
Azure Service Tag API

This solution was developed in the Data Platform Team and contributed to the CLOE Terraform Solutions.

Description

Looking up the public IP ranges associated with the Service Tags of an Azure service is cumbersome. It either requires downloading and parsing a weekly updated JSON file, or calling an authenticated API, which means additional infrastructure on top of the services and applications that need the data, e.g. for firewall configuration.

Note: The data published by the Azure Service Tag API is delayed for up to 4 weeks.

These options are described in detail in the Microsoft documentation.

To alleviate some of that pain, this API project consumes both sources, consolidates their contents and offers the most recently available data through selected public endpoints. The available options are:

  • JSON REST API
    • list function
      • offers different formats, set using the format query parameter, e.g. GET <endpoint-url>/api/list?format=api
        • file (identical to the JSON file download from Microsoft)
        • api (identical to the official Azure Service Tag API)
        • plain (plaintext list of all IPs of the requested (filtered) Service Tags)
      • offers optional filter options
        • region (comma separated list of regions to filter the available Service Tags)
        • service (comma separated list of services to filter the available Service Tags)
        • ipversion (filter to receive either IPv4 or IPv6 address prefixes instead of both)
    • capabilities function
      • simple endpoint to get all available filter values and examples
  • Azure Blob Storage
    • for static formats consumed by clients that can natively use the Blob API
      • file (identical to the JSON file download from Microsoft)
      • api (identical to the official Azure Service Tag API)

The REST API can be reached under https://<function-app-default-domain>/api/<endpoint> using the GET method.

Example:

GET https://my-function-app.azurewebsites.net/api/list?format=api&region=westeurope
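To show what the list function's filters and the plain format actually do to an api-format document, here is an added example of the same region/service/ipversion filtering applied client-side. It is not code from this project; the sample document is constructed in the shape of an Azure Service Tag API response with documentation prefixes, not real Azure data.

```python
import ipaddress
import json

# Constructed sample in the 'api' format; RFC 5737/3849 documentation ranges, not real Azure data.
SAMPLE_API_JSON = json.dumps({"cloud": "Public", "values": [
    {"name": "AzureCloud.westeurope", "properties": {"region": "westeurope",
     "systemService": "AzureCloud", "addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
    {"name": "Storage.westeurope", "properties": {"region": "westeurope",
     "systemService": "Storage", "addressPrefixes": ["198.51.100.0/25"]}},
    {"name": "Storage.northeurope", "properties": {"region": "northeurope",
     "systemService": "Storage", "addressPrefixes": ["198.51.100.128/25", "2001:db8:2::/48"]}},
    {"name": "Storage", "properties": {"region": "",
     "systemService": "Storage", "addressPrefixes": ["198.51.100.0/24"]}},
]})


def _csv_set(value):
    """Parse a comma separated query value into a lowercase set (None = no filter)."""
    return {v.strip().lower() for v in value.split(",") if v.strip()} if value else None


def filter_service_tags(api_json, region=None, service=None, ipversion=None):
    """Apply region/service/ipversion filters to an 'api'-format document and return
    the matching tags with addressPrefixes reduced to the requested IP version."""
    regions, services = _csv_set(region), _csv_set(service)
    want = {"ipv4": 4, "ipv6": 6}.get(ipversion.lower()) if ipversion else None
    matched = []
    for tag in json.loads(api_json)["values"]:
        props = tag["properties"]
        if regions is not None and props.get("region", "").lower() not in regions:
            continue
        if services is not None and props.get("systemService", "").lower() not in services:
            continue
        prefixes = [p for p in props["addressPrefixes"]
                    if want is None or ipaddress.ip_network(p, strict=False).version == want]
        if prefixes:  # drop tags that have no prefix of the requested version
            matched.append({**tag, "properties": {**props, "addressPrefixes": prefixes}})
    return matched


def to_plain(tags):
    """Render the 'plain' format: one unique prefix per line, IPv4 first, sorted."""
    nets = {ipaddress.ip_network(p, strict=False)
            for t in tags for p in t["properties"]["addressPrefixes"]}
    return "\n".join(str(n) for n in sorted(nets, key=lambda n: (n.version, n)))


if __name__ == "__main__":
    # Equivalent of GET /api/list?format=plain&region=westeurope&ipversion=ipv4
    print(to_plain(filter_service_tags(SAMPLE_API_JSON, region="westeurope", ipversion="ipv4")))
```

Note that a tag without a region (here the plain "Storage" tag) is excluded by any region filter, so a firewall rule built from a region-filtered list will not contain the global prefixes of that service.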

Architecture

[Figure: architectural overview]

Deployment

:info: The following steps should be done within the supplied DevContainer.

The Azure Service Tag API infrastructure is deployed using Terraform. To prepare the deployment, first fill out the YAML config file located at terraform/config/<env>.yml, where env refers to the project environment, e.g., dev, uat, or prd. See the section about the YAML config file for details. Then fill out the Terraform backend config file terraform/config/<env>.tfbackend, where env again refers to the project environment. See the section about the backend config file for details.

:info: You can have separate config files for each environment. Make sure to also use separate state files in your backend config, for example by changing the key of the state file.

Use the Terminal to navigate to the terraform directory (cd snowflake/FirewallUpdater/terraform). Login using the Azure CLI (az login --use-device-code; follow the instructions given by the Azure CLI).

Deploy the infrastructure using the deploy.sh bash script (bash deploy.sh --env <env>, where env is the environment you want to deploy to, e.g., dev, uat, or prd). The script will run terraform and display a deployment plan. Verify that the plan matches your configuration. The script will then prompt you whether the proposed plan should be applied. Answer with y to roll out the proposed plan.

YAML Config File

subscription_id: "<subscription-id>"            # Azure Subscription Id. Must exist before deployment.
resource_group_name: "<resource-group-name>"    # Azure Resource Group Name where the Service Tag API is deployed. Must exist before deployment.
storage_account_name: "<storage-account-name>"  # Enter the name of the storage account for the Service Tag API.
storage_account_sku: "LRS"                      # Storage account replication. Leave at 'LRS' unless required otherwise.
hosting_plan_name: "<app-service-plan-name>"    # Enter the name of the App Service Plan hosting the function app.
hosting_plan_sku: "<app-service-plan-sku>"      # Enter the SKU of the App Service Plan. See https://azure.microsoft.com/en-us/pricing/details/app-service/linux/
function_app_name: "<function-app-name>"        # Enter the name of the Service Tag API function app.
download_schedule: "0 0 */6 * * *"              # Update Schedule of the Service Tag API. Default: Every 6 hours.
tags:
  environment: "dev"

Terraform Backend Config File

The backend config file specifies where the Terraform state is stored.

  • subscription_id: Azure Subscription Id
  • resource_group_name: Resource Group Name where the State is stored. This does not need to be the same as the Firewall Updater RG.
  • storage_account_name: Storage Account used to store the Terraform state.
  • container_name: Container name on the Storage Account where the Terraform state is stored.
  • key: Name of the state file.

Custom Role

To call the Microsoft Service Tag API, the Managed Identity of the Azure Function must be granted a role on the subscription that permits at least the Microsoft.Network/locations/serviceTags/read action. For least privilege, create and use the custom role ServiceTag-Reader as defined in custom-role. Alternatively, you can assign the built-in Reader role on the subscription, which grants read access to all resources in it rather than only the Service Tag data.