How to Find Azure Resources with Public IP Addresses
Published Feb 13 2022 11:00 PM 34.1K Views
Microsoft

Overview

Creating resources in Azure is simple for IT teams these days, but finding all the public endpoints that could be visible to the internet can be challenging. Why do I need to understand which IPs are exposed to the internet? Without a proper understanding of which public IPs are reachable from the internet, we cannot fully secure or protect our resources. In this article we will use the native Azure Resource Graph Explorer to query not only virtual machine public IP addresses but also other resources in our Azure tenant whose properties contain IP addresses.

The Method

Using Resource Graph Explorer, we can see there is already a pre-built query called "List all public IP addresses".

[Screenshot: the pre-built "List all public IP addresses" query in Resource Graph Explorer]

Looking at the results, we can see that this query returns the public IP addresses of resources whose type contains 'publicIPAddresses'.

[Screenshot: results of the pre-built query, listing resources of type publicIPAddresses]

But what if a resource does not have a type containing 'publicIPAddresses'? Examples of such resources are Local Network Gateways, Virtual Network Gateways, Web Sites and many others.

That is where the power of Resource Graph Explorer comes in. We can use a regular expression to expand our query to look through all properties of all resources and identify IP addresses.

The query to identify anything that looks like an IP could look like this:

resources
| where properties matches regex @'\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
| project name, type, location, resourceGroup, subscriptionId, properties

and our results will look something like this:

[Screenshot: results of the regex query, showing resources of several types whose properties contain an IP address]

This is a great start: we can find anything that looks like an IP address. But this means we are also including our private IP ranges, such as 10.0.0.0.

We can also refine the regex by using two websites:

1. IP Range Regular Expression Builder - AnalyticsMarket

This website builds a regular expression for you from the IP address range you enter.

For this example I will use the range 100.0.0.0 - 255.255.255.255

[Screenshot: the IP Range Regular Expression Builder with the chosen range entered]

2. regex101: build, test, and debug regex

This website analyzes your regex and lets you test it against a sample string.

[Screenshot: the generated regex being tested on regex101]

Now that we have our new range, we can make a small modification to our original Resource Graph Query.

resources
| where properties matches regex @'[12]\d\d(\.([1-9]?\d|[12]\d\d)){3}'
| project name, type, location, resourceGroup, subscriptionId, properties

and it will return only IP Addresses in our chosen range from 

[Screenshot: results of the modified query, showing only addresses in the chosen range]

With this information retrieved, we need to ask the question: "Do we need publicly accessible endpoints for these resources?" If we do, then we need to secure them according to the best practices in the Azure Security Benchmark; if we don't, they can be removed and replaced with Private Endpoints, Private Link, Azure Bastion and similar services.
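Before acting on the results it helps to see exactly what the two regular expressions above keep and drop. The following Python script is an added example, not part of the original post and not code from Azure Resource Graph: it runs both of the article's patterns over a small constructed set of resources, shaped like the name/type/properties rows Resource Graph returns, and then classifies every matched address as public or not using a hand-maintained list of non-public ranges (RFC 1918, loopback, link-local, carrier-grade NAT, multicast and reserved). That list, the resource names and all addresses are assumptions made up for the example. Two things the sample makes visible: the narrowed pattern only matches addresses whose first octet is 100 to 299, so a public address such as 20.50.60.70 is not returned by it, and the broad pattern also matches a dotted version string such as 1.2.3.4 or an impossible octet above 255.

```python
import ipaddress
import json
import re

# Constructed sample resources shaped like Resource Graph rows (name, type,
# properties). Names and addresses are made up for this example.
SAMPLE_RESOURCES = [
    {"name": "vm-web-01", "type": "microsoft.network/publicipaddresses",
     "properties": {"ipAddress": "20.50.60.70"}},
    {"name": "lng-onprem", "type": "microsoft.network/localnetworkgateways",
     "properties": {"gatewayIpAddress": "203.0.113.8",
                    "localNetworkAddressSpace": {"addressPrefixes": ["10.10.0.0/16"]}}},
    {"name": "vnet-hub", "type": "microsoft.network/virtualnetworks",
     "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]}}},
    {"name": "app-api", "type": "microsoft.web/sites",
     "properties": {"outboundIpAddresses": "40.1.2.3,40.1.2.4",
                    "siteVersion": "1.2.3.4"}},   # dotted version string, not an IP
    {"name": "sa-logs", "type": "microsoft.storage/storageaccounts",
     "properties": {"networkAcls": {"defaultAction": "Allow"}}},  # no IP at all
]

# The two patterns from the article, unchanged apart from Python raw-string syntax.
ANY_IP_RE = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")
RANGE_RE = re.compile(r"[12]\d\d(\.([1-9]?\d|[12]\d\d)){3}")

# Ranges treated as "not reachable from the internet". This list is an
# assumption for the example (RFC 1918, loopback, link-local, "this" network,
# carrier-grade NAT, multicast, reserved); extend it to match your environment.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "100.64.0.0/10", "224.0.0.0/4", "240.0.0.0/4",
)]


def properties_text(resource):
    """Resource Graph matches the regex against the serialised properties bag;
    json.dumps gives us the same kind of flat text to search here."""
    return json.dumps(resource["properties"])


def names_matching(pattern):
    """Names of resources that `where properties matches regex` would keep."""
    return [r["name"] for r in SAMPLE_RESOURCES if pattern.search(properties_text(r))]


def is_non_public(ip):
    """True when the address falls inside one of the NON_PUBLIC ranges."""
    return any(ip in net for net in NON_PUBLIC)


def public_ip_candidates(resource):
    """Every dotted-quad in the properties that parses as a valid IPv4 address
    and is outside NON_PUBLIC. Octets above 255 (which the regex accepts) are
    rejected by ipaddress and dropped."""
    found = set()
    for m in ANY_IP_RE.finditer(properties_text(resource)):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:
            continue
        if not is_non_public(ip):
            found.add(str(ip))
    return sorted(found)


def public_ip_report():
    """Map resource name -> public-looking addresses, only for resources that have any."""
    report = {}
    for r in SAMPLE_RESOURCES:
        ips = public_ip_candidates(r)
        if ips:
            report[r["name"]] = ips
    return report


if __name__ == "__main__":
    print("broad regex keeps:", names_matching(ANY_IP_RE))
    print("range regex keeps:", names_matching(RANGE_RE))
    for name, ips in public_ip_report().items():
        print(f"{name}: {ips}")
```

Running it shows the broad pattern keeping four of the five sample resources (including the VNet that only holds 10.0.0.0/16) and the range pattern keeping only the gateway whose address starts with 203, while the classification step returns the gateway's 203.0.113.8, the VM's 20.50.60.70 and the web app's outbound addresses, together with the 1.2.3.4 version string that no regex can tell apart from an address. Against a real tenant you would export the properties column from the Resource Graph result and feed it through the same classification, then review the remaining false positives by hand.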

I hope this query can help you further explore and secure Azure resources that have Public IP addresses.

Take Note: Although this query provides more information by looking at every resource type that has an IP address in its properties, some resources, such as Storage Accounts and Key Vaults, do not have an IP in their properties and could still be exposed to the internet, so they also need to be investigated.

More Resources

Quickstart: Your first portal query - Azure Resource Graph | Microsoft Docs

Azure Resource Graph: From beginner to expert (microsoft.com)

Azure Security Benchmark overview | Microsoft Docs

Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Last update: Feb 14 2022 05:42 AM