IP addresses used by Azure Monitor
Azure Monitor uses a number of IP addresses. Azure Monitor is made up of core platform metrics and log in addition to Log Analytics and Application Insights. You might need to know these addresses if the app or infrastructure that you are monitoring is hosted behind a firewall.
Although these addresses are static, it's possible that we will need to change them from time to time. All Application Insights traffic represents outbound traffic with the exception of availability monitoring and webhooks which require inbound firewall rules.
You can use Azure network service tags to manage access if you are using Azure Network Security Groups. If you are managing access for hybrid/on premises resources you can download the equivalent IP address lists as JSON files which are updated each week: . To cover all the exceptions in this article you would need to use the service tags:
Alternatively, you can subscribe to this page as a RSS feed by adding https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/ip-addresses.md.atom to your favorite RSS/ATOM reader to get notified of the latest changes.
You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK and/or Status Monitor to send data to the portal:
|Live Metrics Stream||live.applicationinsights.azure.com
Status Monitor Configuration - needed only when making changes.
This is the list of addresses from which availability web tests are run. If you want to run web tests on your app, but your web server is restricted to serving specific clients, then you will have to permit incoming traffic from our availability test servers.
For resources located inside private virtual networks that cannot allow direct inbound communication with the availability test agents in public Azure, the only option is to create and host your own custom availability tests.
If you are using Azure Network Security Groups, simply add an inbound port rule to allow traffic from Application Insights availability tests by selecting Service Tag as the Source and ApplicationInsightsAvailability as the Source service tag.
Open ports 80 (http) and 443 (https) for incoming traffic from these addresses (IP addresses are grouped by location):
If you're looking for the actual IP addresses so you can add them to the list of allowed IP's in your firewall, please download the JSON file describing Azure IP Ranges. These files contain the most up-to-date information.
After downloading the appropriate file, open it using your favorite text editor and search for "ApplicationInsightsAvailability" to go straight to the section of the file describing the service tag for availability tests.
These addresses are listed using Classless Inter-Domain Routing (CIDR) notation. This means that an entry like
220.127.116.11/28 is equivalent to 16 IPs starting at
18.104.22.168 and ending at
Azure Public Cloud
Download Public Cloud IP addresses.
Azure US Government Cloud
Download Government Cloud IP addresses.
Azure China Cloud
Download China Cloud IP addresses.
You may also want to programmatically retrieve the current list of service tags together with IP address range details.
Application Insights & Log Analytics APIs
|Azure Pipeline annotations extension||aigs1.aisvc.visualstudio.com||dynamic||443|
Application Insights Analytics
Note: *.applicationinsights.io domain is owned by Application Insights team.
Log Analytics Portal
Note: *.loganalytics.io domain is owned by the Log Analytics team.
Application Insights Azure portal Extension
|Application Insights Extension||stamp2.app.insightsportal.visualstudio.com||dynamic||80,443|
|Application Insights Extension CDN||insightsportal-prod2-cdn.aisvc.visualstudio.com
Application Insights SDKs
|Application Insights JS SDK CDN||az416426.vo.msecnd.net
Action Group webhooks
You can query the list of IP addresses used by Action Groups using the Get-AzNetworkServiceTag PowerShell command.
Action Groups Service Tag
Managing changes to Source IP addresses can be quite time consuming. Using Service Tags eliminates the need to update your configuration. A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the IP addresses and automatically updates the service tag as addresses change, eliminating the need to update network security rules for an Action Group.
In the Azure portal under Azure Services search for Network Security Group.
Click on Add and create a Network Security Group.
- Add the Resource Group Name and then enter Instance Details.
- Click on Review + Create and then click Create.
Go to Resource Group and then click on Network Security Group you have created.
- Select Inbound Security Rules.
- Click on Add.
A new window will open in right pane.
- Select Source: Service Tag
- Source Service Tag: ActionGroup
- Click Add.
Profiler and Snapshot Debugger share the same set of IP addresses.