IP addresses used by Azure Monitor

  • Article

If your monitored application or infrastructure is behind a firewall, you need to configure network access to allow communication with Azure Monitor services.

Azure Monitor uses service tags, which provide a more reliable and dynamic way to manage network access. Service tags are regularly updated and can be retrieved through an API, ensuring that you have the latest available IP address information without requiring manual updates.

If you're using Azure network security groups, you can manage access with Azure network service tags. For hybrid or on-premises resources, you can download the equivalent IP address lists as JSON files, which are refreshed weekly. To cover all necessary exceptions, use the service tags ActionGroup, ApplicationInsightsAvailability, and AzureMonitor. For more information, see Azure Service Tags Overview.

Note

  • All Application Insights traffic represents outbound traffic except for availability monitoring and webhook action groups, which also require inbound firewall rules.
  • Service tags don't replace validation/authentication checks required for cross-tenant communications between a customer's Azure resource and other service tag resources.

Outgoing ports

You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or Application Insights Agent to send data to the portal.

Note

These addresses are listed by using Classless Interdomain Routing notation. As an example, an entry like 51.144.56.112/28 is equivalent to 16 IPs that start at 51.144.56.112 and end at 51.144.56.127.

Purpose URL Type Ports
Telemetry dc.applicationinsights.azure.cn
dc.applicationinsights.microsoft.com
dc.services.visualstudio.com

{region}.in.applicationinsights.azure.cn

 Global
Global
Global

Regional
 443
Live Metrics live.applicationinsights.azure.cn
rt.applicationinsights.microsoft.com
rt.services.visualstudio.com

{region}.livediagnostics.monitor.azure.cn

Example for {region}: chinanorth2		 Global
Global
Global

Regional
 443

Note

  • Application Insights ingestion endpoints are IPv4 only.

Application Insights Agent

Application Insights Agent configuration is needed only when you're making changes.

Purpose URL Ports
Configuration management.core.chinacloudapi.cn 443
Configuration management.chinacloudapi.cn 443
Configuration login.chinacloudapi.cn 443
Configuration login.partner.microsoftonline.cn 443
Configuration secure.aadcdn.partner.microsoftonline-p.cn 443
Configuration auth.gfx.ms 443
Configuration login.live.com 443
Installation globalcdn.nuget.org, packages.nuget.org ,api.nuget.org/v3/index.json nuget.org, api.nuget.org, dc.services.vsallin.net 443

Application Insights and Log Analytics APIs

Purpose URI Ports
API api.applicationinsights.io
api1.applicationinsights.io
api2.applicationinsights.io
api3.applicationinsights.io
api4.applicationinsights.io
api5.applicationinsights.io
dev.applicationinsights.io
dev.applicationinsights.microsoft.com
dev.aisvc.visualstudio.com
www.applicationinsights.io
www.applicationinsights.microsoft.com
www.aisvc.visualstudio.com
api.loganalytics.io
*.api.loganalytics.io
dev.loganalytics.io
docs.loganalytics.io
www.loganalytics.io
api.loganalytics.azure.cn		 80,443
Azure Pipeline annotations extension aigs1.aisvc.visualstudio.com 443

Application Insights analytics

Purpose URI Ports
CDN (Content Delivery Network) applicationanalytics.azureedge.net 80,443
Media CDN applicationanalyticsmedia.azureedge.net 80,443

The Application Insights team owns the *.applicationinsights.io domain.

Log Analytics portal

Purpose URI Ports
Portal portal.loganalytics.io 80,443

The Log Analytics team owns the *.loganalytics.io domain.

Application Insights Azure portal extension

Purpose URI Ports
Application Insights extension stamp2.app.insightsportal.visualstudio.com 80,443
Application Insights extension CDN insightsportal-prod2-cdn.aisvc.visualstudio.com
insightsportal-prod2-asiae-cdn.aisvc.visualstudio.com
insightsportal-cdn-aimon.applicationinsights.io		 80,443

Application Insights SDKs (Software Development Kits)

Purpose URI Ports
Application Insights JS SDK CDN az416426.vo.msecnd.net
js.monitor.azure.com		 80,443

Action group webhooks

You can query the list of IP addresses used by action groups by using the Get-AzNetworkServiceTag PowerShell command.

Application Insights Profiler for .NET

Purpose URI Ports
Agent agent.azureserviceprofiler.net
*.agent.azureserviceprofiler.net
profiler.monitor.azure.cn		 443
Portal gateway.azureserviceprofiler.net
dataplane.diagnosticservices.azure.com		 443
Storage *.core.chinacloudapi.cn 443

Snapshot Debugger

Note

Application Insights Profiler for .NET and Snapshot Debugger share the same set of IP addresses.

Purpose URI Ports
Agent agent.azureserviceprofiler.net
*.agent.azureserviceprofiler.net
snapshot.monitor.azure.cn		 443
Portal gateway.azureserviceprofiler.net
dataplane.diagnosticservices.azure.com		 443
Storage *.core.chinacloudapi.cn 443

Frequently asked questions

This section provides answers to common questions.

Can I monitor an intranet web server?

Yes, but you need to allow traffic to our services by either firewall exceptions or proxy redirects.

See IP addresses used by Azure Monitor to review our full list of services and IP addresses.

How do I reroute traffic from my server to a gateway on my intranet?

Route traffic from your server to a gateway on your intranet by overwriting endpoints in your configuration. If the Endpoint properties aren't present in your config, these classes use the default values which are documented in IP addresses used by Azure Monitor.

Your gateway should route traffic to our endpoint's base address. In your configuration, replace the default values with http://<your.gateway.address>/<relative path>.

What if my product doesn't support service tags?

If your product doesn't support service tags, take the following steps to ensure full connectivity:

For more information, see Azure Service Tags Overview.