How to Find Azure IP Ranges (And Keep Them Up to Date)

Bill Kindle

Read more posts by this author.

Azure IP ranges and service tags for the public and gov clouds are updated weekly. Knowing these ranges and tags is crucial for identifying and working with services in Azure. Luckily, Microsoft makes this data available as a single, large JSON file for both clouds. When that happens, you can use tooling to discover this information programmatically.

In this article, you’re going to learn:

  • Where to find the Azure IP range JSON files online.
  • How to extract the Azure IP range and service tag info using JSON and PowerShell.
  • How to use the Get-AzNetworkServiceTag PowerShell cmdlet to find current service tags.

Ready to explore Azure IP ranges and service tags you need to know? If so, keep reading!

Prerequisites

To find the latest Azure IP ranges, you’ll be using PowerShell in this article so be sure you have the following requirements met:

  1. The latest Az PowerShell module (5.1.0 at the time of this writing) by running Install-Module -Name Az.
  2. PowerShell 7.1+ because of improvements made to JSON cmdlets or you could use the Azure Cloud Shell.

Related: Upgrading to PowerShell 7, Connect-AzAccount: Your Gateway to Azure with PowerShell

Finding Azure IP Ranges with JSON

Microsoft offers a list of all Azure IP ranges and services tags via two JSON files; one for the public cloud and one for the US government cloud (assuming you’re in the US) and one for the public cloud.

If you simply want to quickly find the Azure IP ranges and service tags, you could just download the JSON files and inspect them manually. But these IP ranges change frequently so it’s a much better idea to get a script to download and parse this information regularly.

To save you some time, you will find a PowerShell script below. This PowerShell script will download both the Azure Government and public cloud JSON files, parse them and return a couple of objects which you can then work with.

Create a file called Get-AzureIPRange.ps1 or something similar, copy and paste the below code into it and run the script in a PowerShell console.

## Define each URI for each JSON file. These URI's change weekly so be sure to update them otherwise you will have potentially outdated info!
 $jsonFileUris = @(
     'https://download.microsoft.com/download/6/4/D/64DB03BF-895B-4173-A8B1-BA4AD5D4DF22/ServiceTags_AzureGovernment_20201214.json'
     'https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20201214.json'
 )
 foreach ($uri in $jsonFileUris) {
     $jsonFileName = "$($uri.split('/')[-1]).json"
 ## Download the JSON file $null = Invoke-WebRequest -Uri $uri -OutFile $jsonFileName ## Parse the JSON to create an object
 $json = Get-Content -LiteralPath $jsonFileName -Raw | ConvertFrom-Json
 ## Return the PowerShell object [pscustomobject]@{     'Cloud' = $json.cloud     'Values' = $json.values.properties } ## Remove the temporary JSON file Remove-Item -Path $jsonFileName
 }

Running the script above (.\Get-AzureIPRange.ps1), you will see output like below. Notice that the IP ranges are defined with the addressPrefixes property for each region and systemService.

Azure IP Ranges with JSON
Azure IP Ranges with JSON

Related: Wrangling REST APIs with JSON and PowerShell

If you’d like to learn more information about what each of the attributes returned means, check out the Microsoft Regions and Availability Zones in Azure and the Products Available by Region pages.

Now that you know how to discover Azure IP ranges via JSON files, let’s now discover how to perform a similar task using the Az PowerShell module cmdlets!

Finding Azure IP Ranges with the Get-AzNetworkServiceTag Cmdlet

In the last section, you learned how to discover all the ranges you need to know using the publicly available JSON file from Microsoft. But you do not have to download and ingest a JSON file if you don’t want to. The same data can be obtained using the Az module’s Get-AzNetworkServiceTag cmdlet!

While in the Azure Cloud Shell or at your PowerShell console, run the following command.

Get-AzNetworkServiceTag -Location eastus2

Below you will see an example of assigning the output to a variable and then inspecting the Values property like in the previous section.

Azure Service Tags using Get-AzNetworkServiceTag cmdlet
Azure Service Tags using Get-AzNetworkServiceTag cmdlet

As an honorable mention, you can also find ranges via the Azure Virtual Network API; specifically, the Service Tags list call. If you’d like to learn more about this method, check out the Service Tags documentation.

Next Steps

In this article, you’ve learned how you can find all the Azure IP ranges you need to know with PowerShell.

Now see if you can improve the code shown in this article and build a better solution!

Subscribe to Stay in Touch

Never miss out on your favorite ATA posts and our latest announcements!

Looks like you're offline!