Document Azure CLI firewall/proxy requirements #25558

Open

Description

Related commands

  • az login
  • az login --identity
  • az ssh

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
For the Azure portal, there is documentation for which URLs need to be allowed when working behind a network proxy or firewall:
Allow the Azure portal URLs on your firewall or proxy server - Azure portal

It would be good to have similar documentation for the Azure CLI.

Suggested text for the documentation

Azure CLI is a command-line tool used to manage and interact with Azure services from the command line. Depending on the specific commands you're using and the Azure services you're interacting with, different firewall requirements may apply. However, here are some general guidelines that may help:

  • Authentication: Azure CLI uses Azure Active Directory (Azure AD) for authentication and authorization. If your organization has a restrictive firewall policy that blocks outbound traffic to external services, you may need to configure your firewall to allow outbound traffic to Azure AD:
    • URL: https://login.microsoftonline.com
      • If using Azure Firewall or Network Security Groups, it is also possible to allow traffic to the Service Tag AzureActiveDirectory as an alternative to whitelisting the URL.
  • Management plane: Azure CLI communicates with the Azure Resource Manager REST API
    • URL: https://management.azure.com
      • If using Azure Firewall or Network Security Groups, it is also possible to allow traffic to the Service Tag AzureResourceManager as an alternative to whitelisting the URL.
  • Data plane
    • Virtual machines: If you're using Azure CLI to manage virtual machines, you may need to allow inbound traffic to the virtual machine for the specific ports and protocols required by the application or service running on the VM.
    • Azure Storage: If you're using Azure CLI to manage Azure Storage accounts, you may need to allow outbound traffic to the specific endpoints used by Azure Storage (such as blob.core.windows.net and queue.core.windows.net).
    • Azure Key Vault: Accessing and managing objects (keys and secrets) stored in a Key Vault goes through individual Key Vault-specific endpoints (for example, https://yourvaultname.vault.azure.net).

This is not an exhaustive list of all data planes.
You should review the Azure documentation for the specific Azure services you're working with to determine the exact firewall requirements.
It's also important to note that these are just general guidelines, and the specific firewall requirements for Azure CLI will depend on your specific use case and configuration.
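
An added example, not from the issue or the Azure CLI project: triaging proxy-denied hosts against the endpoints listed in the suggested text, with label-boundary suffix matching so that look-alike hostnames are not treated as covered. The log lines, the `classify` and `triage` helpers and the storage account name are constructed for illustration.

```python
from urllib.parse import urlsplit

# Endpoints named in the suggested text; suffix entries cover per-account/per-vault hosts.
EXACT = {"login.microsoftonline.com": "authentication",
         "management.azure.com": "management-plane"}
SUFFIX = {"blob.core.windows.net": "data-plane/storage",
          "queue.core.windows.net": "data-plane/storage",
          "vault.azure.net": "data-plane/keyvault"}

def classify(url):
    """Return the category for an HTTPS target, or None if it is not covered."""
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme != "https" or port not in (None, 443):
        return None
    host = (parts.hostname or "").rstrip(".").lower()
    if host in EXACT:
        return EXACT[host]
    for suffix, category in SUFFIX.items():
        # Require a leading dot so only true subdomains of the suffix match.
        if host.endswith("." + suffix):
            return category
    return None

# Constructed sample of proxy-denied CONNECT targets (not real proxy output).
SAMPLE_DENIED = [
    "CONNECT login.microsoftonline.com:443",
    "CONNECT management.azure.com:443",
    "CONNECT mystorageacct.blob.core.windows.net:443",
    "CONNECT yourvaultname.vault.azure.net:443",
    "CONNECT management.azure.com.example.test:443",
    "CONNECT blob.core.windows.net.example.test:443",
]

def triage(lines):
    """Split denied CONNECT targets into (covered, uncovered)."""
    covered, uncovered = {}, []
    for line in lines:
        target = line.split()[-1]
        category = classify(target)
        if category:
            covered[target] = category
        else:
            uncovered.append(target)
    return covered, uncovered
```

Targets that land in `uncovered` are the ones to check against the documentation of the specific Azure service before any firewall rule is added.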

Metadata

Labels

  • AAD
  • Account (az login/account)
  • Auto-Assign (Auto assign by bot)
  • Azure CLI Team (The command of the issue is owned by Azure CLI team)
  • SSH
  • Service Attention (This issue is responsible by Azure service team.)
  • VM SSH
  • feature-request
  • needs-team-attention (This issue needs attention from Azure service team or SDK team)