Azure IP Downloader v1


My firewall recently blocked Microsoft Azure AD Connect which caused issues with syncing to 365. Turns out the issue was that my IPS (Intrusion Prevention System) flagged it as being “suspected RST injection”.

Normally when something like this happens, it’s the IPS being overly sensitive and I can usually whitelist the specific detection. However, the IPS is correctly blocking other things that are also flagged as “suspected RST injection”. Because this is Microsoft Azure, I can’t simply whitelist the IP or a short IP range, as there are so many and they can change fairly often.

Microsoft does list some of the IPs for most of 365 on their website. However, the IPs that were being blocked on my side of things were 52.239.186.132 and 52.239.149.106, which aren’t in the main lists as they are part of the Azure side of things.

There’s a link on the same page that will take you to a download page for all the Azure IPs. However they update that file weekly. AWS publishes a JSON file of their IPs here.

People have been asking for years for Microsoft to just publish the IPs in a JSON file like AWS does. There’s a feedback request from 2016 asking for something like that here. Microsoft did make the JSON file available, but in a roundabout way.

All things aside I can’t do anything with the JSON file directly. I decided to find my own way around the problem and wrote a PowerShell script to deal with it. I call it Azure IP filter and downloader script.

To make things work there are still a few manual steps. You need to go to the Microsoft download page and click download. Then you can steal the direct download URL and feed it into the script so the script can download the JSON directly.

Once the script downloads the JSON it parses it and filters out the regions a bit more. After that it makes an object of the results.

Once we have the resulting object, the script outputs it to C:\temp as a txt file. That file has IPv4 and IPv6 in one file. The script then uses regular expressions to make 2 more files: one with only the IPv4 IPs and one with only the IPv6 IPs.

After that we can take that txt file and upload it to the firewall, or we can publish the txt file somewhere and point the firewall to that file.

The script is only 46 lines long too.

You can download the script here https://github.com/thedxt/IP-Downloader/blob/main/Azure-IP-Downloader.ps1

# Azure IP filter and downloader script v1.0
# Author: Daniel Keer
# Author URI: https://thedxt.ca
# Script URI: https://github.com/thedxt/IP-Downloader
#
# DESCRIPTION
#
# grabs the JSON file for the Azure IP Ranges and Service Tags – Public Cloud
# script allows for filtering and downloads the ips into one big file
# it also makes a file just for IPv4 and IPv6
# the uri from MS will need to be replaced as that may change
# the uri is here https://www.microsoft.com/en-us/download/details.aspx?id=56519
#
#
# change the variables as needed


#save location
$exportlocation = "C:\temp\"

#region filter
$regionFilter = "canada"

#download the JSON file from MS
$MSjsonDL = Invoke-WebRequest -Uri "https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20201228.json"


#getting date
$time = get-date -f yyyy_MMM_dd_hhmm_tt

#convert to PS object
$MSjsonOBJ = ConvertFrom-Json $MSjsonDL

#select the values
$properties = $MSjsonOBJ.values.properties


#filter to pick only specific regions and null for ones that dont have regions
$regions = $properties | where-object { $_.region -match $regionFilter -OR $_.region -eq ""}

#save files using reg ex to filter ipv4 and ipv6 to their own files if needed
$regions.addressPrefixes | out-file "$exportlocation\$($time)_filtered_region_$($regionFilter)_all_IPs.txt"

$regions.addressPrefixes -match '\.' | out-file "$exportlocation\$($time)_filtered_region_$($regionFilter)_v4_IPs.txt"

$regions.addressPrefixes -match '\:' | out-file "$exportlocation\$($time)_filtered_region_$($regionFilter)_v6_IPs.txt"
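
Before allowlisting every prefix for a region, it helps to see which service tag actually covers a blocked address such as the two mentioned earlier. The following is an added example, not part of the original script: the function names `Test-IpInPrefix` and `Find-ServiceTagForIp` are hypothetical, and the JSON is constructed sample data in the same `values` / `properties` / `addressPrefixes` shape the script reads, using documentation address ranges rather than real Azure prefixes.

```powershell
# Added example, not part of the original script.
# Constructed sample data: documentation ranges, not real Azure prefixes.
$sampleJson = @'
{ "values": [
  { "name": "ExampleService.CanadaCentral", "properties": { "region": "canadacentral",
      "addressPrefixes": [ "203.0.113.0/25", "2001:db8:100::/48" ] } },
  { "name": "ExampleGlobalService", "properties": { "region": "",
      "addressPrefixes": [ "198.51.100.0/24", "not-a-prefix" ] } }
] }
'@

function Test-IpInPrefix {
    param([string]$Ip, [string]$Prefix)
    $addr = $null; $net = $null
    $parts = $Prefix -split '/'
    # Reject anything that is not "address/length" instead of guessing
    if ($parts.Count -ne 2 -or $parts[1] -notmatch '^\d{1,3}$') { return $false }
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $false }
    if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$net)) { return $false }
    # An IPv4 address never matches an IPv6 prefix, and vice versa
    if ($addr.AddressFamily -ne $net.AddressFamily) { return $false }
    $a = $addr.GetAddressBytes(); $n = $net.GetAddressBytes()
    $bits = [int]$parts[1]
    if ($bits -gt $a.Length * 8) { return $false }
    # Compare the whole bytes first, then the leftover high bits of the next byte
    $full = [int][math]::Floor($bits / 8)
    for ($i = 0; $i -lt $full; $i++) { if ($a[$i] -ne $n[$i]) { return $false } }
    $rem = $bits % 8
    if ($rem -eq 0) { return $true }
    $mask = (0xFF -shl (8 - $rem)) -band 0xFF
    return (($a[$full] -band $mask) -eq ($n[$full] -band $mask))
}

function Find-ServiceTagForIp {
    param($ServiceTags, [string]$Ip)
    foreach ($tag in $ServiceTags.values) {
        foreach ($prefix in $tag.properties.addressPrefixes) {
            if (Test-IpInPrefix -Ip $Ip -Prefix $prefix) {
                [pscustomobject]@{ Ip = $Ip; Tag = $tag.name
                    Region = $tag.properties.region; Prefix = $prefix }
            }
        }
    }
}

$tags = ConvertFrom-Json $sampleJson
'203.0.113.10', '2001:db8:100::5', '192.0.2.1' |
    ForEach-Object { Find-ServiceTagForIp -ServiceTags $tags -Ip $_ }
```

To check a blocked address against the real file, pass the script's `$MSjsonOBJ` as `-ServiceTags`; an address that returns no rows is not covered by any prefix in that download.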
