In this post, we will use the Azure CLI and the Azure Resource Graph to quickly generate a list of endpoints for Allow or Deny lists. You can find the source code for this example here:
An Allow List is a list of endpoints that you will allow through your firewall. A Deny List is the exact opposite: endpoints you deny through your firewall. You may be more familiar with the archaic terms, white list and black list. They are essentially the same thing. When I use the term endpoints, I am using it as a generic term to refer to URLs or IP Addresses.
Over the years I've worked with many Microsoft Partners who were helping their internal IT teams prepare to move to Azure. Often some services would live in Azure and some would remain on-premises. The internal IT teams needed a list of all the public endpoints in Azure so they could allow-list them or deny-list them.
Building this list in the past was complicated. Imagine having thousands of Azure resources, many of them with public endpoints; gathering all that information used to be a pain. Almost every Azure service has a public endpoint. Popular services like Azure SQL DB, Azure Storage Accounts, and Azure Web Apps all have public endpoints, and there are many, many more. Some services, like storage accounts, even have multiple public endpoints!
Even if you're not concerned with creating Allow Lists or Deny Lists, you might be interested to see all of the publicly available endpoints for your Azure services. You might want to track each of them and make sure you understand the risk and risk mitigation efforts for each.
Just by running this tool you might be surprised or even shocked at what you'll find. If you're an administrator for large deployments in Azure, you may have had suspicions that there are a ton of externally available resources. Now you can easily find them all and implement a plan to address them.
I built some sample code using node to show you how easy it is. Azure has a cross platform CLI and a couple of years ago the team built the Azure Resource Graph (ARG). ARG lets you query your Azure Resources and return just the data you need, formatted the way you need. Before ARG came along, it was a real pain to pull all of this information together.
ARG gets us most of the way there. I wrote some node code for the finishing touches.
To get a CSV file of all your URLs and IP addresses in an Azure subscription, you just need to install the dependencies and then run the script with your subscription ID, like this:
npm install
node index.js c8faea8e-b5d3-4f31-bc58-f15f4390309a > azure-allow-list.csv
You can open that CSV file in Excel and you'll get something that looks like this.
Notice the value column has the URL or the IP address for your service. You can now take this list and import it into whatever firewall or network appliance you're using.
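As an added illustration (not the code from the azure-allow-list repo), here is one way the ARG query and the node "finishing touches" fit together: the query projects each resource's public-endpoint property, and the node code expands a storage account's multiple endpoints into one CSV row per value. The resource types and property paths follow the Resource Graph schema; the subscription ID placeholder and the sample rows are constructed.

```javascript
// Added example (not the azure-allow-list repo's code): an ARG query that pulls the
// public-endpoint property of a few resource types, and node code that flattens
// the result to one CSV row per URL/IP. Sample rows below are constructed.
const QUERY = `
resources
| where type in~ ('microsoft.network/publicipaddresses', 'microsoft.storage/storageaccounts',
                  'microsoft.sql/servers', 'microsoft.web/sites')
| extend endpoints = case(
    type =~ 'microsoft.network/publicipaddresses', properties.ipAddress,
    type =~ 'microsoft.storage/storageaccounts',   properties.primaryEndpoints,
    type =~ 'microsoft.sql/servers',               properties.fullyQualifiedDomainName,
    properties.defaultHostName)
| where isnotnull(endpoints)
| project name, type, resourceGroup, endpoints`;
// Run with: az graph query -q "$QUERY" --subscriptions <SUBSCRIPTION_ID> -o json
// and pass the returned "data" array to toCsv().

// Constructed sample of the query's "data" array (not real tenant output).
const SAMPLE_DATA = [
  { name: 'web-pip', type: 'microsoft.network/publicipaddresses', resourceGroup: 'rg-prod',
    endpoints: '203.0.113.10' },
  { name: 'stprodlogs', type: 'microsoft.storage/storageaccounts', resourceGroup: 'rg-prod',
    endpoints: { blob: 'https://stprodlogs.blob.core.windows.net/',
                 queue: 'https://stprodlogs.queue.core.windows.net/' } },
  { name: 'sql-prod', type: 'microsoft.sql/servers', resourceGroup: 'rg-prod',
    endpoints: 'sql-prod.database.windows.net' },
];

// Quote a CSV field so commas or quotes inside a value cannot shift the columns.
function csvField(v) {
  const s = String(v ?? '');
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

// Flatten query rows to CSV; a storage account's primaryEndpoints bag becomes one row per kind.
function toCsv(rows) {
  const lines = ['name,type,resourceGroup,endpoint,value'];
  for (const r of rows) {
    const eps = r.endpoints && typeof r.endpoints === 'object'
      ? Object.entries(r.endpoints)
      : [['', r.endpoints]];
    for (const [kind, value] of eps) {
      lines.push([r.name, r.type, r.resourceGroup, kind, value].map(csvField).join(','));
    }
  }
  return lines.join('\n');
}

console.log(toCsv(SAMPLE_DATA));
```

Redirect the output to a file and the value column is ready to import, just as with the repo's script.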
You can find all the easy steps to get started on the GitHub repo: https://github.com/michaelsrichter/azure-allow-list. It works great in the Azure Cloud Shell too!
Of course, this tool can be improved in many ways. Feel free to make a suggestion or submit your own pull request. And please let me know if you have any thoughts or feedback. You can use the comments below or on GitHub too. Thanks!