Service Tags provide a streamlined way to manage the IP addresses allowed between your channel service and your bot application/API. Instead of manually maintaining IP addresses, Service Tags let you whitelist Azure Bot Service (ABS) IPs on the side that hosts your bot code, so you don't have to update the list each time those addresses change. Understanding the key networking considerations is also important for an effective implementation; for more on them, refer to the article "Navigating Azure Bot Networking: Key Considerations for Privatization". This article is a step-by-step guide to implementing Service Tags for your Azure Bot Service.
Key Benefits:
- Automated Updates: Service Tags automatically update IP addresses, reducing manual intervention.
- Simplified Configuration: By adding a Service Tag, you ensure that only requests from Azure Bot Service can reach your app service.
Implementation Steps:
Azure Service Tags (see "Azure service tags overview | Microsoft Learn"):
- Pre-requisite:
  - The bot service should be public.
  - The App Service should not have a private endpoint, and no virtual network should be configured with it.
- Configuration:
  - Go to the networking settings of the Azure App Service:
    - Click on "Enabled with no access restrictions".
    - Select "Enabled from select virtual networks and IP addresses".
    - Under Unmatched Rule Action, select "Deny" (this denies any traffic that does not match our rule).
    - Click on Add under the Unmatched rule section.
    - Add the rule to allow requests from Azure Bot Service to the App Service.
    - Click on Add rule; the new rule then appears in the rules section.
    - Save the configuration.
The Service Tag configuration is now complete, and only requests from AzureBotService should be able to reach the App Service.
If you browse to the App Service endpoint directly now, you will get a 403 Forbidden response, because access is allowed only for Azure Bot Service.
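The same configuration scripted with the Azure CLI, followed by the 403 check, as an added example that is not part of the original article. The resource group, app name, rule name, priority and the default `azurewebsites.net` hostname are assumptions, and `--default-action` needs a recent Azure CLI release.

```bash
#!/usr/bin/env bash
# Added example: Azure CLI equivalent of the portal steps above.
# Resource group, app name, rule name and priority are placeholders.

# Allow the AzureBotService service tag, then deny all unmatched traffic.
restrict_to_bot_service() {
  rg="$1"; app="$2"
  az webapp config access-restriction add \
    --resource-group "$rg" --name "$app" \
    --rule-name AllowAzureBotService \
    --action Allow --priority 100 \
    --service-tag AzureBotService || return 1
  # Same as choosing "Deny" for the unmatched rule action in the portal.
  az webapp config access-restriction set \
    --resource-group "$rg" --name "$app" \
    --default-action Deny || return 1
}

# Succeeds when a direct request (not via Azure Bot Service) gets HTTP 403.
direct_access_is_blocked() {
  code="$(curl -s -o /dev/null -w '%{http_code}' "$1")"
  [ "$code" = "403" ]
}

# Usage: ./restrict.sh <resource-group> <app-name>
if [ "$#" -eq 2 ]; then
  restrict_to_bot_service "$1" "$2" || exit 1
  # Review the resulting rule set.
  az webapp config access-restriction show \
    --resource-group "$1" --name "$2" --output table
  # Assumes the app uses the default <app-name>.azurewebsites.net hostname.
  if direct_access_is_blocked "https://$2.azurewebsites.net/"; then
    echo "OK: direct requests are rejected with 403"
  else
    echo "WARNING: endpoint still answers direct requests" >&2
    exit 1
  fi
fi
```

Run the check from a machine outside Azure Bot Service; a new rule can take a short time to apply, so repeat the check if the first attempt is not yet a 403.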
By automating IP address updates and simplifying configuration, Service Tags ensure that only requests from Azure Bot Service can reach your app service, reducing the risk of unauthorized access. With the steps outlined in this article, you can easily configure Service Tags, thereby enhancing the security and efficiency of your bot service.