0
votes

I have set up an Azure storage account, setting the Firewalls and virtual networks to allow access from Selected networks. The account is connected to a VNet and subnet where my self-hosted release VMs are connected. When attempting to execute a new deployment with linked ARM templates, the release VMs are able to upload the ARM templates to the blob containers and obtain a SAS token, but the Azure Resource Manager reports "Error: Code=InvalidContentLink; Message=Unable to download deployment content from 'https://...".

All of the Allow exceptions are enabled.


If I change the firewall setting back to All networks, the execution completes successfully.

Is there a list of IP addresses that I should add? For example, Azure DevOps publishes a similar list that I've had to use at https://docs.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops#ip-addresses-and-range-restrictions


1 Answer

1
votes

See: https://social.technet.microsoft.com/wiki/contents/articles/50886.azure-get-datacenter-ip-address-ranges-via-api.aspx

One challenge here is that there are more IP ranges than we allow whitelisting for, so you need to restrict somehow (e.g. location) for this to work well in prod. We're working on an alternative solution but don't have an ETA yet.

One option some customers use is to have a separate storage account used only for staging when the files are transient. That doesn't work for all scenarios (e.g. longer term sharing of files) but may offer some short-term relief. Happy to chat offline in more detail about options here if it helps.
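As an added illustration of the "restrict by location" advice above (example code, not from the answer author or from Azure), the function below filters service-tag data down to one service in one region, drops IPv6 prefixes, and refuses to exceed a rule budget. The JSON shape follows the Service Tags discovery format, but the tag names, prefixes and the `max_rules` value are constructed assumptions, and whether `AzureResourceManager` is the right tag for your deployment is something to confirm against Azure's own documentation.

```python
import ipaddress
import json

# Constructed sample in the shape of the Service Tags download
# (the real file has thousands of entries); prefixes are invented.
SAMPLE_SERVICE_TAGS = json.dumps({
    "values": [
        {"name": "AzureResourceManager.WestEurope",
         "properties": {"region": "westeurope",
                        "systemService": "AzureResourceManager",
                        "addressPrefixes": ["40.60.1.0/24", "20.50.0.0/16",
                                            "2603:1020::/47"]}},
        {"name": "AzureResourceManager.EastUS",
         "properties": {"region": "eastus",
                        "systemService": "AzureResourceManager",
                        "addressPrefixes": ["13.70.0.0/16"]}},
        {"name": "Storage.WestEurope",
         "properties": {"region": "westeurope",
                        "systemService": "AzureStorage",
                        "addressPrefixes": ["52.10.0.0/16"]}},
    ]
})


def select_prefixes(service_tags_json, system_service, region, max_rules):
    """Return sorted, de-duplicated IPv4 prefixes for one service in one
    region; raise if they would not fit in the storage firewall rule budget."""
    data = json.loads(service_tags_json)
    selected = set()
    for tag in data["values"]:
        props = tag["properties"]
        if props["systemService"] != system_service or props["region"] != region:
            continue
        for prefix in props["addressPrefixes"]:
            net = ipaddress.ip_network(prefix)
            if net.version != 4:  # assumption: IP rules are kept to IPv4 here
                continue
            selected.add(net)
    ordered = [str(net) for net in sorted(selected)]
    if len(ordered) > max_rules:
        raise ValueError(f"{len(ordered)} prefixes exceed the budget of {max_rules}")
    return ordered


def network_rule_commands(prefixes, resource_group, account_name):
    """Render one `az storage account network-rule add` line per prefix,
    so the change can be reviewed before it is applied."""
    return [f"az storage account network-rule add --resource-group {resource_group} "
            f"--account-name {account_name} --ip-address {p}" for p in prefixes]
```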