Is there any way to get a servicetag or list of ip ranges for packages.microsoft.com? #66

Closed
Geertvdc opened this issue Jun 19, 2023 · 3 comments · Fixed by #117
Labels
enhancement New feature or request


@Geertvdc

Describe the problem you are experiencing.
We want to secure the creation of our Linux VMs by disallowing most internet traffic. However, during installation certain sources need to be able to be accessed. For other resources such as RHUI, Microsoft provides a list of IP addresses which could be whitelisted: https://learn.microsoft.com/en-us/azure/virtual-machines/workloads/redhat/redhat-rhui#the-ips-for-the-rhui-content-delivery-servers

Without this information it is not possible for us to allow this traffic or we would need to add another FW that would allow traffic based on DNS.

Describe any possible solutions that you would like to see.

  1. List of IP addresses that are behind packages.microsoft.com or even a split per distribution
  2. A service tag in Azure would even be better to allow certain traffic so we don't have to update IP addresses when they change
@Geertvdc Geertvdc added the enhancement New feature or request label Jun 19, 2023
@jasonzio

jasonzio commented Jul 18, 2023

Azure defines Service Tags for each Azure region. You can build an allow list from the service tags for the regions from which the packages.microsoft.com service is currently hosted:

  • East Asia
  • Southeast Asia
  • East US
  • South Central US
  • West US
  • North Europe
  • West Europe
  • East US 2 EUAP

The specific IP addresses at which packages.microsoft.com is available are subject to change without notice, so we cannot provide you an allow-list.

We do have an internal task to create a Service Tag specific to the packages.microsoft.com service, but there are technical issues that may make that difficult or impossible. We hope to have a better solution for your request by the end of the calendar year.
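
One way to turn the region list in the comment above into an egress allow list, as an added example that is not part of the thread or the project's own code. It assumes the regional tags are named `AzureCloud.<region>` as in Microsoft's downloadable Service Tags JSON file; the function names are hypothetical, and the sample document and its prefixes are constructed.

```python
import ipaddress
import json

# Regions named in the comment above, mapped to service tag names.
# Assumption: regional tags follow the "AzureCloud.<region>" naming used in
# Microsoft's downloadable Service Tags JSON file.
REGION_TAGS = [
    "AzureCloud.eastasia", "AzureCloud.southeastasia", "AzureCloud.eastus",
    "AzureCloud.southcentralus", "AzureCloud.westus", "AzureCloud.northeurope",
    "AzureCloud.westeurope", "AzureCloud.eastus2euap",
]

# Constructed sample in the shape of the Service Tags file; the prefixes are
# documentation ranges (RFC 5737 / RFC 3849), not real Azure addresses.
SAMPLE = json.loads("""
{"changeNumber": 1, "cloud": "Public", "values": [
  {"name": "AzureCloud.eastus", "properties": {"region": "eastus",
     "addressPrefixes": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:1::/48"]}},
  {"name": "AzureCloud.westeurope", "properties": {"region": "westeurope",
     "addressPrefixes": ["198.51.100.0/24", "198.51.100.64/26"]}},
  {"name": "AzureCloud.japaneast", "properties": {"region": "japaneast",
     "addressPrefixes": ["203.0.113.0/24"]}}
]}
""")


def build_allow_list(doc, wanted=REGION_TAGS):
    """Return (ipv4, ipv6, missing): collapsed networks and tags not found."""
    wanted_lc = {t.lower() for t in wanted}
    found, v4, v6 = set(), [], []
    for entry in doc.get("values", []):
        name = entry.get("name", "").lower()
        if name not in wanted_lc:
            continue  # tags for regions outside the list are never allowed
        found.add(name)
        for prefix in entry["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=False)
            (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges adjacent and overlapping prefixes, which keeps
    # the rule count down on firewalls with per-rule prefix limits.
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)),
            sorted(wanted_lc - found))  # surface tags the file did not contain


def is_allowed(addr, networks):
    """True if addr falls inside any allow-listed network of its IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks if net.version == ip.version)
```

Regional `AzureCloud` tags cover every Azure public address in the region, not only packages.microsoft.com, so the resulting rule is much broader than a per-service allow list. Regenerate the list whenever the tag file changes, and treat a non-empty `missing` result as a failure rather than silently dropping a region.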

@Klaas-

Klaas- commented Jul 19, 2023

@jasonzio maybe put it behind a cross-region load balancer instead of Traffic Manager, then you have a single IP globally (https://learn.microsoft.com/en-us/azure/load-balancer/cross-region-overview)

@jasonzio

@Klaas- that is indeed one of the things we're looking at.

daviddavis added a commit to daviddavis/linux-package-repositories that referenced this issue Mar 8, 2024
daviddavis added a commit that referenced this issue Mar 14, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 14, 2024