here's an example of consuming the API with Bash (Azure CLI, curl and jq are required).

# Region to query and the subscription whose context the ARM call runs under
LOC="uksouth"
SUBID=$(az account show -s 'gobyers-int' -o tsv --query 'id')
# Short-lived bearer token for https://management.azure.com from the current az login
ACCESS_TOKEN=$(az account get-access-token -o tsv --query 'accessToken')
# Quoted so the '?' in the query string is never treated as a shell glob
IP_URL="https://management.azure.com/subscriptions/$SUBID/providers/Microsoft.Network/locations/$LOC/serviceTags?api-version=2019-06-01"
IP_JSON_PATH="/mnt/c/Temp/ServiceTagIP-$(date +%F).json"
# --fail stops an HTTP error body (e.g. an expired token) being saved and parsed as if it were the tag list
curl --fail --silent --show-error --header "Authorization: Bearer $ACCESS_TOKEN" "$IP_URL" -o "$IP_JSON_PATH"
# Select the tags for the requested region and emit one prefix per line; -r already strips the JSON quotes
LOC_IP_LIST=$(jq -r --arg LOC "$LOC" '.values[].properties | select(.region==$LOC) | .addressPrefixes[]' "$IP_JSON_PATH")

Once you have the IP list in a variable you can start doing some cool stuff with other scripting.
Make sure to use Service Tags where possible for services like Azure Firewall, though, and don't just default to IP lists. 🙂
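One piece of follow-on scripting that matters when the ranges change is working out what actually moved between two dated snapshot files before touching a firewall. The example below is added here and is not code from the post; it uses Python rather than Bash so the diff can be tested offline, and the two snapshots are constructed samples in the shape the post's jq path assumes (values[].properties.region / systemService / addressPrefixes), using RFC 5737 documentation ranges rather than real Azure prefixes.

```python
"""Filter and diff Azure Service Tag snapshots (added example, not from the post)."""
import json
import ipaddress

# Constructed sample payloads shaped like the Service Tags API response.
# Prefixes are RFC 5737 documentation ranges, not real Azure ranges.
OLD_SNAPSHOT = json.dumps({"cloud": "Public", "values": [
    {"name": "Storage.UKSouth", "properties": {"region": "uksouth",
        "systemService": "AzureStorage",
        "addressPrefixes": ["203.0.113.0/24", "198.51.100.0/25"]}},
    {"name": "Sql.UKSouth", "properties": {"region": "uksouth",
        "systemService": "AzureSQL", "addressPrefixes": ["198.51.100.128/25"]}},
    {"name": "Storage.UKWest", "properties": {"region": "ukwest",
        "systemService": "AzureStorage", "addressPrefixes": ["192.0.2.128/25"]}},
]})
NEW_SNAPSHOT = json.dumps({"cloud": "Public", "values": [
    {"name": "Storage.UKSouth", "properties": {"region": "uksouth",
        "systemService": "AzureStorage",
        "addressPrefixes": ["203.0.113.0/24", "192.0.2.0/25"]}},
    {"name": "Sql.UKSouth", "properties": {"region": "uksouth",
        "systemService": "AzureSQL", "addressPrefixes": ["198.51.100.128/25"]}},
]})


def prefixes_for(snapshot_json, region, system_service=None):
    """Return the set of prefixes for one region (optionally one systemService),
    the same selection the post's jq filter performs, with each prefix validated."""
    out = set()
    for tag in json.loads(snapshot_json)["values"]:
        props = tag["properties"]
        if props.get("region") != region:
            continue
        if system_service and props.get("systemService") != system_service:
            continue
        for prefix in props.get("addressPrefixes", []):
            # strict=True rejects a prefix with host bits set, so a malformed
            # entry raises instead of silently widening a firewall rule.
            out.add(str(ipaddress.ip_network(prefix, strict=True)))
    return out


def diff_prefixes(old_json, new_json, region, system_service=None):
    """Prefixes to add to and remove from a rule set between two dated
    snapshots, e.g. yesterday's and today's ServiceTagIP-*.json files."""
    old = prefixes_for(old_json, region, system_service)
    new = prefixes_for(new_json, region, system_service)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    print(json.dumps(diff_prefixes(OLD_SNAPSHOT, NEW_SNAPSHOT, "uksouth"), indent=2))
```

Point the two arguments at the contents of two files written by the curl step above to get the per-region change set; pass a systemService such as "AzureStorage" to narrow it to one tag.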