Azure Public IP Range to CIDR Notation
Convert Microsoft Azure public IP address ranges to CIDR notation. Learn how Azure publishes IP ranges and how to use them in NSG and firewall rules.
Detailed Explanation
Azure Public IP Ranges
Microsoft publishes Azure IP ranges weekly as a downloadable JSON file organized by region and service tag. These ranges are essential for configuring Network Security Groups (NSGs), Azure Firewall, and on-premises firewalls.
Example Range
Range: 20.33.0.0 - 20.33.255.255
CIDR: 20.33.0.0/16
Non-Aligned Range Example
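Azure ranges may not always align to a single CIDR block, in which case the range has to be expressed as several blocks. The range below stops partway through the third octet yet still maps to one block: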
Range: 20.150.0.0 - 20.150.31.255
CIDR: 20.150.0.0/19 (8,192 addresses)
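The conversion can be scripted with Python's standard `ipaddress` module. This is an added example, not code from the converter tool. It converts the ranges shown on this page, plus one constructed range (192.0.2.5 - 192.0.2.20, documentation address space) that needs several blocks, and counts how many extra addresses a firewall rule would allow if that range were rounded up to one covering CIDR. The function names are illustrative.

```python
import ipaddress

def range_to_cidrs(start, end):
    """Return the exact CIDR blocks covering start..end inclusive, and nothing else."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first.version != last.version:
        raise ValueError("start and end must be the same IP version")
    if first > last:
        raise ValueError(f"start {start} is after end {end}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]

def covering_cidr(start, end):
    """Return the smallest single CIDR containing the range (may be wider than it)."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    # Every bit at or below the highest differing bit must be a host bit.
    prefix = first.max_prefixlen - (int(first) ^ int(last)).bit_length()
    return str(ipaddress.ip_network(f"{first}/{prefix}", strict=False))

def excess_addresses(start, end):
    """Count addresses a single covering CIDR would allow beyond the range itself."""
    span = int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1
    return ipaddress.ip_network(covering_cidr(start, end)).num_addresses - span

RANGES = [
    ("20.33.0.0", "20.33.255.255"),      # from this page
    ("20.150.0.0", "20.150.31.255"),     # from this page
    ("40.79.152.0", "40.79.159.255"),    # from this page
    ("52.239.148.0", "52.239.151.255"),  # from this page
    ("192.0.2.5", "192.0.2.20"),         # constructed, not an Azure range
]

if __name__ == "__main__":
    for start, end in RANGES:
        blocks = range_to_cidrs(start, end)
        print(f"{start} - {end}")
        print(f"  exact:    {', '.join(blocks)}")
        print(f"  covering: {covering_cidr(start, end)} "
              f"(+{excess_addresses(start, end)} addresses outside the range)")
```

For allowlist rules, use the exact block list: the covering CIDR is shown only to quantify how much wider a rounded-up rule would be.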
Azure Service Tags
Azure uses "service tags" to group IP ranges by service:
| Service Tag | Description |
|---|---|
| AzureCloud | All Azure datacenter IPs |
| AzureCloud.EastUS | East US region only |
| Storage | Azure Storage service IPs |
| Sql | Azure SQL Database IPs |
| AzureActiveDirectory | Azure AD IPs |
NSG Rule Configuration
When creating NSG rules, you can use service tags directly. But for on-premises firewalls that don't support Azure service tags, you need the actual CIDR blocks:
# Azure SQL - East US (example)
Range: 40.79.152.0 - 40.79.159.255
CIDR: 40.79.152.0/21
# Azure Storage - West US 2 (example)
Range: 52.239.148.0 - 52.239.151.255
CIDR: 52.239.148.0/22
Downloading Azure IP Ranges
Azure publishes ranges at a URL like:
https://www.microsoft.com/en-us/download/details.aspx?id=56519
The JSON file contains all service tags with their CIDR prefixes. When you receive ranges from other sources in start-end format, use this converter tool.
Use Case
An IT administrator receives a list of Azure IP ranges from their cloud team in start-end format. They need to convert these to CIDR notation for the corporate Palo Alto firewall rules that restrict outbound traffic to only approved Azure services.