Thursday, November 12, 2020

How to get list of Azure service tags and IP ranges using az cli

Microsoft provides weekly updated list of IP addresses used by various Azure features as downloadable JSON file on their webpage. Automating download of it is however not supported and prone to breakage.

Same information is now also available via Azure Service Tag Discovery API. New API is still in public preview state and list of IPs it provides is far less than downloadble file contains. So either list of IPs from API is tailored for your particular subscription or it is incomplete.

Discovery API requires authenticated session to Azure so we need to create service principal and custom RBAC role to keep things secure. See you for more after the break.


# Login using your admin account
az login
 
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "e6e3b750-3e14-448f-af73-516e1b3b4324",
    "id": "739af45c-37c7-4420-b302-03c0ee7cd9e0",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure Pass - Sponsorship",
    "state": "Enabled",
    "tenantId": "e6e3b750-3e14-448f-af73-516e1b3b4324",
    "user": {
      "name": "asiantuntijakaveri@root",
      "type": "user"
    }
  }
]


# Get SubscriptionId
az account list --all --output table

Name                      CloudName    SubscriptionId                        State    IsDefault
------------------------  -----------  ------------------------------------  -------  -----------
Azure Pass - Sponsorship  AzureCloud   739af45c-37c7-4420-b302-03c0ee7cd9e0  Enabled  True



# Register network provider - required if you're trying this on empty sub
az provider register --namespace 'Microsoft.Network'


# Create json file that defines custom rbac role
cat <<'__EOF__' > custom-rbac-servicetag-reader.json
{
  "Name": "Custom: Service Tag Discovery API Reader",
  "IsCustom": true,
  "Description": "Lets you view list of service tags and their IP ranges using 
Service Tag Discovery API.",

  "Actions": [
    "Microsoft.Network/locations/*/serviceTags/read"
  ],
  "NotActions": [],
  "dataActions": [],
  "notDataActions": [],
  "AssignableScopes": [
    "/subscriptions/739af45c-37c7-4420-b302-03c0ee7cd9e0"
  ]
}

__EOF__



# Create custom rbac on Azure
az role definition create --role-definition custom-rbac-servicetag-reader.json



# Verify that role was created successfully
az role definition list --custom-role-only true --output json --query '[].{roleName:roleName, roleType:roleType}'


[
  {
   "roleName": "Custom: Service Tag Discovery API Reader",
   "roleType": "CustomRole"
  }
]



# Create service principal that is only allowed to read service tag IP ranges
az ad sp create-for-rbac -n "https://servicetagdiscoveryapi-reader" --role "Custom: Service Tag Discovery API Reader" --scopes /subscriptions/739af45c-37c7-4420-b302-03c0ee7cd9e0

Creating a role assignment under the scope of "/subscriptions/739af45c-37c7-4420-b302-03c0ee7cd9e0"
{
  "appId": "26099423-d274-4b6e-9953-b523c2bf50b5",
  "displayName": "servicetagdiscoveryapi-reader",
  "name": "https://servicetagdiscoveryapi-reader",
  "password": "Tfgg.k5t_oyltLzN0_XkIf.gGa8.W1wSsD",
  "tenant": "e6e3b750-3e14-448f-af73-516e1b3b4324"
}



# Logout admin account
az logout


# Login using service principal
az login --service-principal -u 26099423-d274-4b6e-9953-b523c2bf50b5 -p Tfgg.k5t_oyltLzN0_XkIf.gGa8.W1wSsD --tenant e6e3b750-3e14-448f-af73-516e1b3b4324

[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "e6e3b750-3e14-448f-af73-516e1b3b4324",
    "id": "739af45c-37c7-4420-b302-03c0ee7cd9e0",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure Pass - Sponsorship",
    "state": "Enabled",
    "tenantId": "e6e3b750-3e14-448f-af73-516e1b3b4324",
    "user": {
      "name": "26099423-d274-4b6e-9953-b523c2bf50b5",
      "type": "servicePrincipal"
    }
  }
]




# Get list of service tags and their IP ranges.
# Location parameter is required and must be valid, but is irrelevant as json response is same for all regions
az network list-service-tags --location westeurope

{
  "changeNumber": "67",
  "cloud": "Public",
  "id": "/subscriptions/
739af45c-37c7-4420-b302-03c0ee7cd9e0/providers/Microsoft.Network/serviceTags/Public",
  "name": "Public",
  "type": "Microsoft.Network/serviceTags",
  "values": [
    {
      "id": "ActionGroup",
      "name": "ActionGroup",
      "properties": {
        "addressPrefixes": [
          "13.66.143.220/30",
          "13.67.10.124/30",
          "13.69.109.132/30",
          "13.71.199.112/30",
...


Also see:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli
https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
https://lnx.azurewebsites.net/non-interactive-login-in-azure-cli-2-0/

No comments:

Post a Comment

Got something to say?!