Let’s say you have an Azure Logic App which needs to access resources on a client’s on-premise network, and the administrator of that third-party network will only allow specific IP addresses or ranges through their firewall (a perfectly reasonable request). How do you accomplish this?
Let’s consider a couple of scenarios:
You have a single Azure Logic App trying to access an on-premise client network, and the client’s IT department will only allow access for a limited number of IP addresses: under the Properties section of the Web app in the Azure portal, copy the comma-separated list of Outbound IP Addresses and provide this list to your client’s IT department so they can allow that inbound traffic on their local network firewall.
You have a whole bunch of Azure Logic Apps that could potentially send traffic into your client’s on-premise network, and the client’s IT department is cooperative, i.e. they will allow you to specify a set of IP address ranges in CIDR notation:
- Figure out which datacenter(s) your Azure Logic Apps are located in, e.g. US East, US East 2, and so on.
- Download the list of Microsoft Azure Datacenter IP Ranges (published as an XML file).
- The XML file lists each IP Range Subnet in CIDR format, grouped by datacenter.
- Obtain all IP ranges for that datacenter. For instance, my web app in Scenario 1 was located in US South Central, and I found its IP range (circled in red) in the XML file under USSouth.
- If needed (e.g. the firewall does not accept CIDR notation), convert each CIDR subnet to a first/last IP address range.
- Provide these IP ranges to the client’s IT department so they can configure their on-premise network firewall accordingly.
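The steps above can be scripted so the list handed to the client is reproducible and so you can confirm that the Outbound IP Addresses from Scenario 1 actually fall inside the published ranges for the region before asking anyone to open a firewall. The following is an added example, not code from the original post: it embeds a small constructed XML document in the shape the post describes (a region element containing IP Range Subnet entries), extracts the CIDR subnets for one region, converts them to first/last address pairs, and reports any outbound IP that the region list does not cover. The element and attribute names (`Region`, `Name`, `IpRange`, `Subnet`) are assumed from the post’s wording, and the addresses are documentation ranges, not real Azure ranges.

```python
"""Parse an Azure Datacenter IP Ranges style XML file, pull the CIDR subnets for one
region, convert them to first/last address ranges, and check that a list of outbound
IPs is covered by them.

SAMPLE_XML is CONSTRUCTED data in the assumed shape of the published file:
<Region Name="..."><IpRange Subnet="a.b.c.d/n"/></Region>. The element/attribute names
are an assumption based on the post, and the subnets are RFC 5737 documentation ranges.
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<AzurePublicIpAddresses>
  <Region Name="ussouth">
    <IpRange Subnet="203.0.113.0/24" />
    <IpRange Subnet="198.51.100.64/27" />
  </Region>
  <Region Name="useast">
    <IpRange Subnet="192.0.2.0/25" />
  </Region>
</AzurePublicIpAddresses>
"""


def region_subnets(xml_text, region_name):
    """Return the CIDR subnets listed under one region (case-insensitive name match).

    strict=True makes ipaddress raise on a malformed entry (host bits set) rather than
    silently widening it, which is what you want before sending ranges to a firewall team.
    """
    root = ET.fromstring(xml_text)
    wanted = region_name.lower()
    subnets = []
    for region in root.iter("Region"):
        if region.get("Name", "").lower() == wanted:
            for ip_range in region.iter("IpRange"):
                subnets.append(ipaddress.ip_network(ip_range.get("Subnet"), strict=True))
    return subnets


def cidr_to_range(network):
    """Convert a network to (first, last) address strings for firewalls that cannot take CIDR."""
    return str(network.network_address), str(network.broadcast_address)


def check_outbound_ips(outbound_csv, subnets):
    """Split the comma-separated Outbound IP Addresses string and return those NOT covered
    by any of the given subnets. An empty list means the region ranges are sufficient."""
    uncovered = []
    for raw in outbound_csv.split(","):
        ip = ipaddress.ip_address(raw.strip())
        if not any(ip in net for net in subnets):
            uncovered.append(str(ip))
    return uncovered


if __name__ == "__main__":
    nets = region_subnets(SAMPLE_XML, "USSouth")
    for net in nets:
        first, last = cidr_to_range(net)
        print(f"{net}  ->  {first} - {last}")
    # Constructed Outbound IP Addresses string; the second address sits outside the region.
    missing = check_outbound_ips("203.0.113.17, 192.0.2.9", nets)
    print("outbound IPs not covered by the region list:", missing)
```

Run it against the real download by replacing `SAMPLE_XML` with the file contents and `"USSouth"` with the region you identified in step 1; anything reported as uncovered means either the app lives in a different region than you assumed or the downloaded file is stale, and both are worth resolving before the client opens their firewall.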
Note: while this post is restricted to Azure Logic Apps (for the sake of simplicity), the same approach works for most Azure services, including Web Apps, Functions, and so on.
If you liked this post, please share it on social media and follow me on Twitter @_s_hari