RobC_CTL on Mon, 04 Dec 2017 10:38:09
I have an environment that has a NSG that blocks all outbound internet access apart from Azure services. This works great for all the regular Azure services i.e. backup, OMS etc. However I am hitting an error when trying to enable Azure Disk Encryption. In the error I can see is that it can't connect to an IP address, this IP address isn't part of the usual 51.x.x.x Azure range so isn't added by my NSG creation script (which gets it's list from here).
If I add this IP address to the NSG the encryption process works, happy days. However I have a number of Linux boxes in this environment and the error I get on these boxes doesn't contain the IP address. To add to the fun each VM has it's own unique IP address that it can't get to. So this leads me to think that this IP address is linked to a service that is published on that IP, but how do I find out what that service is and thus find it's IP address? The VMs don't have PIP so it's not this address. I thought it might be the IP of the AAD application but that is the usual 51.x.x..x range IP.
Any help gratefully received.
RobC_CTL on Mon, 04 Dec 2017 13:06:46
Just to answer my own question the IPs are relating to MSOnline. There a number of ports that need to be opened to allow Key Vault/Encryption to work. Full detail here - https://docs.microsoft.com/en-us/azure/key-vault/key-vault-access-behind-firewall