Merge pull request #107752 from wmgries/afs-service-tags

megvanhuygen · web-flow · commit e8c10bd080ad · 2020-03-16T12:23:48.000-07:00
Enhance service tag section for AFS
diff --git a/articles/storage/files/storage-sync-files-firewall-and-proxy.md b/articles/storage/files/storage-sync-files-firewall-and-proxy.md
@@ -141,53 +141,120 @@ For business continuity and disaster recovery (BCDR) reasons you may have specif
 > - https:\//tm-kailani.one.microsoft.com (discovery URL of the primary region)
 
 ### Allow list for Azure File Sync IP addresses
-If your on-premises firewall requires adding specific IP addresses to an allow list to connect to Azure File Sync, you can add the following IP address ranges based on the regions that you are connecting to.
-
-| Region | IP address ranges |
-|--------|-------------------|
-| Central US | 52.176.149.179/32, 20.37.157.80/29 |
-| East US 2 | 40.123.47.110/32, 20.41.5.144/29 |
-| East US | 104.41.148.238/32, 20.42.4.248/29 |
-| North Central US | 65.52.62.167/32, 40.80.188.24/29 |
-| South Central US | 104.210.219.252/32, 13.73.248.112/29 |
-| West US 2 | 52.183.27.204/32, 20.42.131.224/29 |
-| West Central US | 52.161.25.233/32, 52.150.139.104/29 |
-| West US | 40.112.150.67/32, 40.82.253.192/29 |
-| Canada Central | 52.228.42.41/32, 52.228.81.248/29 |
-| Canada East | 52.235.36.119/32, 40.89.17.232/29 |
-| Brazil South | 191.237.253.115/32, 191.235.225.216/29 |
-| North Europe | 40.113.94.67/32, 20.38.85.152/29 |
-| West Europe | 104.40.191.8/32, 20.50.1.0/29 |
-| France Central | 52.143.166.54/32, 20.43.42.8/29 |
-| France South | 52.136.131.99/32, 51.105.88.248/29 |
-| UK South | 51.140.67.72/32, 51.104.25.224/29 |
-| UK West | 51.140.202.34/32, 51.137.161.240/29 |
-| Switzerland North | 51.107.48.224/29 |
-| Switzerland West | 51.107.144.216/29 |
-| Norway West | 51.120.224.216/29 |
-| Norway East | 51.120.40.224/29 |
-| East Asia | 23.102.225.54/32, 20.189.108.56/29 |
-| Southeast Asia | 13.76.81.46/32, 20.43.131.40/29 |
-| Australia Central | 20.37.224.216/29 |
-| Australia Central 2 | 20.36.120.216/29 |
-| Australia East | 13.75.153.240/32, 20.37.195.96/29 |
-| Australia Southeast | 13.70.176.196/32, 20.42.227.128/29 |
-| South India | 104.211.231.18/32, 20.41.193.160/29 |
-| West India | 52.136.48.216/29 |
-| Japan East | 104.41.161.113/32, 20.43.66.0/29 |
-| Japan West | 23.100.106.151/32, 40.80.57.192/29 |
-| Korea Central | 52.231.67.75/32, 20.41.65.184/29 |
-| Korea South | 52.231.159.38/32, 40.80.169.176/29 |
-| US DoD East | 20.140.72.152/29 |
-| US Gov Arizona | 20.140.64.152/29 |
-| US Gov Arizona | 52.244.75.224/32, 52.244.79.140/32 |
-| US Gov Iowa | 52.244.79.140/32, 52.244.75.224/32 |
-| US Gov Texas | 52.238.166.107/32, 52.238.79.29/32 |
-| US Gov Virginia | 13.72.17.152/32, 52.227.153.92/32 |
-| South Africa North | 102.133.175.72/32 |
-| South Africa West | 102.133.75.173/32, 102.133.56.128/29, 20.140.48.216/29 |
-| UAE Central | 20.45.71.151/32, 20.37.64.216/29, 20.140.48.216/29 |
-| UAE North | 40.123.216.130/32, 20.38.136.224/29, 20.140.56.136/29 |
+Azure File Sync supports the use of [service tags](../../virtual-network/service-tags-overview.md), which represent a group of IP address prefixes for a given Azure service. You can use service tags to create firewall rules that enable communication with the Azure File Sync service. The service tag for Azure File Sync is `StorageSyncService`.
+
+If you are using Azure File Sync within Azure, you can use name of service tag directly in your network security group to allow traffic. To learn more about how to do this, see [Network security groups](../../virtual-network/security-overview.md).
+
+If you are using Azure File Sync on-premises, you can use the service tag API to get specific IP address ranges for your firewall's allow list. There are two methods for getting this information:
+
+- The current list of IP address ranges for all Azure services supporting service tags are published weekly on the Microsoft Download Center in the form of a JSON document. Each Azure cloud has its own JSON document with the IP address ranges relevant for that cloud:
+    - [Azure Public](https://www.microsoft.com/download/details.aspx?id=56519)
+    - [Azure US Government](https://www.microsoft.com/download/details.aspx?id=57063)
+    - [Azure China](https://www.microsoft.com/download/details.aspx?id=57062)
+    - [Azure Germany](https://www.microsoft.com/download/details.aspx?id=57064)
+- The service tag discovery API (preview) allows programmatic retrieval of the current list of service tags. In preview, the service tag discovery API may return information that's less current than information returned from the JSON documents published on the Microsoft Download Center. You can use the API surface based on your automation preference:
+    - [REST API](https://docs.microsoft.com/rest/api/virtualnetwork/servicetags/list)
+    - [Azure PowerShell](https://docs.microsoft.com/powershell/module/az.network/Get-AzNetworkServiceTag)
+    - [Azure CLI](https://docs.microsoft.com/cli/azure/network#az-network-list-service-tags)
+
+Because the service tag discovery API is not updated as frequently as the JSON documents published to the Microsoft Download Center, we recommend using the JSON document to update your on-premises firewall's allow list. This can be done as follows:
+
+```PowerShell
+# The specific region to get the IP address ranges for. Replace westus2 with the desired region code 
+# from Get-AzLocation.
+$region = "westus2"
+
+# The service tag for Azure File Sync. Do not change unless you're adapting this
+# script for another service.
+$serviceTag = "StorageSyncService"
+
+# Download date is the string matching the JSON document on the Download Center. 
+$possibleDownloadDates = 0..7 | `
+    ForEach-Object { [System.DateTime]::Now.AddDays($_ * -1).ToString("yyyyMMdd") }
+
+# Verify the provided region
+$validRegions = Get-AzLocation | `
+    Where-Object { $_.Providers -contains "Microsoft.StorageSync" } | `
+    Select-Object -ExpandProperty Location
+
+if ($validRegions -notcontains $region) {
+    Write-Error `
+            -Message "The specified region $region is not available. Either Azure File Sync is not deployed there or the region does not exist." `
+            -ErrorAction Stop
+}
+
+# Get the Azure cloud. This should automatically based on the context of 
+# your Az PowerShell login, however if you manually need to populate, you can find
+# the correct values using Get-AzEnvironment.
+$azureCloud = Get-AzContext | `
+    Select-Object -ExpandProperty Environment | `
+    Select-Object -ExpandProperty Name
+
+# Build the download URI
+$downloadUris = @()
+switch($azureCloud) {
+    "AzureCloud" { 
+        $downloadUris = $possibleDownloadDates | ForEach-Object {  
+            "https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_$_.json"
+        }
+    }
+
+    "AzureUSGovernment" {
+        $downloadUris = $possibleDownloadDates | ForEach-Object { 
+            "https://download.microsoft.com/download/6/4/D/64DB03BF-895B-4173-A8B1-BA4AD5D4DF22/ServiceTags_AzureGovernment_$_.json"
+        }
+    }
+
+    "AzureChinaCloud" {
+        $downloadUris = $possibleDownloadDates | ForEach-Object { 
+            "https://download.microsoft.com/download/9/D/0/9D03B7E2-4B80-4BF3-9B91-DA8C7D3EE9F9/ServiceTags_China_$_.json"
+        }
+    }
+
+    "AzureGermanCloud" {
+        $downloadUris = $possibleDownloadDates | ForEach-Object { 
+            "https://download.microsoft.com/download/0/7/6/076274AB-4B0B-4246-A422-4BAF1E03F974/ServiceTags_AzureGermany_$_.json"
+        }
+    }
+
+    default {
+        Write-Error -Message "Unrecognized Azure Cloud: $_" -ErrorAction Stop
+    }
+}
+
+# Find most recent file
+$found = $false 
+foreach($downloadUri in $downloadUris) {
+    try { $response = Invoke-WebRequest -Uri $downloadUri -UseBasicParsing } catch { }
+    if ($response.StatusCode -eq 200) {
+        $found = $true
+        break
+    }
+}
+
+if ($found) {
+    # Get the raw JSON 
+    $content = [System.Text.Encoding]::UTF8.GetString($response.Content)
+
+    # Parse the JSON
+    $serviceTags = ConvertFrom-Json -InputObject $content -Depth 100
+
+    # Get the specific $ipAddressRanges
+    $ipAddressRanges = $serviceTags | `
+        Select-Object -ExpandProperty values | `
+        Where-Object { $_.id -eq "$serviceTag.$region" } | `
+        Select-Object -ExpandProperty properties | `
+        Select-Object -ExpandProperty addressPrefixes
+} else {
+    # If the file cannot be found, that means there hasn't been an update in
+    # more than a week. Please verify the download URIs are still accurate
+    # by checking https://docs.microsoft.com/azure/virtual-network/service-tags-overview
+    Write-Verbose -Message "JSON service tag file not found."
+    return
+}
+```
+
+You can then use the IP address ranges in `$ipAddressRanges` to update your firewall. Check your firewall/network appliance's website for information on how to update your firewall.
 
 ## Test network connectivity to service endpoints
 Once a server is registered with the Azure File Sync service, the Test-StorageSyncNetworkConnectivity cmdlet and ServerRegistration.exe can be used to test communications with all endpoints (URLs) specific to this server. This cmdlet can help troubleshoot when incomplete communication prevents the server from fully working with Azure File Sync and it can be used to fine tune proxy and firewall configurations.
