IP addresses used by Azure Monitor

Azure Monitor uses several IP addresses. Azure Monitor is made up of core platform metrics and logs in addition to Log Analytics and Application Insights. You might need to know IP addresses if the app or infrastructure that you're monitoring is hosted behind a firewall.


Although these addresses are static, it's possible that we'll need to change them from time to time. All Application Insights traffic represents outbound traffic with the exception of availability monitoring and webhook action groups, which also require inbound firewall rules.

You can use Azure network service tags to manage access if you're using Azure network security groups. If you're managing access for hybrid/on-premises resources, you can download the equivalent IP address lists as JSON files, which are updated each week. To cover all the exceptions in this article, use the service tags ActionGroup, ApplicationInsightsAvailability, and AzureMonitor.

Alternatively, you can subscribe to this page as an RSS feed by adding https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/azure-monitor/app/ip-addresses.md to your favorite RSS/ATOM reader to get notified of the latest changes.

Outgoing ports

You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or Status Monitor to send data to the portal.

Purpose URL Type IP Ports
Telemetry dc.applicationinsights.azure.com

Live Metrics live.applicationinsights.azure.com


Example for {region}: westus2
Find all supported regions in this table.



For Live Metrics, it is required to add the list of IPs for the respective region aside from global IPs.


These addresses are listed by using Classless Interdomain Routing notation. As an example, an entry like is equivalent to 16 IPs that start at and end at


As described in the Azure TLS 1.2 migration announcement, Application Insights connection-string based regional telemetry endpoints only support TLS 1.2. Global telemetry endpoints continue to support TLS 1.0 and TLS 1.1.

If you're using an older version of TLS, Application Insights will not ingest any telemetry. For applications based on .NET Framework see Transport Layer Security (TLS) best practices with the .NET Framework to support the newer TLS version.

Status Monitor

Status Monitor configuration is needed only when you're making changes.

Purpose URL Ports
Configuration management.core.windows.net 443
Configuration management.azure.com 443
Configuration login.windows.net 443
Configuration login.microsoftonline.com 443
Configuration secure.aadcdn.microsoftonline-p.com 443
Configuration auth.gfx.ms 443
Configuration login.live.com 443
Installation globalcdn.nuget.org, packages.nuget.org ,api.nuget.org/v3/index.json nuget.org, api.nuget.org, dc.services.vsallin.net 443

Availability tests

This is the list of addresses from which availability web tests are run. If you want to run web tests on your app but your web server is restricted to serving specific clients, you'll have to permit incoming traffic from our availability test servers.


For resources located inside private virtual networks that can't allow direct inbound communication with the availability test agents in public Azure, the only option is to create and host your own custom availability tests.

Service tag

If you're using Azure network security groups, add an inbound port rule to allow traffic from Application Insights availability tests. Select Service Tag as the Source and ApplicationInsightsAvailability as the Source service tag.

Screenshot that shows selecting Inbound security rules and then selecting Add.

Screenshot that shows the Add inbound security rule tab.

Open port 80 (HTTP) and port 443 (HTTPS) for incoming traffic from these addresses. IP addresses are grouped by location.

IP addresses

If you're looking for the actual IP addresses so that you can add them to the list of allowed IPs in your firewall, download the JSON file that describes Azure IP ranges. These files contain the most up-to-date information. After you download the appropriate file, open it by using your favorite text editor. Search for ApplicationInsightsAvailability to go straight to the section of the file that describes the service tag for availability tests.

For Azure public cloud, you need to allow both the global IP ranges and the ones specific for the region of your Application Insights resource which receives live data. You can find the global IP ranges in the Outgoing ports table at the top of this document, and the regional IP ranges in the Addresses grouped by region table below.

Azure public cloud

Download public cloud IP addresses.

Azure US Government cloud

Download US Government cloud IP addresses.

Azure China cloud

Download China cloud IP addresses.

Addresses grouped by region (Azure public cloud)


Add the subdomain of the corresponding region to the Live Metrics URL from the Outgoing ports table.

Continent/Country Region Subdomain IP
Asia East Asia eastasia
Southeast Asia southeastasia
Australia Australia Central australiacentral

Australia Central 2 australiacentral2

Australia East australiaeast
Australia Southeast australiasoutheast

Brazil Brazil South brazilsouth
Brazil Southeast brazilsoutheast

Canada Canada Central canadacentral

Europe North Europe northeurope
West Europe westeurope
France France Central francecentral
France South francesouth
Germany Germany West Central germanywestcentral

India Central India centralindia

South India southindia

Japan Japan East japaneast
Japan West japanwest

Korea Korea Central koreacentral

Norway Norway East norwayeast

Norway West norwaywest

Qatar Qatar Central qatarcentral

South Africa South Africa North southafricanorth

Switzerland Switzerland North switzerlandnorth

Switzerland West switzerlandwest

United Arab Emirates UAE North uaenorth
United Kingdom UK South uksouth
UK West ukwest
United States Central US centralus
East US eastus
East US 2 eastus2

North Central US northcentralus
South Central US southcentralus
West US westus
West US 2 westus2

West US 3 westus3

Upcoming regions (Azure public cloud)


The following regions are not supported yet, but will be added in the near future.

Continent/Country Region Subdomain IP
Canada Canada East TBD

Germany Germany North TBD

India West India TBD

Jio India Central TBD

Jio India West TBD

Israel Israel Central TBD

Poland Poland Central TBD

South Africa South Africa West TBD

Sweden Sweden Central TBD

Sweden South TBD

Taiwan Taiwan North TBD

Taiwan Northwest TBD

United Arab Emirates UAE Central TBD

United States West Central US TBD

Discovery API

You might also want to programmatically retrieve the current list of service tags together with IP address range details.

Application Insights and Log Analytics APIs

Purpose URI IP Ports
API api.applicationinsights.io
Azure Pipeline annotations extension aigs1.aisvc.visualstudio.com dynamic 443

Application Insights analytics

Purpose URI IP Ports
Analytics portal analytics.applicationinsights.io dynamic 80,443
CDN applicationanalytics.azureedge.net dynamic 80,443
Media CDN applicationanalyticsmedia.azureedge.net dynamic 80,443

The *.applicationinsights.io domain is owned by the Application Insights team.

Log Analytics portal

Purpose URI IP Ports
Portal portal.loganalytics.io dynamic 80,443
CDN applicationanalytics.azureedge.net dynamic 80,443

The *.loganalytics.io domain is owned by the Log Analytics team.

Application Insights Azure portal extension

Purpose URI IP Ports
Application Insights extension stamp2.app.insightsportal.visualstudio.com dynamic 80,443
Application Insights extension CDN insightsportal-prod2-cdn.aisvc.visualstudio.com
dynamic 80,443

Application Insights SDKs

Purpose URI IP Ports
Application Insights JS SDK CDN az416426.vo.msecnd.net
dynamic 80,443

Action group webhooks

You can query the list of IP addresses used by action groups by using the Get-AzNetworkServiceTag PowerShell command.

Action group service tag

Managing changes to source IP addresses can be time consuming. Using service tags eliminates the need to update your configuration. A service tag represents a group of IP address prefixes from a specific Azure service. Microsoft manages the IP addresses and automatically updates the service tag as addresses change, which eliminates the need to update network security rules for an action group.

  1. In the Azure portal under Azure Services, search for Network Security Group.

  2. Select Add and create a network security group:

    1. Add the resource group name, and then enter Instance details information.
    2. Select Review + Create, and then select Create.

    Screenshot that shows how to create a network security group.

  3. Go to Resource Group, and then select the network security group you created:

    1. Select Inbound security rules.
    2. Select Add.

    Screenshot that shows how to add inbound security rules.

  4. A new window opens in the right pane:

    1. Under Source, enter Service Tag.
    2. Under Source service tag, enter ActionGroup.
    3. Select Add.

    Screenshot that shows how to add a service tag.


Purpose URI IP Ports
Agent agent.azureserviceprofiler.net
Portal gateway.azureserviceprofiler.net dynamic 443
Storage *.core.windows.net dynamic 443

Snapshot Debugger


Profiler and Snapshot Debugger share the same set of IP addresses.

Purpose URI IP Ports
Agent agent.azureserviceprofiler.net
Portal gateway.azureserviceprofiler.net dynamic 443
Storage *.core.windows.net dynamic 443