Azure IP Downloader v1
My firewall recently blocked Microsoft Azure AD Connect which caused issues with syncing to 365. Turns out the issue was that my IPS (Intrusion Prevention System) flagged it as being “suspected RST injection”.
Normally when something like this happens it’s typically the IPS being overly sensitive and I usually can whitelist the specific detection however the IPS is blocking other things correctly that are also flagged as “suspected RST injection” because this is Microsoft Azure I can’t simply just whitelist the IP or a short IP range because there are so many and they can change fairly often.
Microsoft does list some of the IPs for most of 365 on their website however the IPs that were being blocked from my side of things was 52.239.186.132 and 52.239.149.106. Which aren’t in the main lists as they are part of the Azure side of things.
There’s a link on the same page that will take you to a download page for all the Azure IPs. However they update that file weekly. AWS publishes a JSON file of their IPs here.
It’s been years that people have asked for Microsoft to just publish the IPs in a JSON file like how AWS does. There’s a feedback request from 2016 asking for something like that here. Microsoft did make the JSON file available but in a roundabout way.
All things aside I can’t do anything with the JSON file directly. I decided to find my own way around the problem and wrote a PowerShell script to deal with it. I call it Azure IP filter and downloader script.
In order to make things work there are still a few manual steps. You need to go to the Microsoft download page and click download and then you can steal the direct download URL and feed that into the script so the script can download the JSON directly.
Once the script downloads the JSON it parses it and filters out the regions a bit more. After that it makes an object of the results.
Once we have the resulting object it then outputs a file in C:\temp as a txt file. The file has IPv4 and IPv6 in one file. The script uses regular expressions to make 2 more files one for only the IPv4 IPs and one for only the IPv6 IPs.
After that we can take that txt file an upload it to the firewall or we can publish the txt file somewhere and point the Firewall to that file.
The script is only 46 lines long too.
You can download the script here https://github.com/thedxt/IP-Downloader/blob/main/Azure-IP-Downloader.ps1
# Azure IP filter and downloader script v1.0
# Author: Daniel Keer
# Author URI: https://thedxt.ca
# Script URI: https://github.com/thedxt/IP-Downloader
#
# DESCRIPTION
#
# grabs the JSON file for the Azure IP Ranges and Service Tags – Public Cloud
# script allows for flitering and downloads the ips into one big file
# it also makes a file just for IPv4 and IPv6
# the uri from MS will need to be replaced as that may change
# the uri is here https://www.microsoft.com/en-us/download/details.aspx?id=56519
#
#
# change the variables as needed
#save location
$exportlocation = "C:\temp\"
#region filter
$regionFilter = "canada"
#download the JSON file from MS
$MSjsonDL = Invoke-WebRequest -Uri "https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20201228.json"
#getting date
$time = get-date -f yyyy_MMM_dd_hhmm_tt
#convert to PS object
$MSjsonOBJ = ConvertFrom-Json $MSjsonDL
#select the values
$properties = $MSjsonOBJ.values.properties
#filter to pick only specific regions and null for ones that dont have regions
$regions = $properties | where-object { $_.region -match $regionFilter -OR $_.region -eq ""}
#save files using reg ex to filter ipv4 and ipv6 to their own files if needed
$regions.addressPrefixes | out-file "$exportlocation\$($time)_filtered_region_$($regionFilter)_all_IPs.txt"
$regions.addressPrefixes -match '\.' | out-file "$exportlocation\$($time)_filtered_region_$($regionFilter)_v4_IPs.txt"
$regions.addressPrefixes -match '\:' | out-file "$exportlocation\$($time)_filtered_region_$($regionFilter)_v6_IPs.txt"
Code language: PowerShell (powershell)
2 responses to “Azure IP Downloader v1”
I know nothing about PS but looking into it now. A task came up and this script looks perfect. Thank you. Question:
I ran the script as is, to get a feel for it. It should work but doesn’t. Can you verify if the script still good as is. I really appreciate. It would be super useful for me. Thank you.
PS C:\Scripts\IP-Downloader-main> .\Azure-IP-Downloader.ps1
Invoke-WebRequest: C:\Scripts\IP-Downloader-main\Azure-IP-Downloader.ps1:38
Line |
38 | $MSjsonDL = Invoke-WebRequest -Uri $DLURI.href
| ~~~~~~~~~~~
| Cannot validate argument on parameter ‘Uri’. The argument is null or empty. Provide an argument that is not null
| or empty, and then try the command again.
ConvertFrom-Json: C:\Scripts\IP-Downloader-main\Azure-IP-Downloader.ps1:44
Line |
44 | $MSjsonOBJ = ConvertFrom-Json $MSjsonDL
| ~~~~~~~~~
| Cannot bind argument to parameter ‘InputObject’ because it is null.
PS C:\Scripts\IP-Downloader-main>
it looks like you downloaded it from GitHub which is good because that version is more up to date. I downloaded it just now to double check and everything seems to be working on my end.
the root of the error you are seeing is on line 38. Line 38 calls for the results from line 35 and line 35 calls for the items on line 34.
because of something not loading correctly everything cascades the failure.
can you try to things
1. can you try running this command by itself Invoke-WebRequest -uri “https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519”
2. can you try going to this url https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519
if those items fail that is likely what is causing the issue
Another item that could be causing the issue is if you are running this on a server if you are try running it on a Windows 10 or 11 system.