[ID-1315] Download list of Azure IP addresses #1736
base: develop
This will eventually be used to ensure only requests from Azure IP addresses are allowed to access Anvil data on Azure (to prevent egress charges).
…o se/ID-1315-get-azure-ips
public Map<Integer, List<String>> azureIPs() throws IOException { | ||
URL url = | ||
new URL( | ||
"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20240708.json"); |
I just hard-coded this url for testing btw. It actually changes when the file is updated once a week so our options are to:
- Parse the download url from https://www.microsoft.com/en-us/download/details.aspx?id=56519
- Use the https://learn.microsoft.com/en-us/rest/api/virtualnetwork/service-tags/list?view=rest-virtualnetwork-2024-01-01 API endpoint (this requires a subscription id though)
ah dang yeah that's annoying, I think using the API endpoint is the move, not sure about the subscription we should use for that though, I'd ask about it in #dsp-azure
The second object won't get us Azure IP ranges. It'll just list the Public IPs within a subscription, which are a specific Azure resource.
Quality Gate passed
ObjectMapper objectMapper = new ObjectMapper(); | ||
JsonNode data = objectMapper.readTree(url); | ||
JsonNode values = data.get("values"); | ||
// Map {Region ID: List of IP addresses} |
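Review bot: `data.get("values")` returns null when the field is missing, and nothing in this hunk checks the result, so a renamed, truncated or error-page response from the download host fails later with a NullPointerException instead of a clear message at load time. Check that `values` is present and is a non-empty array right after `readTree`, and throw a descriptive exception otherwise. Separately, `objectMapper.readTree(url)` opens the connection itself with no connect or read timeout; fetching the body through an HTTP client with timeouts and handing the stream to `readTree` would keep a slow download from blocking the caller.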
I'm mapping based on the region id here, since we may need to only allow IPs from certain regions for AXIN. I'm still trying to find the regions those ids correspond to...
It looks like you can maybe use this endpoint to list the regions? https://learn.microsoft.com/en-us/rest/api/resources/subscriptions/list-locations?view=rest-resources-2022-12-01&tabs=HTTP
I think it would be helpful to use something like https://seancfoley.github.io/IPAddress/. That way, we have the utilities to check if a given IP is in a cidr block, and other useful features!
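The check this thread is working towards, as an added example that is not code from the pull request: given a region-id-to-prefix map of the shape `azureIPs()` returns, decide whether a client IP from the request header falls inside an allowed region's CIDR blocks, using only the JDK rather than the IPAddress library suggested above. The class and method names, the region ids and the prefixes are assumptions; the prefixes are documentation ranges, not Azure data.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.*;
import java.util.regex.Pattern;
// Hypothetical names throughout; only the Map<Integer, List<String>> shape comes from the PR.
public class AzureIpAllowList {
  static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
  static final Pattern IPV4 = Pattern.compile(OCTET + "(\\." + OCTET + "){3}");
  static final Pattern IPV6 = Pattern.compile("(?=.*:)[0-9a-fA-F:][0-9a-fA-F:.]*");
  // InetAddress.getByName resolves hostnames, so reject anything not shaped like an IP literal.
  static byte[] parse(String s) throws UnknownHostException {
    boolean literal = s != null && (IPV4.matcher(s).matches() || IPV6.matcher(s).matches());
    if (!literal) throw new UnknownHostException("not an IP literal");
    return InetAddress.getByName(s).getAddress();
  }

  static boolean inCidr(byte[] ip, String cidr) throws UnknownHostException {
    String[] parts = cidr.split("/");
    byte[] net = parse(parts[0]);
    int bits = Integer.parseInt(parts[1]);
    if (bits < 0 || bits > net.length * 8) throw new IllegalArgumentException(cidr);
    if (net.length != ip.length) return false; // IPv4 address against IPv6 prefix, or the reverse
    for (int i = 0; i < net.length && bits > 0; i++, bits -= 8) {
      int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF;
      if ((ip[i] & mask) != (net[i] & mask)) return false;
    }
    return true;
  }

  static boolean isAllowed(String clientIp, Map<Integer, List<String>> azureIps, Set<Integer> regions) {
    try {
      byte[] ip = parse(clientIp);
      for (Map.Entry<Integer, List<String>> e : azureIps.entrySet()) {
        if (!regions.contains(e.getKey())) continue; // region not on the allow list
        for (String cidr : e.getValue()) if (inCidr(ip, cidr)) return true;
      }
      return false;
    } catch (UnknownHostException | RuntimeException ex) {
      return false; // fail closed on a malformed header value or prefix
    }
  }

  public static void main(String[] args) {
    // Constructed sample: region ids 1 and 2 with documentation-range prefixes, not Azure data.
    var azureIps = Map.of(1, List.of("203.0.113.0/24", "2001:db8:10::/48"), 2, List.of("198.51.100.0/25"));
    for (String ip : List.of("203.0.113.77", "2001:db8:10::1", "198.51.100.5", "192.0.2.9", "evil.example")) {
      System.out.println(ip + " -> " + isAllowed(ip, azureIps, Set.of(1)));
    }
  }
}
```

Run it with `java AzureIpAllowList.java` on JDK 11 or later; the third address sits in a region that is not in the allowed set, and the last value is a hostname rather than an IP literal.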
Jira ticket: https://broadworkbench.atlassian.net/browse/ID-1315
Addresses
DRSHub now sends the client IP address in the request header when resolving a DRS URI. If AnVIL data is being requested and the IP address is not from Azure, TDR should reject the request to prevent egress charges. In order to do this, TDR needs to get and maintain a list of Azure IP addresses.
Summary of changes
Download the list of Azure IPs (published weekly) and create a mapping of region ids to IP addresses to be used in the DrsService.
Testing Strategy