IP addresses used by Azure Monitor
Azure Monitor uses several IP addresses. Azure Monitor is made up of core platform metrics and logs in addition to Log Analytics and Application Insights. You might need to know IP addresses if the app or infrastructure that you're monitoring is hosted behind a firewall.
Note
Although these addresses are static, it's possible that we'll need to change them from time to time. All Application Insights traffic represents outbound traffic with the exception of availability monitoring and webhook action groups, which also require inbound firewall rules.
You can use Azure network service tags to manage access if you're using Azure network security groups. If you're managing access for hybrid/on-premises resources, you can download the equivalent IP address lists as JSON files, which are updated each week. To cover all the exceptions in this article, use the service tags ActionGroup, ApplicationInsightsAvailability, and AzureMonitor.
Alternatively, you can subscribe to this page as an RSS feed by adding https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/azure-monitor/app/ip-addresses.md to your favorite RSS/ATOM reader to get notified of the latest changes.
Outgoing ports
You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or Status Monitor to send data to the portal.
| Purpose | URL | Type | IP | Ports |
|---|---|---|---|---|
| Telemetry | dc.applicationinsights.azure.com dc.applicationinsights.microsoft.com dc.services.visualstudio.com *.in.applicationinsights.azure.com |
Global Global Global Regional |
443 | |
| Live Metrics | live.applicationinsights.azure.com rt.applicationinsights.microsoft.com rt.services.visualstudio.com {region}.livediagnostics.monitor.azure.com Example for {region}: westus2 Find all supported regions in this table. |
Global Global Global Regional |
20.49.111.32/29 13.73.253.112/29 |
443 |
Important
For Live Metrics, it is required to add the list of IPs for the respective region aside from global IPs.
Note
These addresses are listed by using Classless Interdomain Routing notation. As an example, an entry like 51.144.56.112/28 is equivalent to 16 IPs that start at 51.144.56.112 and end at 51.144.56.127.
Note
As described in the Azure TLS 1.2 migration announcement, Application Insights connection-string based regional telemetry endpoints only support TLS 1.2. Global telemetry endpoints continue to support TLS 1.0 and TLS 1.1.
If you're using an older version of TLS, Application Insights will not ingest any telemetry. For applications based on .NET Framework see Transport Layer Security (TLS) best practices with the .NET Framework to support the newer TLS version.
Status Monitor
Status Monitor configuration is needed only when you're making changes.
| Purpose | URL | Ports |
|---|---|---|
| Configuration | management.core.windows.net |
443 |
| Configuration | management.azure.com |
443 |
| Configuration | login.windows.net |
443 |
| Configuration | login.microsoftonline.com |
443 |
| Configuration | secure.aadcdn.microsoftonline-p.com |
443 |
| Configuration | auth.gfx.ms |
443 |
| Configuration | login.live.com |
443 |
| Installation | globalcdn.nuget.org, packages.nuget.org ,api.nuget.org/v3/index.json nuget.org, api.nuget.org, dc.services.vsallin.net |
443 |
Availability tests
This is the list of addresses from which availability web tests are run. If you want to run web tests on your app but your web server is restricted to serving specific clients, you'll have to permit incoming traffic from our availability test servers.
Note
For resources located inside private virtual networks that can't allow direct inbound communication with the availability test agents in public Azure, the only option is to create and host your own custom availability tests.
Service tag
If you're using Azure network security groups, add an inbound port rule to allow traffic from Application Insights availability tests. Select Service Tag as the Source and ApplicationInsightsAvailability as the Source service tag.
Open port 80 (HTTP) and port 443 (HTTPS) for incoming traffic from these addresses. IP addresses are grouped by location.
IP addresses
If you're looking for the actual IP addresses so that you can add them to the list of allowed IPs in your firewall, download the JSON file that describes Azure IP ranges. These files contain the most up-to-date information. After you download the appropriate file, open it by using your favorite text editor. Search for ApplicationInsightsAvailability to go straight to the section of the file that describes the service tag for availability tests.
For Azure public cloud, you need to allow both the global IP ranges and the ones specific for the region of your Application Insights resource which receives live data. You can find the global IP ranges in the Outgoing ports table at the top of this document, and the regional IP ranges in the Addresses grouped by region table below.
Azure public cloud
Download public cloud IP addresses.
Azure US Government cloud
Download US Government cloud IP addresses.
Azure China cloud
Download China cloud IP addresses.
Addresses grouped by region (Azure public cloud)
Note
Add the subdomain of the corresponding region to the Live Metrics URL from the Outgoing ports table.
| Continent/Country | Region | Subdomain | IP |
|---|---|---|---|
| Asia | East Asia | eastasia | 52.229.216.48/28 20.189.111.16/29 |
| Southeast Asia | southeastasia | 52.139.250.96/28 23.98.106.152/29 |
|
| Australia | Australia Central | australiacentral | 20.37.227.104/29 |
| Australia Central 2 | australiacentral2 | 20.53.60.224/31 |
|
| Australia East | australiaeast | 20.40.124.176/28 20.37.198.232/29 |
|
| Australia Southeast | australiasoutheast | 20.42.230.224/29 |
|
| Brazil | Brazil South | brazilsouth | 191.233.26.176/28 191.234.137.40/29 |
| Brazil Southeast | brazilsoutheast | 20.206.0.196/31 |
|
| Canada | Canada Central | canadacentral | 52.228.86.152/29 |
| Europe | North Europe | northeurope | 52.158.28.64/28 20.50.68.128/29 |
| West Europe | westeurope | 51.144.56.96/28 40.113.178.32/29 |
|
| France | France Central | francecentral | 20.40.129.32/28 20.43.44.216/29 |
| France South | francesouth | 20.40.129.96/28 52.136.191.12/31 |
|
| Germany | Germany West Central | germanywestcentral | 20.52.95.50/31 |
| India | Central India | centralindia | 52.140.108.216/29 |
| South India | southindia | 20.192.153.106/31 |
|
| Japan | Japan East | japaneast | 52.140.232.160/28 20.43.70.224/29 |
| Japan West | japanwest | 20.189.194.102/31 |
|
| Korea | Korea Central | koreacentral | 20.41.69.24/29 |
| Norway | Norway East | norwayeast | 51.120.235.248/29 |
| Norway West | norwaywest | 51.13.143.48/31 |
|
| Qatar | Qatar Central | qatarcentral | 20.21.39.224/29 |
| South Africa | South Africa North | southafricanorth | 102.133.219.136/29 |
| Switzerland | Switzerland North | switzerlandnorth | 51.107.52.200/29 |
| Switzerland West | switzerlandwest | 51.107.148.8/29 |
|
| United Arab Emirates | UAE North | uaenorth | 20.38.143.44/31 40.120.87.204/31 |
| United Kingdom | UK South | uksouth | 51.105.9.128/28 51.104.30.160/29 |
| UK West | ukwest | 20.40.104.96/28 51.137.164.200/29 |
|
| United States | Central US | centralus | 13.86.97.224/28 20.40.206.232/29 |
| East US | eastus | 20.42.35.32/28 20.49.111.32/29 |
|
| East US 2 | eastus2 | 20.49.102.24/29 |
|
| North Central US | northcentralus | 23.100.224.16/28 20.49.114.40/29 |
|
| South Central US | southcentralus | 20.45.5.160/28 13.73.253.112/29 |
|
| West US | westus | 40.91.82.48/28 52.250.228.8/29 |
|
| West US 2 | westus2 | 40.64.134.128/29 |
|
| West US 3 | westus3 | 20.150.241.64/29 |
Upcoming regions (Azure public cloud)
Note
The following regions are not supported yet, but will be added in the near future.
| Continent/Country | Region | Subdomain | IP |
|---|---|---|---|
| Canada | Canada East | TBD | 52.242.40.208/31 |
| Germany | Germany North | TBD | 51.116.75.92/31 |
| India | West India | TBD | 20.192.84.164/31 |
| Jio India Central | TBD | 20.192.50.200/29 |
|
| Jio India West | TBD | 20.193.194.32/29 |
|
| Israel | Israel Central | TBD | 20.217.44.250/31 |
| Poland | Poland Central | TBD | 20.215.4.250/31 |
| South Africa | South Africa West | TBD | 102.37.86.196/31 |
| Sweden | Sweden Central | TBD | 51.12.25.192/29 |
| Sweden South | TBD | 51.12.17.128/29 |
|
| Taiwan | Taiwan North | TBD | 51.53.28.214/31 |
| Taiwan Northwest | TBD | 51.53.172.214/31 |
|
| United Arab Emirates | UAE Central | TBD | 20.45.95.68/31 |
| United States | West Central US | TBD | 52.150.154.24/29 |
Discovery API
You might also want to programmatically retrieve the current list of service tags together with IP address range details.
Application Insights and Log Analytics APIs
| Purpose | URI | IP | Ports |
|---|---|---|---|
| API | api.applicationinsights.ioapi1.applicationinsights.ioapi2.applicationinsights.ioapi3.applicationinsights.ioapi4.applicationinsights.ioapi5.applicationinsights.iodev.applicationinsights.iodev.applicationinsights.microsoft.comdev.aisvc.visualstudio.comwww.applicationinsights.iowww.applicationinsights.microsoft.comwww.aisvc.visualstudio.comapi.loganalytics.io*.api.loganalytics.iodev.loganalytics.iodocs.loganalytics.iowww.loganalytics.io |
20.37.52.188 20.37.53.231 20.36.47.130 20.40.124.0 20.43.99.158 20.43.98.234 13.70.127.61 40.81.58.225 20.40.160.120 23.101.225.155 52.139.8.32 13.88.230.43 52.230.224.237 52.242.230.209 52.173.249.138 52.229.218.221 52.229.225.6 23.100.94.221 52.188.179.229 52.226.151.250 52.150.36.187 40.121.135.131 20.44.73.196 20.41.49.208 40.70.23.205 20.40.137.91 20.40.140.212 40.89.189.61 52.155.118.97 52.156.40.142 23.102.66.132 52.231.111.52 52.231.108.46 52.231.64.72 52.162.87.50 23.100.228.32 40.127.144.141 52.155.162.238 137.116.226.81 52.185.215.171 40.119.4.128 52.171.56.178 20.43.152.45 20.44.192.217 13.67.77.233 51.104.255.249 51.104.252.13 51.143.165.22 13.78.151.158 51.105.248.23 40.74.36.208 40.74.59.40 13.93.233.49 52.247.202.90 |
80,443 |
| Azure Pipeline annotations extension | aigs1.aisvc.visualstudio.com | dynamic | 443 |
Application Insights analytics
| Purpose | URI | IP | Ports |
|---|---|---|---|
| Analytics portal | analytics.applicationinsights.io | dynamic | 80,443 |
| CDN | applicationanalytics.azureedge.net | dynamic | 80,443 |
| Media CDN | applicationanalyticsmedia.azureedge.net | dynamic | 80,443 |
The *.applicationinsights.io domain is owned by the Application Insights team.
Log Analytics portal
| Purpose | URI | IP | Ports |
|---|---|---|---|
| Portal | portal.loganalytics.io | dynamic | 80,443 |
| CDN | applicationanalytics.azureedge.net | dynamic | 80,443 |
The *.loganalytics.io domain is owned by the Log Analytics team.
Application Insights Azure portal extension
| Purpose | URI | IP | Ports |
|---|---|---|---|
| Application Insights extension | stamp2.app.insightsportal.visualstudio.com | dynamic | 80,443 |
| Application Insights extension CDN | insightsportal-prod2-cdn.aisvc.visualstudio.com insightsportal-prod2-asiae-cdn.aisvc.visualstudio.com insightsportal-cdn-aimon.applicationinsights.io |
dynamic | 80,443 |
Application Insights SDKs
| Purpose | URI | IP | Ports |
|---|---|---|---|
| Application Insights JS SDK CDN | az416426.vo.msecnd.net js.monitor.azure.com |
dynamic | 80,443 |
Action group webhooks
You can query the list of IP addresses used by action groups by using the Get-AzNetworkServiceTag PowerShell command.
Action group service tag
Managing changes to source IP addresses can be time consuming. Using service tags eliminates the need to update your configuration. A service tag represents a group of IP address prefixes from a specific Azure service. Microsoft manages the IP addresses and automatically updates the service tag as addresses change, which eliminates the need to update network security rules for an action group.
In the Azure portal under Azure Services, search for Network Security Group.
Select Add and create a network security group:
- Add the resource group name, and then enter Instance details information.
- Select Review + Create, and then select Create.
Go to Resource Group, and then select the network security group you created:
- Select Inbound security rules.
- Select Add.
A new window opens in the right pane:
- Under Source, enter Service Tag.
- Under Source service tag, enter ActionGroup.
- Select Add.
Profiler
| Purpose | URI | IP | Ports |
|---|---|---|---|
| Agent | agent.azureserviceprofiler.net *.agent.azureserviceprofiler.net |
20.190.60.38 20.190.60.32 52.173.196.230 52.173.196.209 23.102.44.211 23.102.45.216 13.69.51.218 13.69.51.175 138.91.32.98 138.91.37.93 40.121.61.208 40.121.57.2 51.140.60.235 51.140.180.52 52.138.31.112 52.138.31.127 104.211.90.234 104.211.91.254 13.70.124.27 13.75.195.15 52.185.132.101 52.185.132.170 20.188.36.28 40.89.153.171 52.141.22.239 52.141.22.149 102.133.162.233 102.133.161.73 191.232.214.6 191.232.213.239 |
443 |
| Portal | gateway.azureserviceprofiler.net | dynamic | 443 |
| Storage | *.core.windows.net | dynamic | 443 |
Snapshot Debugger
Note
Profiler and Snapshot Debugger share the same set of IP addresses.
| Purpose | URI | IP | Ports |
|---|---|---|---|
| Agent | agent.azureserviceprofiler.net *.agent.azureserviceprofiler.net |
20.190.60.38 20.190.60.32 52.173.196.230 52.173.196.209 23.102.44.211 23.102.45.216 13.69.51.218 13.69.51.175 138.91.32.98 138.91.37.93 40.121.61.208 40.121.57.2 51.140.60.235 51.140.180.52 52.138.31.112 52.138.31.127 104.211.90.234 104.211.91.254 13.70.124.27 13.75.195.15 52.185.132.101 52.185.132.170 20.188.36.28 40.89.153.171 52.141.22.239 52.141.22.149 102.133.162.233 102.133.161.73 191.232.214.6 191.232.213.239 |
443 |
| Portal | gateway.azureserviceprofiler.net | dynamic | 443 |
| Storage | *.core.windows.net | dynamic | 443 |
Feedback
Submit and view feedback for