[Relay] How to get the relay frontend IP and add it into firewall

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.


If you are a Relay user and you have firewalls blocking Relay's outbound traffic, this article may help you configure your firewalls to allow traffic from Relay.



Whitelisting the Relay IP in the firewall would NOT help.

There are many instances behind the Relay service, and their IPs change, so your Relay namespace does not have a dedicated outbound IP address. We recommend using the fully qualified domain names of your specific namespaces instead of hardcoded IP addresses.

Format of the Relay FQDN: <yourServiceName>.servicebus.windows.net


If you still want to whitelist IPs, there IS a way.

We can try to use the following method to get the IPs.

Running nslookup <yourServiceName>.servicebus.windows.net shows the namespace resolving to the cluster host ns-sb2-prod-sy3-001.cloudapp.net:



The gateways of namespaces in your cluster can be obtained as:
nslookup g0-prod-sy3-001-sb.servicebus.windows.net resolves to 13.75.152.38
nslookup g1-prod-sy3-001-sb.servicebus.windows.net resolves to 13.75.154.105
... ... ... ... ... ... ... ... ... ...
nslookup g31-prod-sy3-001-sb.servicebus.windows.net resolves to 40.126.225.100


We can use an existing script to obtain the gateway IPs automatically.

Please see azure-relay-dotnet/GetNamespaceInfo.ps1 at master · Azure/azure-relay-dotnet · GitHub. Run the script with the command "./GetNamespaceInfo.ps1"; it resolves all the gateway IPs for you.

Here is my test result. Please run the command and update the IP list in your firewall at least monthly.
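The same enumeration, written as an added Python example (not the GetNamespaceInfo.ps1 script from the repository): it takes the cluster host that nslookup returned for the namespace, derives the g0..g31 gateway names, resolves each one, and reports which IPs must be added to or dropped from the firewall allow-list. The cluster-name pattern is inferred from the example hostnames in this post, the gateway count of 32 comes from the g0..g31 range shown above, and the resolver is injectable so the logic can be checked without DNS; all three are assumptions, not documented behaviour of the service.

```python
import re
import socket
from typing import Callable, Dict, List, Set, Tuple

# g0..g31 is the range shown in the post; treat the count as an assumption.
GATEWAY_COUNT = 32


def cluster_from_host(cluster_host: str) -> str:
    """Extract the cluster id from the host the namespace resolves to,
    e.g. 'ns-sb2-prod-sy3-001.cloudapp.net' -> 'prod-sy3-001'.
    The pattern is inferred from the post's example names (assumption)."""
    m = re.fullmatch(r"ns-sb\d+-(.+)\.cloudapp\.net\.?", cluster_host.strip().lower())
    if not m:
        raise ValueError(f"unexpected Relay cluster host: {cluster_host!r}")
    return m.group(1)


def gateway_fqdns(cluster: str, count: int = GATEWAY_COUNT) -> List[str]:
    """Gateway names follow g<N>-<cluster>-sb.servicebus.windows.net."""
    return [f"g{i}-{cluster}-sb.servicebus.windows.net" for i in range(count)]


def resolve_gateways(cluster_host: str,
                     resolve_a: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Map each gateway FQDN to its current IPv4 address.
    resolve_a is injectable so the logic can run without live DNS."""
    ips: Dict[str, str] = {}
    for fqdn in gateway_fqdns(cluster_from_host(cluster_host)):
        try:
            ips[fqdn] = resolve_a(fqdn)
        except OSError:  # socket.gaierror: no record for this slot, skip it
            continue
    return ips


def allowlist_diff(current: Set[str], resolved: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Return (ips_to_add, ips_to_remove) relative to the allow-list in force."""
    live = set(resolved.values())
    return live - current, current - live


if __name__ == "__main__":
    # Live run: needs DNS access; the cluster host is the one from the post.
    found = resolve_gateways("ns-sb2-prod-sy3-001.cloudapp.net")
    to_add, to_remove = allowlist_diff(set(), found)
    print(f"{len(found)} gateways resolved; add {sorted(to_add)}")
```

Keep the previous run's IP set and feed it as `current` on the next monthly run so the diff tells you exactly what changed.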





Upcoming changes to IP addresses for Azure Relay

Recently, the Relay service team has been working on upgrading our infrastructure to the newest technologies. Due to this infrastructure change, the IP addresses associated with the namespaces are also going to be changed.

Your Relay-based solutions may break if, instead of following the best practice of using domain names in your firewall or network device configurations, you allow these IP addresses directly.
