difrentiate IP ranges per service
At the moment if we want to restrict access to Azure services we need to whitelist entire Region. PCI certification requirements require to limit also outgoing access to the specific IP addreses to avoid possibility that attacker will be able to exfiltrate data from attacked machine.
With current scenario (whitelisting entire region) attacker can put FTP or HTTP upload server in the same region of the Azure and successfully upload data there. If ranges would be specific for services (e.g. Sql Azure, Key Vault, etc) then such exfiltration wouldn't be possible as we could restrict access to the services which we are using (and since those are offered as SaaS (Sql Azure, Key Vault) attacher would not be able to use them for getting data out.
Jan Nitecki
shared this idea
We do have Service Tags, is this what you were looking for?
https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags
– Anavi N [MSFT]
2 comments
-
Joseph
commented
I believe MS have done this: https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20190701.json
-
Anonymous
commented
We are struggling due to this, if we have access to Service Specific Public IP Addresses per Azure DC, we can whitelist particular service within that DC.