Forum Discussion

santosh150
Copper Contributor
Jun 24, 2024
Solved

Site recovery service

Hello,

 

Please help me with the exact firewall URLs, Microsoft 365 IP ranges and ports to enable Azure-to-Azure Site Recovery. I have gone through the MS docs but am confused about the exact Microsoft 365 IP address range to whitelist.

3 Replies

  • DTB
    Iron Contributor

    Hi santosh150,

     

    Firewall URLs and Ports for Azure Site Recovery

     

    Required URLs

    To enable Azure Site Recovery (ASR), you need to whitelist specific URLs and ports. Here are the primary URLs you should whitelist:

     

    1. Azure Service URLs:
    • *.hypervrecoverymanager.windowsazure.com
    • *.servicebus.windows.net
    • *.backup.windowsazure.com
    • *.blob.core.windows.net
    • *.store.core.windows.net
    • *.queue.core.windows.net

     

    2. Azure Authentication URLs:
    • https://login.microsoftonline.com
    • https://login.windows.net
    • https://login.microsoft.com
    • https://sts.windows.net

     

    Required Ports

    The following ports need to be open to ensure proper communication for Azure Site Recovery:

     

    1. Outbound Ports:
    • HTTPS (TCP 443): Required for all ASR communication.
    • HTTP (TCP 80): Required for initial setup and metadata exchange.
    2. Inbound Ports:
    • Typically, no inbound ports need to be opened for ASR as it primarily uses outbound connections.


    Microsoft 365 IP Range and Ports

    For configuring firewall rules for Microsoft 365, Microsoft provides a dynamic and regularly updated list of IP addresses and URLs. Here’s how you can obtain and configure them:


    1. Microsoft 365 URLs and IP Addresses:
    • Microsoft maintains a comprehensive list of IP addresses and URLs that can be accessed at the following link:
    • Microsoft 365 URLs and IP address ranges
    • This document is updated regularly and includes specific services like Exchange Online, SharePoint Online, and Microsoft Teams.
    2. Downloadable Lists:
    • Microsoft also provides downloadable XML files and a web service for automating the retrieval of the latest IP ranges. This can be integrated into your firewall configuration scripts to ensure they stay up-to-date.
    3. Example Configuration:
    • For example, to whitelist the IP ranges for Exchange Online, you would refer to the section in the document specific to Exchange and ensure all listed IP ranges and URLs are whitelisted.


    Steps to Configure Firewall for Azure Site Recovery

    1. Identify and List URLs and IP Ranges:
    • Compile the necessary URLs and IP ranges from the Azure and Microsoft 365 documentation.
    2. Configure Outbound Rules:
    • In your firewall settings, create outbound rules to allow traffic on ports 80 and 443 to the specified URLs and IP ranges.
    3. Regular Updates:
    • Set up a process to regularly update your firewall rules with the latest Microsoft 365 IP ranges. You can use scripts to automate this process if your firewall supports it.

    Example Script for Updating Firewall (PowerShell)

    If your firewall supports PowerShell scripting, you can use a script to automatically update the IP ranges:

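    # Example PowerShell script to update firewall rules for Microsoft 365

    # The endpoints web service requires a client request ID (a GUID) and returns JSON
    $clientRequestId = [guid]::NewGuid().Guid
    $ipRangesUrl = "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$clientRequestId"
    $outputFile = "C:\path\to\output\microsoft365-ips.json"

    # Download the latest IP ranges
    Invoke-WebRequest -Uri $ipRangesUrl -OutFile $outputFile

    # Parse the JSON file and extract the unique IP ranges
    $endpointSets = Get-Content -Path $outputFile -Raw | ConvertFrom-Json
    $ipRanges = $endpointSets | Where-Object { $_.ips } | ForEach-Object { $_.ips } | Sort-Object -Unique

    # Update firewall rules (example for Windows Firewall)
    # Outbound rules match on the remote port, so use -RemotePort rather than -LocalPort
    foreach ($ip in $ipRanges) {
        New-NetFirewallRule -DisplayName "Microsoft 365 IP $ip" -Direction Outbound -RemoteAddress $ip -Action Allow -Protocol TCP -RemotePort 80,443
    }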

    Ensure you customize the script based on your firewall management tools and environment.

     

    Conclusion

     

    By following these guidelines, you should be able to configure your firewall to support Azure to Azure Site Recovery effectively. Regularly updating your rules with the latest Microsoft 365 IP ranges is crucial to maintaining seamless operation.


    I hope this helps! If you have any more questions or need further assistance, feel free to ask.
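
An added example, not part of the post above and not Microsoft's own tooling: one way to implement the "Regular Updates" step so that each run allows only newly published ranges and retires ranges that have left the list, instead of accumulating allow rules. The JSON is constructed sample data in the shape the endpoints web service returns (`ips`, `tcpPorts`, `required`) with documentation address ranges; the function names and `$previous` are hypothetical, and the firewall cmdlets assume Windows with the NetSecurity module.

```powershell
# Added example: plan allowlist changes between two endpoint snapshots.
# Constructed sample in the shape of the endpoints web service response;
# the addresses are documentation ranges, not real Microsoft 365 ranges.
$sampleJson = @'
[
  {"id": 1, "serviceArea": "Exchange", "ips": ["192.0.2.0/24", "2001:db8:1::/48"], "tcpPorts": "80,443", "required": true},
  {"id": 2, "serviceArea": "SharePoint", "urls": ["*.example.invalid"], "tcpPorts": "443", "required": true},
  {"id": 3, "serviceArea": "Skype", "ips": ["198.51.100.0/24"], "udpPorts": "3478", "required": true},
  {"id": 4, "serviceArea": "Common", "ips": ["203.0.113.0/24"], "tcpPorts": "443", "required": false}
]
'@

function Get-RequiredTcpRange {
    param([object[]]$EndpointSets)
    # Keep required endpoint sets that publish IP ranges and use TCP 80 or 443.
    $EndpointSets |
        Where-Object { $_.required -and $_.ips -and $_.tcpPorts } |
        Where-Object { @($_.tcpPorts -split ',' | ForEach-Object { $_.Trim() }) -match '^(80|443)$' } |
        ForEach-Object { $_.ips } |
        Sort-Object -Unique
}

function Get-AllowlistChange {
    param([string[]]$Current = @(), [string[]]$Desired = @())
    [pscustomobject]@{
        Add    = @($Desired | Where-Object { $_ -notin $Current })   # new ranges to allow
        Remove = @($Current | Where-Object { $_ -notin $Desired })   # stale rules to retire
    }
}

# Ranges applied on the previous run (constructed); persist these between runs.
$previous = @('192.0.2.0/24', '198.51.100.0/24')

$endpointSets = $sampleJson | ConvertFrom-Json
$desired = @(Get-RequiredTcpRange -EndpointSets $endpointSets)
$change = Get-AllowlistChange -Current $previous -Desired $desired

# Dry run: -WhatIf reports each change without touching Windows Firewall.
# A rule that is already absent is not treated as an error here.
foreach ($ip in $change.Remove) {
    Remove-NetFirewallRule -DisplayName "Microsoft 365 IP $ip" -WhatIf -ErrorAction SilentlyContinue
}
foreach ($ip in $change.Add) {
    New-NetFirewallRule -DisplayName "Microsoft 365 IP $ip" -Direction Outbound `
        -RemoteAddress $ip -Action Allow -Protocol TCP -RemotePort 80,443 -WhatIf
}
$change | Format-List
```

Drop `-WhatIf` only after reviewing the plan, and store `$desired` as the next run's `$previous`.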

    • santosh150
      Copper Contributor
      I will try and confirm if it works... without any error