
The outputs to "az network list-service-tags" don't have regional-specific IP prefixes

Open rickyding1010 opened this issue 3 years ago • 12 comments

The outputs to Azure CLI "az network list-service-tags" don't have regional-specific IP prefixes. Let me use AzureMachineLearning as an example. The outputs contain all IP prefixes for AzureMachineLearning, but don't have regional-specific IP prefixes, such as AzureMachineLearning.AustraliaEast or AzureMachineLearning.WestUS. If this is the current limitation, can you please mention this in the description of the command "az network list-service-tags"? Thanks so much in advance!


Document Details

Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

  • ID: a1f75594-b95b-a85d-b971-c06e207e3fe2
  • Version Independent ID: 16a09479-ff9b-9029-aae4-6ba14ccc8260
  • Content: az network
  • Content Source: latest/docs-ref-autogen/network.yml
  • Service: virtual-network
  • GitHub Login: @rloutlaw
  • Microsoft Alias: routlaw

rickyding1010 avatar Apr 26 '22 10:04 rickyding1010

network

yonzhan avatar Apr 26 '22 10:04 yonzhan

@rickyding1010, sorry, I haven't caught your point. Actually, --location parameter isn't used as a filter -> it will always return all service tags: image

necusjz avatar Apr 26 '22 10:04 necusjz

Hi,

Unlike the json file downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=56519, the outputs to the command simply list all IP prefixes for the services and it's not sorted by regions.

Azure CLI outputs

@.***

Downloaded json file

@.***

Appreciate it much!

My working hours are 9:00-18:00 Mon-Fri UTC+8. If you need any urgent support during my non-working hours, please contact my backup @.*** and one engineer will contact you.

Best Regards, Ricky Ding


rickyding1010 avatar Apr 26 '22 10:04 rickyding1010

@rickyding1010, I see..., but there are some resources already grouped by region: image

necusjz avatar Apr 27 '22 08:04 necusjz

@necusjz To avoid the confusion, can we make the outputs to Azure CLI the same as that download json file?

rickyding1010 avatar Apr 27 '22 12:04 rickyding1010

@rickyding1010, these two query methods have different scopes.

And, take ApiManagement.AustraliaCentral as an example, there is no obvious difference between them (the core information is the same): image

Currently, we have no plan to change the output.

necusjz avatar Apr 28 '22 08:04 necusjz

Hello

Perhaps a better example in this scenario would be AzureMachineLearning: the azure-cli response does not contain the region-specific CIDRs, only the "global" ones.

On the LEFT is the JSON from the MSFT public download page and on the RIGHT is the output from the az CLI command image

The difference is significant

Global AzureMachineLearning has 219 addresses
AzureMachineLearning.AustraliaEast has 7 addresses
AzureMachineLearning.AustraliaSoutheast has 2 addresses

We use these CIDR ranges to control egress from our internal VNets to MSFT services - primarily because the NVA we use is unaware of azure service-tags. This approach works fine for services that are "regional", but for the ones which aren't, we end up using the GA address ranges - which adds a lot of CIDRs, something we wish to avoid where possible.

The obvious solution is to use the public JSON, however, having the azure cli return the same information is not unreasonable.

a30004053 avatar May 02 '22 02:05 a30004053
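
The workaround described in the comment above (reading regional CIDRs from the public JSON to build an egress allow-list), as an added example that is not part of the thread or of azure-cli. It assumes the `values[].name` / `properties.addressPrefixes` layout of the downloadable Service Tags file; the sample data is constructed and uses documentation address ranges.

```python
import ipaddress
import json

# Constructed sample in the layout of the downloadable Service Tags JSON.
# Prefixes are RFC 5737 / RFC 3849 documentation ranges, not Azure addresses.
SAMPLE = json.loads("""
{"changeNumber": 1, "cloud": "Public", "values": [
  {"name": "AzureMachineLearning", "id": "AzureMachineLearning",
   "properties": {"region": "", "systemService": "AzureMachineLearning",
     "addressPrefixes": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24",
                         "203.0.113.0/24", "2001:db8:1::/48"]}},
  {"name": "AzureMachineLearning.AustraliaEast",
   "id": "AzureMachineLearning.AustraliaEast",
   "properties": {"region": "australiaeast",
     "systemService": "AzureMachineLearning",
     "addressPrefixes": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:1::/48"]}}
]}
""")


def egress_prefixes(doc, service, region):
    """Return (tag_used, ipv4_cidrs, ipv6_cidrs) for a service in a region.

    Prefers the regional tag "<service>.<region>". If the source has no such
    entry it falls back to the global tag, which widens the allow-list, so the
    tag actually used is returned for the caller to log or reject.
    """
    by_name = {v["name"].lower(): v for v in doc["values"]}
    entry = by_name.get(f"{service}.{region}".lower()) or by_name.get(service.lower())
    if entry is None:
        raise KeyError(f"no service tag named {service!r}")
    nets = [ipaddress.ip_network(p, strict=False)
            for p in entry["properties"]["addressPrefixes"]]
    # collapse_addresses() rejects mixed IP versions, so split first; it also
    # merges adjacent or overlapping prefixes to keep the rule count small.
    v4 = [str(n) for n in ipaddress.collapse_addresses(n for n in nets if n.version == 4)]
    v6 = [str(n) for n in ipaddress.collapse_addresses(n for n in nets if n.version == 6)]
    return entry["name"], v4, v6


if __name__ == "__main__":
    for region in ("AustraliaEast", "WestUS"):  # WestUS is absent from SAMPLE
        print(region, egress_prefixes(SAMPLE, service="AzureMachineLearning", region=region))
```

To run it against real data, replace `SAMPLE` with `json.load()` of the file downloaded from the page linked earlier in the thread, and compare the returned tag name with the one requested before pushing rules to the NVA.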

Why was this closed as completed? As per above it's neither closed nor resolved? Is this issue being tracked elsewhere?

a30000931 avatar May 23 '22 22:05 a30000931

As the result of CLI is consistent with the response from Azure service, let's involve service team for help. The key point is: Why does "AzureMachineLearning" not contain region-related information in the response?

necusjz avatar May 24 '22 07:05 necusjz

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.

Issue Details

Author: rickyding1010
Assignees: necusjz
Labels:

Network, Service Attention, customer-reported, Auto-Assign

Milestone: Backlog

ghost avatar May 24 '22 07:05 ghost

Nearly a year - any updates?

a30000931 avatar Mar 27 '23 10:03 a30000931

Any update on this? Having to whitelist 100 IP addresses rather than 5 regional ones isn't ideal.

leemallon avatar May 01 '24 13:05 leemallon