I'm looking for the simplest method to create a tenant-wide list of IP addresses that can interact with multiple services. Currently, we've set this up for Azure Files by managing the IP addresses directly in the storage account's network tab. However, as we're adding more services, I'd like a centralized way to maintain this list without having to update it separately for each service. I've considered using 'IP Groups', but it seems not all services support that. Management has suggested that we just keep updating the lists for each service, and they don't think we need Azure Firewall yet. I also tried using a virtual network and NSGs to restrict access, but that approach seems to require an NSG for every service/subnet, which feels counterproductive. Any insights would be appreciated! Thanks!
3 Answers
What specific types of traffic are you trying to control? Is this just internal traffic within your tenant, or are there external users involved? If it’s strictly internal, you might want to look into Private Endpoints or Service Endpoints for better security. If it’s coming from outside Azure, be prepared for a more complex solution.
This really sounds like a textbook case for Infrastructure as Code (IaC). If you manage your environments with IaC, you can define your IP whitelist as a variable. Although it may take some effort to set up at first, it will save you a lot of headaches later on.
Totally agree with IaC! Just keep your IP list in a parameter file and you can use it across your setup.
That definitely seems like the right approach! For best practices nowadays, would you recommend using Bicep, Terraform, or something else?
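One way to realise the "IP list as a single parameter" idea from the answer above, as an added example in Bicep that is not code from any of the posters: one `allowedIps` parameter feeds both the storage account's network rules (the Azure Files case from the question) and an NSG rule, so the list is edited in one place and every deployment picks it up. The IP values, resource names and API versions are constructed assumptions for illustration.

```bicep
// Single source of truth for the office VPN egress addresses.
// Values below are constructed placeholders (RFC 5737 documentation ranges);
// in practice they would come from a shared parameter file.
@description('Public IPs or CIDR ranges allowed to reach the services')
param allowedIps array = [
  '203.0.113.10'       // single host: write it bare, not as /32
  '198.51.100.0/24'    // a whole office range
]
param location string = resourceGroup().location
param storageAccountName string = 'stofficeonly001'   // assumed name

// Storage account (Azure Files lives here): deny by default, allow only the list.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    publicNetworkAccess: 'Enabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      // one ipRule per entry in the shared list
      ipRules: [for ip in allowedIps: {
        value: ip
        action: 'Allow'
      }]
    }
  }
}

// NSG for any subnet-hosted service: same list, so it never drifts from storage.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-office-only'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowOfficeHttpsInbound'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefixes: allowedIps   // accepts the whole array
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      // no explicit deny needed: the built-in DenyAllInBound rule (priority 65500) covers the rest
    ]
  }
}
```

Storage account IP rules reject /31 and /32 prefixes, so single hosts must be listed as bare addresses (as above), while NSG prefixes accept either form; keeping the list in the bare-address style works for both.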
There are several strategies you could pursue. I support the IaC approach mentioned before. Regardless of your final design, it's crucial. If you opt for NSGs, you might also want to explore the Virtual Network Manager. This allows you to manage your rules from one central location and helps keep all your services and NSGs updated when rules change.
Thanks for the tip! I'll check that out!
Thanks for the input. It’s mainly for our employees, but technically it could be accessed from the internet (according to MS). These IPs are from our different office VPN endpoints.