Azure / azure-cli

Azure Command-Line Interface
MIT License

The outputs to "az network list-service-tags" don't have regional-specific IP prefixes #22190

Open rickyding1010 opened 2 years ago

rickyding1010 commented 2 years ago

The outputs to Azure CLI "az network list-service-tags" don't have regional-specific IP prefixes. Let me use AzureMachineLearning as an example. The outputs contain all IP prefixes for AzureMachineLearning, but don't have regional-specific IP prefixes, such as AzureMachineLearning.AustraliaEast or AzureMachineLearning.WestUS. If this is the current limitation, can you please mention this in the description of the command "az network list-service-tags"? Thanks so much in advance!



yonzhan commented 2 years ago

network

necusjz commented 2 years ago

@rickyding1010, sorry, I haven't caught your point. Actually, the --location parameter isn't used as a filter -> it will always return all service tags: image

rickyding1010 commented 2 years ago

Hi,

Unlike the json file downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=56519, the outputs to the command simply list all IP prefixes for the services and it's not sorted by regions.

Azure CLI outputs

@.***

Downloaded json file

@.***

Appreciate it much!

My working hours are 9:00-18:00 Mon-Fri UTC+8. If you need any urgent support during my non-working hours, please contact my backup @.*** and one engineer will contact you.

Best Regards, Ricky Ding


necusjz commented 2 years ago

@rickyding1010, I see..., but there are some resources already grouped by region: image

rickyding1010 commented 2 years ago

@necusjz To avoid confusion, can we make the outputs of the Azure CLI the same as that downloaded JSON file?

necusjz commented 2 years ago

@rickyding1010, these two query methods have different scopes.

And, take ApiManagement.AustraliaCentral as an example, there is no obvious difference between them (the core information is the same): image

Currently, we have no plan to change the output.

a30004053 commented 2 years ago

Hello

Perhaps a better example in this scenario would be AzureMachineLearning: the azure-cli response does not contain the region-specific CIDRs, only the "global" ones.

On the LEFT is the JSON from the MSFT public download page and on the RIGHT is the output from the az CLI command: image

The difference is significant

Global AzureMachineLearning has 219 addresses
AzureMachineLearning.AustraliaEast has 7 addresses
AzureMachineLearning.AustraliaSoutheast has 2 addresses

We use these CIDR ranges to control egress from our internal VNets to MSFT services - primarily because the NVA we use is unaware of azure service-tags. This approach works fine for services that are "regional", but for the ones which aren't, we end up using the GA address ranges - which adds a lot of CIDRs, something we wish to avoid where possible.

The obvious solution is to use the public JSON, however, having the azure cli return the same information is not unreasonable.
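The workaround described in the comment above, as an added example that is not part of the original thread or the azure-cli code base: select the regional tag from a document shaped like the public Service Tags JSON, fall back to the global tag when no regional entry exists, and collapse adjacent CIDRs before loading them into an NVA rule set. The function names and the sample document are assumptions; the sample prefixes are constructed private and documentation ranges, not real Azure addresses.

```python
import ipaddress
import json

# Constructed sample in the shape of the public Service Tags JSON download
# (values[].name, values[].properties.addressPrefixes). Prefixes are
# private/documentation ranges, not real Azure addresses.
SAMPLE = json.loads("""
{
  "cloud": "Public",
  "values": [
    {"name": "AzureMachineLearning",
     "properties": {"region": "", "systemService": "AzureMachineLearning",
       "addressPrefixes": ["10.1.0.0/25", "10.1.0.128/25", "10.2.0.0/24",
                           "10.3.0.0/24", "2001:db8:1::/48"]}},
    {"name": "AzureMachineLearning.AustraliaEast",
     "properties": {"region": "australiaeast",
       "systemService": "AzureMachineLearning",
       "addressPrefixes": ["10.1.0.0/25", "10.1.0.128/25", "2001:db8:1::/48"]}}
  ]
}
""")


def collapse(nets):
    """Merge adjacent/overlapping CIDRs per IP version to shorten the rule list."""
    out = []
    for version in (4, 6):  # collapse_addresses rejects mixed IPv4/IPv6 input
        same = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out


def egress_prefixes(doc, service, region):
    """Return (tag_used, prefixes) for a service in a region (hypothetical helper).

    Prefers the regional tag "<service>.<region>". If the document has no such
    tag, falls back to the global tag and returns its name, so the caller can
    see that the wider range is in use.
    """
    tags = {v["name"].lower(): v for v in doc.get("values", [])}
    for name in (f"{service}.{region}", service):
        entry = tags.get(name.lower())
        if entry is not None:
            prefixes = entry["properties"]["addressPrefixes"]
            nets = [ipaddress.ip_network(p) for p in prefixes]
            return entry["name"], collapse(nets)
    raise KeyError(f"no service tag for {service!r}")
```

Comparing the returned tag name with the requested one shows when the allow-list was built from the global range instead of the regional one.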

a30000931 commented 2 years ago

Why was this closed as completed? As per above it's neither closed nor resolved? Is this issue being tracked elsewhere?

necusjz commented 2 years ago

As the result of the CLI is consistent with the response from the Azure service, let's involve the service team for help. The key point is: Why does "AzureMachineLearning" not contain region-related information in the response?

ghost commented 2 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.

Issue Details

The outputs to Azure CLI "az network list-service-tags" don't have regional-specific IP prefixes. Let me use AzureMachineLearning as an example. The outputs contain all IP prefixes for AzureMachineLearning, but don't have regional-specific IP prefixes, such as AzureMachineLearning.AustraliaEast or AzureMachineLearning.WestUS. If this is the current limitation, can you please mention this in the description of the command "az network list-service-tags"? Thanks so much in advance!

---

#### Document Details

⚠ *Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.*

* ID: a1f75594-b95b-a85d-b971-c06e207e3fe2
* Version Independent ID: 16a09479-ff9b-9029-aae4-6ba14ccc8260
* Content: [az network](https://docs.microsoft.com/en-us/cli/azure/network?view=azure-cli-latest#az_network_list_service_tags)
* Content Source: [latest/docs-ref-autogen/network.yml](https://github.com/MicrosoftDocs/azure-docs-cli/blob/main/latest/docs-ref-autogen/network.yml)
* Service: **virtual-network**
* GitHub Login: @rloutlaw
* Microsoft Alias: **routlaw**

Author: rickyding1010
Assignees: necusjz
Labels: `Network`, `Service Attention`, `customer-reported`, `Auto-Assign`
Milestone: Backlog

a30000931 commented 1 year ago

Nearly a year - any updates?

leemallon commented 2 months ago

Any update on this? Having to whitelist 100 IP addresses rather than 5 regional ones isn't ideal.