Custom hostname for Azure storage and application services

Arkady Miasnikov 1 Reputation point
2022-11-24T10:02:24.657+00:00

Hello,

In one of our installations I need to whitelist all the host names our IoT uses. The goal is to narrow the list of entries we should add in the firewall protecting the LAN.
I have dumped the DNS requests and among other things I see

r1007eus.eastus.cloudapp.azure.com

Is it storage or an application? How do I customize the host name in this case?

I see also
azat-eus2-sf-agntsvc0-zr.eastus2.cloudapp.azure.com.
e564bc96-67af-48ed-a19d-c52c75827541.agentsvc.azure-automation.net.
e564bc96-67af-48ed-a19d-c52c75827541.ods.opinsights.azure.com.
e564bc96-67af-48ed-a19d-c52c75827541.oms.opinsights.azure.com.
ipv4-cses-oms-eus-az02-prod.eastus.cloudapp.azure.com.
advisor52637988640647733.blob.core.windows.net
eus1.fe.azcr.io
main-ingress-545609a41fcaf5d6.elb.us-east-1.amazonaws.com

How do I find the minimal possible list of hosts required by the system? Is this page relevant: https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud ?
My current Azure related list of allowed domains looks like the one below. The list is based on the tcpdump running for a few hours. How do I narrow it?

*.azure.com
*.azure.net
*.microsoftonline.com
*.aka.ms
*.azure-api.net
*.azuredatalakestore.net
*.azureedge.net
*.loganalytics.io
*.microsoft.com
*.microsoftonline-p.com
*.msauth.net
*.msftauth.net
*.visualstudio.com
*.windows.net
*.windows-int.net
*.trafficmanager.net
*.azure.io
*.akadns.net
*.azcr.io
*.cloudapp.net

1 answer

  1. Arkady Miasnikov 1 Reputation point
    2022-11-29T16:45:35.133+00:00

    For the sake of the future generations:

    the way the DNS resolver at Microsoft works is that the hosts login.microsoftonline.com and drivethruclient.azurecr.io depend on the accessibility of the hosts *.msidentity.com, *.trafficmanager.net, *.cloudapp.net, *.cloudapp.azure.com, *.azcr.io. Maybe there is more, but this is what I have seen so far. You can see the CDN at work in this ping, for example:

    ping login.microsoftonline.com
    PING www.tm.ak.prd.aadg.trafficmanager.net (20.190.159.3) 56(84) bytes of data.

    If a firewall blocks trafficmanager.net, az login will fail. The DNS resolver rotates the (CDN?) providers every 5-10 minutes. The actual dependency can be r1007eus.eastus.cloudapp.azure.com, etc. This explains occasional failures of the az login for devices installed behind DNS filters. This means that whitelists 1) are not complete and 2) will never be complete. Using a custom domain in Azure Container Registry is a private preview feature, and I am not confident that it is not just another redirect. A typical example is Cisco Umbrella in the "Allowed only mode", when the DNS filter blocks access to all destinations except those specifically allowed.

    In my view this is a deficiency of the Azure Container Registry, limiting the deployment options. If you are to deploy a Docker container behind a whitelist-only firewall, consider using a different Docker registry, or a VPN.

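As an added illustration of the point made in the answer (not code from the original post), the script below audits a firewall allowlist the way a defender would before narrowing it: every observed name and every CNAME target in its resolution chain must be covered, or the service behind it breaks. The observed names are taken from the question; the CNAME chain for login.microsoftonline.com follows the ping output above, and the remaining chains are constructed sample data, not live lookups.

```python
"""Audit a wildcard DNS allowlist against observed names and their CNAME chains."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample: names seen in the capture, each mapped to the CNAME targets
# the resolver returned for it (empty list = A record only). Illustrative only.
OBSERVED: Dict[str, List[str]] = {
    "login.microsoftonline.com": ["www.tm.ak.prd.aadg.trafficmanager.net"],
    "r1007eus.eastus.cloudapp.azure.com": [],
    "advisor52637988640647733.blob.core.windows.net": [],
    "eus1.fe.azcr.io": [],
    "main-ingress-545609a41fcaf5d6.elb.us-east-1.amazonaws.com": [],
}

ALLOWLIST: List[str] = ["*.azure.com", "*.windows.net", "*.trafficmanager.net",
                        "*.azcr.io", "*.microsoftonline.com", "*.visualstudio.com"]


def matches(pattern: str, host: str) -> bool:
    """Firewall-style wildcard: '*.azure.com' covers any depth below azure.com
    and azure.com itself; an entry without '*.' must match exactly."""
    host = host.rstrip(".").lower()      # tcpdump prints trailing dots
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern


def covering_entry(host: str, allowlist: Iterable[str]) -> Optional[str]:
    """Return the first allowlist entry that covers host, or None."""
    return next((e for e in allowlist if matches(e, host)), None)


def audit(observed: Dict[str, List[str]],
          allowlist: List[str]) -> Tuple[Set[str], Set[str]]:
    """Return (names not covered, allowlist entries no observed name needs).
    CNAME targets are checked too, because blocking them breaks the origin name."""
    used: Set[str] = set()
    uncovered: Set[str] = set()
    for name, chain in observed.items():
        for host in [name, *chain]:
            entry = covering_entry(host, allowlist)
            if entry is None:
                uncovered.add(host)
            else:
                used.add(entry)
    return uncovered, set(allowlist) - used


if __name__ == "__main__":
    missing, unused = audit(OBSERVED, ALLOWLIST)
    print("not covered (will be blocked):", sorted(missing))
    print("never needed (candidates to drop):", sorted(unused))
```

Dropping an entry that the audit reports as unused is safe only for the names in the capture; re-running against a longer capture, as the answer notes, may surface new CNAME targets.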