Azure IP Ranges & Service Tags

Microsoft Azure public IP ranges, key service tags, and how to use them in Network Security Groups (NSGs) and Azure Firewall rules.

Azure Service Tags

Microsoft Azure uses Service Tags — named groups of IP address prefixes that represent a service or group of services. In Azure Network Security Groups (NSGs) and Azure Firewall, you can use service tags directly instead of specifying individual IP ranges. Azure automatically keeps these tags up to date as service IPs change.

Microsoft publishes the full list of service tags and their IP ranges as a machine-readable JSON file, updated weekly, on the Microsoft Download Center.
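As an added example (not from the original page or from Microsoft): a Python sketch that takes two copies of the Service Tags JSON, reports which tags contain a given IP, and lists the prefixes added or removed between the two files. The sample documents are constructed with RFC 5737 documentation prefixes and the function names are this example's own; the field names (values, name, properties.addressPrefixes) follow the layout of the published file.

```python
import ipaddress

# Constructed sample in the shape of the weekly Service Tags JSON
# (top-level "values", each with "name" and "properties.addressPrefixes").
# Prefixes are RFC 5737 documentation ranges, not real Azure data.
LAST_WEEK = {"changeNumber": 1, "cloud": "Public", "values": [
    {"name": "AzureCloud.EastUS",
     "properties": {"addressPrefixes": ["192.0.2.0/24", "198.51.100.0/24"]}},
    {"name": "Storage", "properties": {"addressPrefixes": ["192.0.2.128/25"]}},
]}
THIS_WEEK = {"changeNumber": 2, "cloud": "Public", "values": [
    {"name": "AzureCloud.EastUS",
     "properties": {"addressPrefixes": ["192.0.2.0/24", "203.0.113.0/24"]}},
    {"name": "Storage", "properties": {"addressPrefixes": ["192.0.2.128/25"]}},
]}


def index_tags(doc):
    """Map each tag name to a set of ip_network objects."""
    return {v["name"]: {ipaddress.ip_network(p, strict=False)
                        for p in v["properties"]["addressPrefixes"]}
            for v in doc["values"]}


def tags_for_ip(doc, ip):
    """Return (tag, prefix) pairs that contain ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    hits = [(tag, net) for tag, nets in index_tags(doc).items()
            for net in nets if net.version == addr.version and addr in net]
    hits.sort(key=lambda h: (-h[1].prefixlen, h[0]))
    return [(tag, str(net)) for tag, net in hits]


def prefix_changes(old_doc, new_doc):
    """Per tag, the prefixes added and removed between two weekly files."""
    old, new = index_tags(old_doc), index_tags(new_doc)
    changes = {}
    for tag in sorted(old.keys() | new.keys()):
        added = sorted(str(n) for n in new.get(tag, set()) - old.get(tag, set()))
        removed = sorted(str(n) for n in old.get(tag, set()) - new.get(tag, set()))
        if added or removed:
            changes[tag] = {"added": added, "removed": removed}
    return changes


if __name__ == "__main__":
    print(tags_for_ip(THIS_WEEK, "192.0.2.200"))
    print(prefix_changes(LAST_WEEK, THIS_WEEK))
```

A prefix that shows up under "removed" is one that a hard-coded allow rule would still trust after the service stopped using it, which is the drift a service tag avoids.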

Key Azure Service Tags

| Service Tag | What it covers | Common Use |
|---|---|---|
| AzureCloud | All Azure public IP addresses globally | Allow all Azure services |
| AzureCloud.EastUS | Azure East US region IPs | Region-scoped allow rules |
| AzureLoadBalancer | Azure Load Balancer probe source IPs | Must allow for health probes to work |
| AzureTrafficManager | Traffic Manager probe IPs | Health check probes from TM |
| Storage | Azure Storage service IPs | Allow access to Azure Blob, Files, Queues |
| Sql | Azure SQL and SQL MI IPs | Allow SQL database connectivity |
| AppService | Azure App Service environment IPs | Inbound/outbound App Service |
| AzureContainerRegistry | Azure Container Registry IPs | Pull images in restricted networks |
| AzureKeyVault | Azure Key Vault IPs | Allow Key Vault access from NSG |
| AzureMonitor | Azure Monitor, Log Analytics, App Insights IPs | Allow telemetry egress |
| GatewayManager | Azure VPN/App Gateway management IPs | Required for Gateway health probes |
| Internet | Everything outside the VNet (the public internet) | Broad allow/deny rules |
| VirtualNetwork | The entire VNet address space + peered VNets | Allow intra-VNet traffic |

Notable Azure IP Ranges

Representative ranges — Azure IPs change frequently. Always use Service Tags in production NSG rules.

| IP Prefix | Region / Service |
|---|---|
| 13.64.0.0/11 | East US — core compute |
| 13.96.0.0/13 | East US 2 — compute |
| 13.104.0.0/14 | Global — Microsoft network |
| 20.0.0.0/8 | Global — Azure (large block) |
| 40.64.0.0/10 | Global — Azure services |
| 52.0.0.0/8 | Global — Azure (large block) |
| 104.40.0.0/13 | West Europe |
| 137.116.0.0/15 | East Asia |
| 168.61.0.0/16 | West US — Azure infra |
| 191.232.0.0/13 | Brazil South |

Example: NSG Rule Using Service Tags

In an Azure Network Security Group, you can reference a service tag directly instead of managing a list of IP ranges. Azure keeps the tag's prefixes up to date automatically.

# Allow inbound HTTPS from Azure Load Balancer probes
{
  "name": "Allow-AzureLoadBalancer",
  "priority": 100,
  "direction": "Inbound",
  "access": "Allow",
  "protocol": "Tcp",
  "sourceAddressPrefix": "AzureLoadBalancer",
  "destinationAddressPrefix": "*",
  "destinationPortRange": "443"
}

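# Allow inbound from Azure public IPs in the East US region only.
# Note: this tag covers public IPs assigned to any Azure customer's resources
# in that region, and this rule opens every port and protocol to them.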
{
  "name": "Allow-AzureCloud-EastUS",
  "priority": 200,
  "direction": "Inbound",
  "access": "Allow",
  "protocol": "*",
  "sourceAddressPrefix": "AzureCloud.EastUS",
  "destinationAddressPrefix": "*",
  "destinationPortRange": "*"
}