StarLink IP6 point of presence switching between NZ/US

super_kennedys 0 Reputation points
2023-07-23T22:31:25.7133333+00:00

I have several users with StarLink IP6 connections. These users are attempting to connect to our Azure tenant - previously (before 20-7-2024), their home IP6 addresses as assigned by StarLink had a NZ based point of presence, matching the users and StarLink base stations. Since Thursday 20th July, they are switching between resolving as NZ/US, which breaks some of the conditional access rules and results in alerts around impossible travel etc. Could the problem be with how StarLink have defined their end point IP addresses, or with how Azure are looking them up (perhaps a stale incorrect cache?) - as mentioned, previous SpaceX IP6 addresses resolved locally.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. super_kennedys 0 Reputation points
    2023-07-24T19:46:50.16+00:00

    I fixed this by using the StarLink published IP ranges, which provided a 40-bit mask and greater discrimination than the 32-bit mask that Azure DNS seems to use for location attribution. By adding the two IP6 ranges [2406:2d40:4200::/40 and 2406:2d40:7200::/40] as named locations I was able to exclude these from the geoblock rule. Much safer to add a subset of known good addresses than remove the rule completely for those users.


  2. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2023-07-25T18:38:17.74+00:00

    @super_kennedys

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.


    Issue:

    You have users connecting to your Azure tenant with IP6 addresses (assigned through StarLink) showing NZ as their based point of presence. Recently, users' IP6 addresses have been resolving as NZ/US, which is causing issues with some of your Conditional Access rules and resulting in alerts around impossible travel, etc.

    I have several users with StarLink IP6 connections. These users are attempting to connect to our Azure tenant - previously (before 20-7-2024), their home IP6 addresses as assigned by StarLink had a NZ based point of presence, matching the users and StarLink base stations. Since Thursday 20th July, they are switching between resolving as NZ/US, which breaks some of the conditional access rules and results in alerts around impossible travel etc. Could the problem be with how StarLink have defined their end point IP addresses, or with how Azure are looking them up (perhaps a stale incorrect cache?) - as mentioned, previous SpaceX IP6 addresses resolved locally.

    Solution:

    To resolve your issue, you used the StarLink published IP ranges, which provide a 40-bit mask and greater discrimination than the 32-bit mask provided by Azure DNS.

    I fixed this by using the StarLink published IP ranges, which provided a 40-bit mask and greater discrimination than the 32-bit mask that Azure DNS seems to use for location attribution. By adding the two IP6 ranges [2406:2d40:4200::/40 and 2406:2d40:7200::/40] as named locations I was able to exclude these from the geoblock rule. Much safer to add a subset of known good addresses than remove the rule completely for those users.


    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    I hope this helps!

    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.
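
The approach described in the answers above, as an added example that is not code from either poster or from Microsoft: it checks sign-in source addresses against the two /40 ranges quoted in the thread, shows the single /32 block that a coarser lookup would lump them into, and builds a Microsoft Graph `ipNamedLocation` body for those ranges. The function names, the display name, the `isTrusted` value and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# The two ranges quoted in the thread.
STARLINK_NZ_RANGES = [ipaddress.ip_network(c) for c in
                      ("2406:2d40:4200::/40", "2406:2d40:7200::/40")]


def covering_prefix(net, bits=32):
    """Shorter prefix that a 32-bit lookup would treat as one block."""
    return net.supernet(new_prefix=bits)


def triage(addr):
    """Classify a sign-in source address (hypothetical helper).

    named-location      : inside one of the /40 ranges from the thread
    same-/32-not-listed : shares the /32 but is outside both /40s, so the
                          geoblock rule should still apply to it
    unrelated           : anything else
    """
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in STARLINK_NZ_RANGES):
        return "named-location"
    if any(ip in covering_prefix(net) for net in STARLINK_NZ_RANGES):
        return "same-/32-not-listed"
    return "unrelated"


def named_location_payload(display_name):
    """Body for POST /identity/conditionalAccess/namedLocations."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,   # constructed name
        "isTrusted": False,            # assumption: excluded, not marked trusted
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv6CidrRange",
                      "cidrAddress": str(net)} for net in STARLINK_NZ_RANGES],
    }


if __name__ == "__main__":
    # Constructed sample addresses, not taken from real sign-in logs.
    for sample in ("2406:2d40:4212:abcd::1", "2406:2d40:72ff::5",
                   "2406:2d40:1000::9", "2001:db8::1"):
        print(f"{sample:28} {triage(sample)}")
    print(named_location_payload("StarLink NZ (example)"))
```

Running the same triage over exported sign-in addresses before changing the Conditional Access rule shows how many sign-ins the exclusion would actually cover and how many would still hit the geoblock.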
