
I am trying to secure my Cosmos DB account with a firewall in my ARM template. I have used the portal to see how I should edit the template.

In the portal, I have selected the tickbox "Accept connections from within public Azure datacenters" and "Allow access from Azure Portal". This adds the following IP addresses to the ipRangeFilter property.

104.42.195.92
40.76.54.131
52.176.6.30
52.169.50.45
52.187.184.26
0.0.0.0

Can I hardcode these IPs in the ARM template, or will they change in the future? Apart from 0.0.0.0 I suspect they would change. If so, how can I automatically add these IPs to the firewall whitelist without going to the portal?

Thanks

Edward Rixon
    Did you try exporting the ARM template to see what it would look like? Does it include the IPs or some other true or false setting that auto populates them in deployment? – Nick Chapsas Jan 04 '19 at 11:57
  • There is no bool. These IPs are sent in the patch request from the portal, and in the exported template. This does kinda lead me to believe that actually the IPs won't change. And another reason to think they won't change, it is unlikely that Msft would update this field for all cosmosDb accounts with this setting enabled. I will assume they are safe to hardcode for now... – Edward Rixon Jan 04 '19 at 12:15
  • I wouldn't assume that but I would test it first. Your logic is sound, but I'd say prove it first. – Nick Chapsas Jan 04 '19 at 12:19
  • Ideally yes, but without getting confirmation from Msft, or just waiting to see if the IPs change, how would I prove this? – Edward Rixon Jan 04 '19 at 12:21

1 Answer

The Portal IPs are documented here

| Region            | IP address |
|-------------------|------------|
| Germany           | 51.4.229.218 |
| China             | 139.217.8.252 |
| US Gov            | 52.244.48.71 |
| All other regions | 104.42.195.92, 40.76.54.131, 52.176.6.30, 52.169.50.45, 52.187.184.26 |

The 0.0.0.0 IP is to allow any other Azure Service (which includes the Portal, since it runs on Azure) to access the account as described here.

This option configures the firewall to allow all requests from Azure, including requests from the subscriptions of other customers deployed in Azure. The list of IPs allowed by this option is wide, so it limits the effectiveness of a firewall policy. Use this option only if your requests don’t originate from static IPs or subnets in virtual networks. Choosing this option automatically allows access from the Azure portal because the Azure portal is deployed in Azure.

Matias Quaranta