Thursday, November 12, 2020

How to get list of Azure service tags and IP ranges using az cli

Microsoft provides a weekly updated list of the IP addresses used by various Azure features as a downloadable JSON file on their webpage. Automating the download of that file is, however, not supported and prone to breakage.

The same information is now also available via the Azure Service Tag Discovery API. The API is still in public preview and the list of IPs it returns is far smaller than what the downloadable file contains. So either the list of IPs from the API is tailored to your particular subscription or it is incomplete.

The Discovery API requires an authenticated session to Azure, so we create a service principal and a custom RBAC role that only permits reading service tags, keeping the principal's rights to the minimum it needs. See you for more after the break.


# Login using your admin account
az login
 
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "e6e3b750-3e14-448f-af73-516e1b3b4324",
    "id": "739af45c-37c7-4420-b302-03c0ee7cd9e0",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure Pass - Sponsorship",
    "state": "Enabled",
    "tenantId": "e6e3b750-3e14-448f-af73-516e1b3b4324",
    "user": {
      "name": "asiantuntijakaveri@root",
      "type": "user"
    }
  }
]


# Get SubscriptionId
az account list --all --output table

Name                      CloudName    SubscriptionId                        State    IsDefault
------------------------  -----------  ------------------------------------  -------  -----------
Azure Pass - Sponsorship  AzureCloud   739af45c-37c7-4420-b302-03c0ee7cd9e0  Enabled  True



# Register network provider - required if you're trying this on empty sub
az provider register --namespace 'Microsoft.Network'


# Create a JSON file that defines the custom RBAC role (read-only on service tags)
cat <<'__EOF__' > custom-rbac-servicetag-reader.json
{
  "Name": "Custom: Service Tag Discovery API Reader",
  "IsCustom": true,
  "Description": "Lets you view list of service tags and their IP ranges using Service Tag Discovery API.",
  "Actions": [
    "Microsoft.Network/locations/*/serviceTags/read"
  ],
  "NotActions": [],
  "dataActions": [],
  "notDataActions": [],
  "AssignableScopes": [
    "/subscriptions/739af45c-37c7-4420-b302-03c0ee7cd9e0"
  ]
}

__EOF__



# Create the custom RBAC role in Azure
az role definition create --role-definition custom-rbac-servicetag-reader.json



# Verify that the role was created successfully
az role definition list --custom-role-only true --output json --query '[].{roleName:roleName, roleType:roleType}'


[
  {
   "roleName": "Custom: Service Tag Discovery API Reader",
   "roleType": "CustomRole"
  }
]



# Create a service principal that is only allowed to read service tag IP ranges
az ad sp create-for-rbac -n "https://servicetagdiscoveryapi-reader" --role "Custom: Service Tag Discovery API Reader" --scopes /subscriptions/739af45c-37c7-4420-b302-03c0ee7cd9e0

Creating a role assignment under the scope of "/subscriptions/739af45c-37c7-4420-b302-03c0ee7cd9e0"
{
  "appId": "26099423-d274-4b6e-9953-b523c2bf50b5",
  "displayName": "servicetagdiscoveryapi-reader",
  "name": "https://servicetagdiscoveryapi-reader",
  "password": "Tfgg.k5t_oyltLzN0_XkIf.gGa8.W1wSsD",
  "tenant": "e6e3b750-3e14-448f-af73-516e1b3b4324"
}



# Log out of the admin account
az logout


# Log in using the service principal
az login --service-principal -u 26099423-d274-4b6e-9953-b523c2bf50b5 -p Tfgg.k5t_oyltLzN0_XkIf.gGa8.W1wSsD --tenant e6e3b750-3e14-448f-af73-516e1b3b4324

[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "e6e3b750-3e14-448f-af73-516e1b3b4324",
    "id": "739af45c-37c7-4420-b302-03c0ee7cd9e0",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure Pass - Sponsorship",
    "state": "Enabled",
    "tenantId": "e6e3b750-3e14-448f-af73-516e1b3b4324",
    "user": {
      "name": "26099423-d274-4b6e-9953-b523c2bf50b5",
      "type": "servicePrincipal"
    }
  }
]




# Get the list of service tags and their IP ranges.
# The location parameter is required and must be valid, but is otherwise irrelevant: the JSON response is the same for all regions
az network list-service-tags --location westeurope

{
  "changeNumber": "67",
  "cloud": "Public",
  "id": "/subscriptions/739af45c-37c7-4420-b302-03c0ee7cd9e0/providers/Microsoft.Network/serviceTags/Public",
  "name": "Public",
  "type": "Microsoft.Network/serviceTags",
  "values": [
    {
      "id": "ActionGroup",
      "name": "ActionGroup",
      "properties": {
        "addressPrefixes": [
          "13.66.143.220/30",
          "13.67.10.124/30",
          "13.69.109.132/30",
          "13.71.199.112/30",
...
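Once the service principal can pull the JSON above, the practical question is what to do with it. The following is an added example, not code from the original post: it indexes the `values` array returned by `az network list-service-tags` into `ipaddress` networks, looks up which tags a given address belongs to (useful when triaging source IPs in logs) and emits a per-tag prefix list for firewall allowlists. The embedded `SAMPLE_SERVICE_TAGS` document is constructed to mirror the output shape shown above; the `ExampleTag` entry and its prefixes are invented, and `fetch_service_tags` is a thin wrapper that assumes an `az` binary and an existing login session.

```python
"""Index Azure service tags and match IP addresses against them.

Added example (not from the original post). Consumes the JSON that
`az network list-service-tags --location <region> --output json` returns.
"""
import ipaddress
import json
import subprocess
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample modelled on the output shown in the post: the ActionGroup
# prefixes are real values from the post, "ExampleTag" is invented for the demo.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": "67",
    "cloud": "Public",
    "values": [
        {
            "id": "ActionGroup",
            "name": "ActionGroup",
            "properties": {
                "addressPrefixes": ["13.66.143.220/30", "13.67.10.124/30"],
            },
        },
        {
            "id": "ExampleTag",
            "name": "ExampleTag",
            "properties": {
                "addressPrefixes": ["203.0.113.0/24", "2001:db8::/32", "not-a-prefix"],
            },
        },
    ],
})


def fetch_service_tags(location: str = "westeurope") -> str:
    """Run the same az command as the post and return its raw JSON output.

    Assumes `az` is on PATH and a session exists (e.g. the read-only SP above).
    """
    result = subprocess.run(
        ["az", "network", "list-service-tags", "--location", location,
         "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def load_service_tags(raw: str) -> Dict[str, List[Network]]:
    """Parse the service-tag document into {tag name: [networks]}.

    Malformed prefixes are skipped rather than aborting the whole import,
    so one bad entry cannot empty an allowlist.
    """
    doc = json.loads(raw)
    index: Dict[str, List[Network]] = {}
    for tag in doc.get("values", []):
        nets: List[Network] = []
        for prefix in tag.get("properties", {}).get("addressPrefixes", []):
            try:
                nets.append(ipaddress.ip_network(prefix, strict=False))
            except ValueError:
                continue
        index[tag["name"]] = nets
    return index


def tags_for_ip(index: Dict[str, List[Network]], ip: str) -> List[str]:
    """Return the sorted names of every tag whose prefixes contain `ip`."""
    addr = ipaddress.ip_address(ip)
    return sorted(
        name for name, nets in index.items()
        if any(addr.version == net.version and addr in net for net in nets)
    )


def allowlist_for_tag(index: Dict[str, List[Network]], tag: str,
                      version: int = 4) -> List[str]:
    """Prefixes of one tag, filtered by IP version, as strings for a firewall rule."""
    return [str(net) for net in index.get(tag, []) if net.version == version]


if __name__ == "__main__":
    idx = load_service_tags(SAMPLE_SERVICE_TAGS)
    print("13.66.143.221 ->", tags_for_ip(idx, "13.66.143.221"))
    print("ActionGroup v4 allowlist:", allowlist_for_tag(idx, "ActionGroup"))
```

To use it against live data, replace `SAMPLE_SERVICE_TAGS` with `fetch_service_tags()` while logged in as the service principal; note that the `changeNumber` field is the handle for detecting that Microsoft has published a new revision and a stored allowlist needs regenerating.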


Also see:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli
https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
https://lnx.azurewebsites.net/non-interactive-login-in-azure-cli-2-0/
