Azure IP Networks in .NET and ASP.NET Core

In the cloud, network security is vital. Azure's IP ranges, used by various services, play a critical role in managing access. However, some services don't support allow listing based on Service Tags, regions, or cloud. This is where the AzureIPNetworks library comes in handy, offering .NET developers a way to manage Azure IP networks effectively.

Using AzureIPNetworks Locally (no internet connection)

To begin, you can use the library to work with Azure IP ranges locally:

using System.Net; // IPAddress
using AzureIPNetworks;
 
// Check if an IP is part of Azure's range
var ip = "52.239.148.88";
var isAzureIp = await AzureIPsProvider.Local.IsAzureIpAsync(IPAddress.Parse(ip));
Console.WriteLine(isAzureIp ? "It's an Azure IP!" : "It's not an Azure IP.");
 
// outputs: It's an Azure IP!

Using AzureIPNetworks Remotely

The library can also fetch the latest IP data from Microsoft:

using System.Net; // IPAddress
using AzureIPNetworks;
 
// Check if an IP is part of Azure's range
var ip = "52.239.148.88";
var isAzureIp = await AzureIPsProvider.Remote.IsAzureIpAsync(IPAddress.Parse(ip));
Console.WriteLine(isAzureIp ? "It's an Azure IP!" : "It's not an Azure IP.");
 
// outputs: It's an Azure IP!

The ranges are downloaded once per application instance.

Implementing IP-based Authentication in ASP.NET Core

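Integrating AzureIPNetworks with ASP.NET Core allows for IP-based authentication, which is crucial for services that don’t support Azure Service Tags, or when you run a hybrid setup and want to check where requests are coming from. You can use the Tingle.AspNetCore.Authorization library to simplify this. In the policy below, the network check is combined with RequireAuthenticatedUser, so a request must both authenticate and originate from an Azure address.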

In your Program.cs file:

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AzureOnly", policy =>
    {
        policy.AddAuthenticationSchemes("my_auth_scheme")
              .RequireAuthenticatedUser()
              .RequireAzureIPNetworks();
    });
});
 
// add accessor for HttpContext i.e. implementation of IHttpContextAccessor
builder.Services.AddHttpContextAccessor();
 
// add IAuthorizationHandler for approved networks
builder.Services.AddApprovedNetworksHandler();

In your controller:

[Authorize(Policy = "AzureOnly")]
public IActionResult SecureEndpoint()
{
    return Ok("You have access!");
}

Filtering

When checking whether an IPAddress or IPNetwork is part of Azure, the library defaults to the Public cloud. However, this can be changed to support other clouds. The check can also be filtered by service (e.g. AzureAppConfiguration, AzureAppServiceManagement, etc.) or region (e.g. westeurope, westindia), as exposed by the method overloads.
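What a service- and region-filtered membership check does underneath, as an added example that is not the AzureIPNetworks code or its API. The `Tag` record, `IsListed` and `InCidr` are hypothetical names, and the prefixes are constructed documentation ranges rather than real Azure data.

```csharp
using System;
using System.Linq;
using System.Net;

// Constructed sample entries (documentation ranges, not real Azure prefixes).
var tags = new[]
{
    new Tag("AzureAppConfiguration", "westeurope", new[] { "203.0.113.0/26", "2001:db8:10::/48" }),
    new Tag("AzureAppServiceManagement", "westindia", new[] { "198.51.100.128/25" }),
};

// No filter, a region filter that excludes the match, a service filter over IPv6, an address just past the /26.
Console.WriteLine(IsListed(tags, IPAddress.Parse("203.0.113.17")));
Console.WriteLine(IsListed(tags, IPAddress.Parse("203.0.113.17"), region: "westindia"));
Console.WriteLine(IsListed(tags, IPAddress.Parse("2001:db8:10::5"), service: "AzureAppConfiguration"));
Console.WriteLine(IsListed(tags, IPAddress.Parse("203.0.113.64")));

// Narrow the candidate prefixes by service and/or region first, then test membership.
static bool IsListed(Tag[] tags, IPAddress ip, string? service = null, string? region = null) =>
    tags.Where(t => service is null || t.Service.Equals(service, StringComparison.OrdinalIgnoreCase))
        .Where(t => region is null || t.Region.Equals(region, StringComparison.OrdinalIgnoreCase))
        .SelectMany(t => t.Prefixes)
        .Any(p => InCidr(ip, p));

// Prefix match on raw address bytes; works for IPv4 and IPv6. Malformed prefixes never match.
static bool InCidr(IPAddress ip, string cidr)
{
    var parts = cidr.Split('/');
    if (parts.Length != 2 || !IPAddress.TryParse(parts[0], out var net) || !int.TryParse(parts[1], out var bits))
        return false;

    // Dual-stack listeners can report an IPv4 client as ::ffff:a.b.c.d; normalise before comparing.
    if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
    if (net.AddressFamily != ip.AddressFamily) return false;

    byte[] a = ip.GetAddressBytes(), n = net.GetAddressBytes();
    if (bits < 0 || bits > n.Length * 8) return false;

    int full = bits / 8, rem = bits % 8;
    for (int i = 0; i < full; i++)
        if (a[i] != n[i]) return false;
    if (rem == 0) return true;

    int mask = (0xFF << (8 - rem)) & 0xFF;   // high `rem` bits of the partial byte
    return (a[full] & mask) == (n[full] & mask);
}

record Tag(string Service, string Region, string[] Prefixes);
```

A tighter filter shrinks the set of prefixes that can match, so an allow list scoped to one service and region admits far fewer source addresses than one covering the whole cloud.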

Why This Matters

This library is essential when dealing with services that don’t support allow listing based on Azure Service Tags, regions, or the entire cloud. It’s also useful for services outside Azure that require secure network management.

Conclusion

The AzureIPNetworks library simplifies managing Azure IP ranges in .NET and integrating them into ASP.NET Core for robust IP-based authentication. Whether you’re working within Azure or securing non-Azure services, this tool provides the flexibility and security you need.