IP addresses used by Azure Monitor
If your monitored application or infrastructure is behind a firewall, you need to configure network access to allow communication with Azure Monitor services.
Azure Monitor uses service tags, which provide a more reliable and dynamic way to manage network access. Service tags are regularly updated and can be retrieved through an API, ensuring that you have the latest available IP address information without requiring manual updates.
If you're using Azure network security groups, you can manage access with Azure network service tags. For hybrid or on-premises resources, you can download the equivalent IP address lists as JSON files, which are refreshed weekly. To cover all necessary exceptions, use the service tags ActionGroup
, ApplicationInsightsAvailability
, and AzureMonitor
. For more information, see Azure Service Tags Overview.
Note
- All Application Insights traffic represents outbound traffic except for availability monitoring and webhook action groups, which also require inbound firewall rules.
- Service tags don't replace validation/authentication checks required for cross-tenant communications between a customer's Azure resource and other service tag resources.
Outgoing ports
You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or Application Insights Agent to send data to the portal.
Note
These addresses are listed by using Classless Interdomain Routing notation. As an example, an entry like 51.144.56.112/28
is equivalent to 16 IPs that start at 51.144.56.112
and end at 51.144.56.127
.
Purpose | URL | Type | Ports |
---|---|---|---|
Telemetry | dc.applicationinsights.azure.cn dc.applicationinsights.microsoft.com dc.services.visualstudio.com {region}.in.applicationinsights.azure.cn |
Global Global Global Regional |
443 |
Live Metrics | live.applicationinsights.azure.cn rt.applicationinsights.microsoft.com rt.services.visualstudio.com {region}.livediagnostics.monitor.azure.cn Example for {region} : chinanorth2 |
Global Global Global Regional |
443 |
Note
- Application Insights ingestion endpoints are IPv4 only.
Application Insights Agent
Application Insights Agent configuration is needed only when you're making changes.
Purpose | URL | Ports |
---|---|---|
Configuration | management.core.chinacloudapi.cn |
443 |
Configuration | management.chinacloudapi.cn |
443 |
Configuration | login.chinacloudapi.cn |
443 |
Configuration | login.partner.microsoftonline.cn |
443 |
Configuration | secure.aadcdn.partner.microsoftonline-p.cn |
443 |
Configuration | auth.gfx.ms |
443 |
Configuration | login.live.com |
443 |
Installation | globalcdn.nuget.org , packages.nuget.org ,api.nuget.org/v3/index.json nuget.org , api.nuget.org , dc.services.vsallin.net |
443 |
Application Insights and Log Analytics APIs
Purpose | URI | Ports |
---|---|---|
API | api.applicationinsights.io api1.applicationinsights.io api2.applicationinsights.io api3.applicationinsights.io api4.applicationinsights.io api5.applicationinsights.io dev.applicationinsights.io dev.applicationinsights.microsoft.com dev.aisvc.visualstudio.com www.applicationinsights.io www.applicationinsights.microsoft.com www.aisvc.visualstudio.com api.loganalytics.io *.api.loganalytics.io dev.loganalytics.io docs.loganalytics.io www.loganalytics.io api.loganalytics.azure.cn |
80,443 |
Azure Pipeline annotations extension | aigs1.aisvc.visualstudio.com |
443 |
Application Insights analytics
Purpose | URI | Ports |
---|---|---|
CDN (Content Delivery Network) | applicationanalytics.azureedge.net |
80,443 |
Media CDN | applicationanalyticsmedia.azureedge.net |
80,443 |
The Application Insights team owns the *.applicationinsights.io domain.
Log Analytics portal
Purpose | URI | Ports |
---|---|---|
Portal | portal.loganalytics.io |
80,443 |
The Log Analytics team owns the *.loganalytics.io domain.
Application Insights Azure portal extension
Purpose | URI | Ports |
---|---|---|
Application Insights extension | stamp2.app.insightsportal.visualstudio.com |
80,443 |
Application Insights extension CDN | insightsportal-prod2-cdn.aisvc.visualstudio.com insightsportal-prod2-asiae-cdn.aisvc.visualstudio.com insightsportal-cdn-aimon.applicationinsights.io |
80,443 |
Application Insights SDKs (Software Development Kits)
Purpose | URI | Ports |
---|---|---|
Application Insights JS SDK CDN | az416426.vo.msecnd.net js.monitor.azure.com |
80,443 |
Action group webhooks
You can query the list of IP addresses used by action groups by using the Get-AzNetworkServiceTag PowerShell command.
Application Insights Profiler for .NET
Purpose | URI | Ports |
---|---|---|
Agent | agent.azureserviceprofiler.net *.agent.azureserviceprofiler.net profiler.monitor.azure.cn |
443 |
Portal | gateway.azureserviceprofiler.net dataplane.diagnosticservices.azure.com |
443 |
Storage | *.core.chinacloudapi.cn |
443 |
Snapshot Debugger
Note
Application Insights Profiler for .NET and Snapshot Debugger share the same set of IP addresses.
Purpose | URI | Ports |
---|---|---|
Agent | agent.azureserviceprofiler.net *.agent.azureserviceprofiler.net snapshot.monitor.azure.cn |
443 |
Portal | gateway.azureserviceprofiler.net dataplane.diagnosticservices.azure.com |
443 |
Storage | *.core.chinacloudapi.cn |
443 |
Frequently asked questions
This section provides answers to common questions.
Can I monitor an intranet web server?
Yes, but you need to allow traffic to our services by either firewall exceptions or proxy redirects.
See IP addresses used by Azure Monitor to review our full list of services and IP addresses.
How do I reroute traffic from my server to a gateway on my intranet?
Route traffic from your server to a gateway on your intranet by overwriting endpoints in your configuration. If the Endpoint
properties aren't present in your config, these classes use the default values which are documented in IP addresses used by Azure Monitor.
Your gateway should route traffic to our endpoint's base address. In your configuration, replace the default values with http://<your.gateway.address>/<relative path>
.
What if my product doesn't support service tags?
If your product doesn't support service tags, take the following steps to ensure full connectivity:
- Check the latest IP ranges in the downloadable Azure IP ranges and service tags JSON file, which updates weekly.
- Review firewall logs for blocked requests and update your allowlist as needed.
For more information, see Azure Service Tags Overview.