IP addresses used by Azure Monitor

Azure Monitor uses a number of IP addresses. Azure Monitor is made up of core platform metrics and log in addition to Log Analytics and Application Insights. You might need to know these addresses if the app or infrastructure that you are monitoring is hosted behind a firewall.


Although these addresses are static, it's possible that we will need to change them from time to time. All Application Insights traffic represents outbound traffic with the exception of availability monitoring and webhooks which require inbound firewall rules.


You can use Azure network service tags to manage access if you are using Azure Network Security Groups. If you are managing access for hybrid/on premises resources you can download the equivalent IP address lists as JSON files which are updated each week. To cover all the exceptions in this article you would need to use the service tags: ActionGroup, ApplicationInsightsAvailability, and AzureMonitor.

Alternatively, you can subscribe to this page as a RSS feed by adding https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/ip-addresses.md.atom to your favorite RSS/ATOM reader to get notified of the latest changes.

Outgoing ports

You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK and/or Status Monitor to send data to the portal:

Purpose URL IP Ports
Telemetry dc.applicationinsights.azure.com
Live Metrics Stream live.applicationinsights.azure.com

Status Monitor

Status Monitor Configuration - needed only when making changes.

Purpose URL IP Ports
Configuration management.core.windows.net 443
Configuration management.azure.com 443
Configuration login.windows.net 443
Configuration login.microsoftonline.com 443
Configuration secure.aadcdn.microsoftonline-p.com 443
Configuration auth.gfx.ms 443
Configuration login.live.com 443
Installation globalcdn.nuget.org, packages.nuget.org ,api.nuget.org/v3/index.json nuget.org, api.nuget.org, dc.services.vsallin.net 443

Availability tests

This is the list of addresses from which availability web tests are run. If you want to run web tests on your app, but your web server is restricted to serving specific clients, then you will have to permit incoming traffic from our availability test servers.


For resources located inside private virtual networks that cannot allow direct inbound communication with the availability test agents in public Azure, the only option is to create and host your own custom availability tests.

Service tag

If you are using Azure Network Security Groups, simply add an inbound port rule to allow traffic from Application Insights availability tests by selecting Service Tag as the Source and ApplicationInsightsAvailability as the Source service tag.

Under settings select Inbound security rules and then select add at the top of the tab

Add inbound security rule tab

Open ports 80 (http) and 443 (https) for incoming traffic from these addresses (IP addresses are grouped by location):

IP Addresses

If you're looking for the actual IP addresses so you can add them to the list of allowed IP's in your firewall, please download the JSON file describing Azure IP Ranges. These files contain the most up-to-date information. For Azure public cloud, you may also look up the IP address ranges by location using the table below.

After downloading the appropriate file, open it using your favorite text editor and search for "ApplicationInsightsAvailability" to go straight to the section of the file describing the service tag for availability tests.


These addresses are listed using Classless Inter-Domain Routing (CIDR) notation. This means that an entry like is equivalent to 16 IPs starting at and ending at

Azure Public Cloud

Download Public Cloud IP addresses.

Azure US Government Cloud

Download Government Cloud IP addresses.

Azure China Cloud

Download China Cloud IP addresses.

Addresses grouped by location (Azure Public Cloud)

Australia East

Brazil South

France Central (Formerly France South)

France Central

East Asia

North Europe

Japan East

West Europe

UK South

UK West

Southeast Asia

West US

Central US

North Central US

South Central US

East US

Discovery API

You may also want to programmatically retrieve the current list of service tags together with IP address range details.

Application Insights & Log Analytics APIs

Purpose URI IP Ports
API api.applicationinsights.io
Azure Pipeline annotations extension aigs1.aisvc.visualstudio.com dynamic 443

Application Insights Analytics

Purpose URI IP Ports
Analytics Portal analytics.applicationinsights.io dynamic 80,443
CDN applicationanalytics.azureedge.net dynamic 80,443
Media CDN applicationanalyticsmedia.azureedge.net dynamic 80,443

Note: *.applicationinsights.io domain is owned by Application Insights team.

Log Analytics Portal

Purpose URI IP Ports
Portal portal.loganalytics.io dynamic 80,443
CDN applicationanalytics.azureedge.net dynamic 80,443

Note: *.loganalytics.io domain is owned by the Log Analytics team.

Application Insights Azure portal Extension

Purpose URI IP Ports
Application Insights Extension stamp2.app.insightsportal.visualstudio.com dynamic 80,443
Application Insights Extension CDN insightsportal-prod2-cdn.aisvc.visualstudio.com
dynamic 80,443

Application Insights SDKs

Purpose URI IP Ports
Application Insights JS SDK CDN az416426.vo.msecnd.net
dynamic 80,443

Action Group webhooks

You can query the list of IP addresses used by Action Groups using the Get-AzNetworkServiceTag PowerShell command.

Action Groups Service Tag

Managing changes to Source IP addresses can be quite time consuming. Using Service Tags eliminates the need to update your configuration. A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the IP addresses and automatically updates the service tag as addresses change, eliminating the need to update network security rules for an Action Group.

  1. In the Azure portal under Azure Services search for Network Security Group.

  2. Click on Add and create a Network Security Group.

    1. Add the Resource Group Name and then enter Instance Details.
    2. Click on Review + Create and then click Create.

    Example on how to create a Network Security Group.

  3. Go to Resource Group and then click on Network Security Group you have created.

    1. Select Inbound Security Rules.
    2. Click on Add.

    Example on how to add a service tag.

  4. A new window will open in right pane.

    1. Select Source: Service Tag
    2. Source Service Tag: ActionGroup
    3. Click Add.

    Example on how to add service tag.


Purpose URI IP Ports
Agent agent.azureserviceprofiler.net
Portal gateway.azureserviceprofiler.net dynamic 443
Storage *.core.windows.net dynamic 443

Snapshot Debugger


Profiler and Snapshot Debugger share the same set of IP addresses.

Purpose URI IP Ports
Agent agent.azureserviceprofiler.net
Portal gateway.azureserviceprofiler.net dynamic 443
Storage *.core.windows.net dynamic 443