Get Azure IP Ranges for Your Cloud Management Gateway

April 15, 2020

Update 4/16/2020: I want to be clear that the IP address ranges for Azure can and will change, and any of the published address ranges could be in use. The below should only be used in the rare case where the team managing the VPN refuses to add the entire MSFT IP space to the split tunnel configuration, cannot or will not use FQDN based split tunneling, and the VPN is under stress due to the amount of traffic. The best answer when a VPN is required is to get to FQDN based split tunneling.

Rob York recently published a great blog post on managing patches with Configuration Manager in our new remote work world. One of the options listed, although the least desirable, was for those customers that cannot use FQDN based split tunneling.

Microsoft does not publish IP ranges for Microsoft Update. For those customers limited to IP Ranges for split tunneling that means they cannot keep their endpoints from crossing the VPN for update binaries whether the endpoints are trying to download from an on-prem DP or directly from Microsoft Update. The solution is to publish update binaries to your content enabled CMG or a CDP and use the Azure IP ranges for split tunneling. This technique will incur a cost and you can read about that in Rob’s blog post.

Where I can add to the conversation is filtering the list of Azure IP ranges, which is a bit overwhelming unfiltered. The public cloud json file is 40k lines long! Good luck convincing your network team to add all of it to the split tunnel configuration. Instead, you can use this short script to pull just what you need from the list: only 59 lines for CentralUS.

Start by downloading the correct json file for your area. Since these files are updated weekly, and the file name changes with each update, I was not able to add the download to the script.

Public: https://www.microsoft.com/en-us/download/details.aspx?id=56519
US Gov: http://www.microsoft.com/en-us/download/details.aspx?id=57063
Germany: http://www.microsoft.com/en-us/download/details.aspx?id=57064
China: http://www.microsoft.com/en-us/download/details.aspx?id=57062

Now you will need to know what region you want. You can look at the json file to find what you need or reference the list at the bottom of this post. In my case I used “CentralUS” for the Central US region.

If you run the script with the region and json path parameters, you will get back all Azure IP ranges specific to the region you entered. In my case, this was 621 ranges. If you add the -CMG parameter with the FQDN of your CMG, the results are limited to AzureStorage, which for East US, is just 59, and the script adds a /32 range for the resolved IP of your CMG. I cannot be certain those are the only services you’ll need but I am comfortable saying they should be, although I have been wrong before.

You now have a much more manageable list to provide your network team. Remember that the published ranges can change, so you may want to put this on your monthly or quarterly task list. Also, keep after the network team to enable FQDN based split tunneling so you no longer need to worry about keeping the list updated or about the cost of endpoints having to download updates from your CMG/CDP. I’d predict a couple of months of paying to download from the CMG/CDP and the tone of the conversation will change.

If you start experiencing issues, the first item I’d check is the latest IP range list update.
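As an added example that is not from the original post or from Microsoft, the PowerShell below covers the three things a practitioner ends up doing around the script: filtering a ServiceTags file by region and system service (the same case-insensitive matching the script uses), diffing the AzureStorage prefixes between two downloads so the network team only gets the delta, and checking that a CMG address actually sits inside one of the listed prefixes before blaming the VPN. Both JSON documents, every prefix and the CMG address are constructed sample data in the ServiceTags schema, not real Azure ranges, and the function names are my own.

```powershell
# Added example (not from the post or from Microsoft). Both JSON documents are
# constructed sample data in the ServiceTags schema, not real Azure ranges.

$oldJson = @'
{ "changeNumber": 1, "cloud": "Public", "values": [
  { "name": "Storage.CentralUS", "properties": { "region": "centralus",
      "systemService": "AzureStorage",
      "addressPrefixes": [ "203.0.113.0/24", "198.51.100.0/25" ] } },
  { "name": "Sql.CentralUS", "properties": { "region": "CentralUS",
      "systemService": "AzureSQL", "addressPrefixes": [ "192.0.2.0/26" ] } },
  { "name": "Storage.EastUS", "properties": { "region": "eastus",
      "systemService": "AzureStorage", "addressPrefixes": [ "198.51.100.128/25" ] } }
] }
'@

$newJson = @'
{ "changeNumber": 2, "cloud": "Public", "values": [
  { "name": "Storage.CentralUS", "properties": { "region": "centralus",
      "systemService": "AzureStorage",
      "addressPrefixes": [ "203.0.113.0/24", "198.51.100.0/26", "192.0.2.128/25" ] } },
  { "name": "Sql.CentralUS", "properties": { "region": "CentralUS",
      "systemService": "AzureSQL", "addressPrefixes": [ "192.0.2.0/26" ] } }
] }
'@

function Get-RegionPrefixes {
    # One object per prefix, like the post's script. -eq is case-insensitive,
    # so "centralus" and "CentralUS" both match -Region 'CentralUS'.
    param(
        [Parameter(Mandatory)][string]$JsonText,
        [Parameter(Mandatory)][string]$Region,
        [string]$SystemService
    )
    foreach ($entry in (ConvertFrom-Json -InputObject $JsonText).values) {
        $p = $entry.properties
        if ($p.region -ne $Region) { continue }
        if ($SystemService -and $p.systemService -ne $SystemService) { continue }
        foreach ($prefix in $p.addressPrefixes) {
            [pscustomobject]@{
                Region        = $p.region
                SystemService = $p.systemService
                AddressPrefix = $prefix
            }
        }
    }
}

function Compare-PrefixLists {
    # What the network team needs after a new file is published: only the delta
    param([string[]]$Old, [string[]]$New)
    [pscustomobject]@{
        Added   = @($New | Where-Object { $_ -notin $Old })
        Removed = @($Old | Where-Object { $_ -notin $New })
    }
}

function ConvertTo-IPv4Number {
    # Dotted quad -> integer, held in an Int64 to avoid signed 32-bit overflow
    param([string]$IPAddress)
    $b = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 address expected: $IPAddress" }
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-IPv4InPrefix {
    # True when $IPAddress falls inside the CIDR $Prefix; IPv6 prefixes return False
    param([string]$IPAddress, [string]$Prefix)
    $network, $bits = $Prefix -split '/'
    if (-not $bits) { $bits = 32 }
    if ($network -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $all  = [int64]4294967295
    $mask = if ([int]$bits -eq 0) { [int64]0 } else { ($all -shl (32 - [int]$bits)) -band $all }
    ((ConvertTo-IPv4Number $IPAddress) -band $mask) -eq ((ConvertTo-IPv4Number $network) -band $mask)
}

# Storage ranges for the region from each download, then the delta between them
$oldStorage = @(Get-RegionPrefixes -JsonText $oldJson -Region 'CentralUS' -SystemService 'AzureStorage' |
                Select-Object -ExpandProperty AddressPrefix)
$newStorage = @(Get-RegionPrefixes -JsonText $newJson -Region 'CentralUS' -SystemService 'AzureStorage' |
                Select-Object -ExpandProperty AddressPrefix)
$delta = Compare-PrefixLists -Old $oldStorage -New $newStorage
"Added:   $($delta.Added -join ', ')"
"Removed: $($delta.Removed -join ', ')"

# Constructed CMG address; in practice resolve your CMG FQDN as the script does
$cmgIp = '203.0.113.45'
$covering = @($newStorage | Where-Object { Test-IPv4InPrefix -IPAddress $cmgIp -Prefix $_ })
"CMG $cmgIp is covered by: $($covering -join ', ')"
```

With the constructed data the delta reports two added prefixes and one removed, and the CMG address is matched by 203.0.113.0/24; the EastUS storage entry and the CentralUS SQL entry are both excluded by the filters. For a real check, feed the two most recent ServiceTags downloads to the same functions and hand the Added and Removed lists to the network team instead of the full 59 lines.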

# Microsoft provides programming examples for illustration only, 
# without warranty either expressed or implied, including, but not 
# limited to, the implied warranties of merchantability and/or 
# fitness for a particular purpose. 
#
# This sample assumes that you are familiar with the programming 
# language being demonstrated and the tools used to create and debug 
# procedures. Microsoft support professionals can help explain the 
# functionality of a particular procedure, but they will not modify 
# these examples to provide added functionality or construct 
# procedures to meet your specific needs. If you have limited 
# programming experience, you may want to contact a Microsoft 
# Certified Partner or the Microsoft fee-based consulting line at 
# (800) 936-5200. 
#
# For more information about Microsoft Certified Partners, please 
# visit the following Microsoft Web site:
# https://partner.microsoft.com/global/30000104
<#
    .SYNOPSIS
    Gets IP Ranges from Microsoft IP List json file

    JSON files available at:
    Public: https://www.microsoft.com/en-us/download/details.aspx?id=56519
    US Gov: http://www.microsoft.com/en-us/download/details.aspx?id=57063
    Germany: http://www.microsoft.com/en-us/download/details.aspx?id=57064
    China: http://www.microsoft.com/en-us/download/details.aspx?id=57062


    .PARAMETER  jsonpath
    The path to the downloaded json file

    .PARAMETER  region
    The shortened name for the desired region. You can get this by looking through the JSON file

    .PARAMETER  CMG
    If desired, add the FQDN of your ConfigMgr Cloud Management Gateway to limit the results to your CMG and the AzureStorage for your region

    .EXAMPLE
    PS C:\> Get-MSFTIPRangesByRegion -region "EastUS" -jsonpath "C:\Users\ken\Downloads\ServiceTags_Public_20200413.json"

    .EXAMPLE
    Get-MSFTIPRangesByRegion "EastUS" "C:\Users\ken\Downloads\ServiceTags_Public_20200413.json" -CMG "configmgrpfe.cloudapp.net"

    .NOTES
        Author: Ken Wygant
        Date Created: 14Apr2020
#> 

Param(
  [parameter(Mandatory=$True,Position=0)][string]$region,
  [parameter(Mandatory=$True,Position=1)][string]$jsonpath,
  [parameter()][string]$CMG
)

# Load the service tag entries; each one carries properties.region,
# properties.systemService and properties.addressPrefixes
$ipdata = (Get-Content $jsonpath -Raw | ConvertFrom-Json).values
$items = @()
# -eq is case-insensitive, so "centralus" and "CentralUS" both match
$ipdata | where-object{$_.properties.region -eq $region} | ForEach{
    $item = $_.properties | select Region, SystemService, addressPrefixes
    # Flatten to one object per prefix so the output can be sorted, filtered or exported as a table
    ForEach($prefix in $item.addressPrefixes){
        $obj = New-Object -typename psobject
        Add-Member -InputObject $obj -MemberType NoteProperty -Name "Region" -Value $item.region
        Add-Member -InputObject $obj -MemberType NoteProperty -Name "SystemService" -Value $item.SystemService
        Add-Member -InputObject $obj -MemberType NoteProperty -Name "AddressPrefix" -Value $prefix
        $items += $obj
    }
}
if($CMG){
    # Resolve the CMG FQDN and take its first IPv4 address. GetHostByName is obsolete,
    # and AddressList[0] may be an IPv6 address, which would make the /32 below wrong.
    $hostEntry = [System.Net.Dns]::GetHostEntry($CMG)
    $cmgIP = $hostEntry.AddressList | where-object{$_.AddressFamily -eq 'InterNetwork'} | select -First 1
    if(-not $cmgIP){ throw "No IPv4 address resolved for $CMG" }
    $obj = New-Object -typename psobject
    Add-Member -InputObject $obj -MemberType NoteProperty -Name "Region" -Value $region
    Add-Member -InputObject $obj -MemberType NoteProperty -Name "SystemService" -Value "CMG"
    Add-Member -InputObject $obj -MemberType NoteProperty -Name "AddressPrefix" -Value "$($cmgIP.IPAddressToString)/32"
    $items += $obj
    # With -CMG, return only the region's AzureStorage ranges plus the CMG itself
    $items | where-object{$_.SystemService -eq "AzureStorage" -or $_.SystemService -eq "CMG"}
}
else{$items}

Public Cloud Regions (the json file lists most regions in both lowercase and mixed case; the script's -eq comparison is case-insensitive, so either spelling works as the region parameter):
australiacentral
AustraliaCentral
AustraliaCentral2
australiacentral2
australiaeast
AustraliaEast
australiasoutheast
AustraliaSoutheast
Backend
brazilse
BrazilSouth
brazilsouth
BrazilSoutheast
CanadaCentral
canadacentral
canadaeast
CanadaEast
centralfrance
CentralIndia
centralindia
centralus
CentralUS
centraluseuap
CentralUSEUAP
EastAsia
eastasia
eastus
EastUS
EastUS2
eastus2
EastUS2EUAP
eastus2euap
EastUS2Stage
FirstParty
FranceCentral
FranceSouth
Frontend
germanyn
GermanyNorth
germanywc
GermanyWestCentral
JapanEast
japaneast
japanwest
JapanWest
KoreaCentral
koreacentral
KoreaSouth
koreasouth
NorthCentralUS
northcentralus
NorthCentralUSStage
NorthEurope
northeurope
norwaye
NorwayEast
norwayw
NorwayWest
southafricanorth
SouthAfricaNorth
SouthAfricaWest
southafricawest
southcentralus
SouthCentralUS
SoutheastAsia
southeastasia
southfrance
southindia
SouthIndia
switzerlandn
SwitzerlandNorth
switzerlandw
SwitzerlandWest
UAECentral
uaecentral
UAENorth
uaenorth
uknorth
UKNorth
uksouth
UKSouth
uksouth2
UKSouth2
ukwest
UKWest
westcentralus
WestCentralUS
WestEurope
westeurope
westindia
WestIndia
WestUS
westus
westus2
WestUS2