Automating Azure Storage Account IP Restrictions with Power Automate

Automating Azure Storage Account IP Restrictions with Power Automate

When managing Azure Storage Accounts, it’s essential to control access by restricting allowed IP addresses. Manually updating these restrictions can be cumbersome, especially when dealing with frequently changing IP ranges. To address this challenge, I developed a Power Automate custom connector that automates fetching and processing Azure IP ranges using Microsoft’s Azure IP Ranges and Service Tags JSON files.

While my initial use case focused on automating Azure IP Ranges and Service Tags, this solution can also be adapted to work with custom lists of IP addresses. Many of the actions in this connector, such as reducing CIDR blocks and generating IP rules, can be applied to any list of IP addresses. This allows users to integrate their own IP management workflows and leverage the Azure Management API to dynamically update firewall rules.

I collaborated with Chris Chin to refine this idea, ultimately simplifying the process of updating storage account firewall rules dynamically.

The Challenge

I needed to update an Azure Storage Container’s IP restrictions to allow specific Azure service IPs. The IP addresses I required were within Microsoft’s downloadable JSON file for Azure IP Ranges and Service Tags (available here). The problem?

  • The file name changes monthly, making it impossible to use a static link.
  • The storage account IP restriction rules have a maximum CIDR prefix of /30, requiring filtering.
  • The JSON file includes overlapping CIDR ranges, which needed optimization.
  • Azure Storage Accounts only support 400 IP rules (limit reference), so it’s necessary to check for and eliminate overlapping CIDRs to reduce the number of rules.

The Solution: A Power Automate Custom Connector

To automate this process, I created a Power Automate custom connector that performs the following:

  1. Fetches the latest download link from the Microsoft website by scraping the URL dynamically.
  2. Downloads the JSON file and extracts the IP ranges associated with specified service tags.
  3. Filters CIDR blocks to ensure no prefixes larger than /30 are included.
  4. Reduces redundant CIDR ranges, keeping only the most efficient set.
  5. Generates an array of IP Rules formatted for use in Azure Management API.
  6. Updates the Azure Storage Account’s firewall rules using an HTTP PATCH request.

How It Works

The Power Automate flow consists of the following steps:

  1. Retrieve the latest download URL using the GetDirectDownloadUrl action.
    image
  2. Extract service tags and IP addresses using the GetIPAddressesByServiceTag action.
    image
  3. Filter CIDR ranges using CIDRReducer, ensuring only /30 or smaller prefixes are included.  This action also included an output for Reduced Count, so you can check to make sure your IP addresses are less than 400 at this point.
    image
  4. Generate IP rules using GenerateIPRules, formatting them for Azure Storage firewall.
    image
  5. Compose the request body for the Azure Management API with defaultAction set to Deny and ipRules containing the allowed list.
    image
  6. Call the Azure Management API via an HTTP PATCH request to update the storage account settings.
    image

Overall flow diagram generated using PowerDocu
flow-detailed

API Call Example

To update the storage account firewall, I used the following API request:

PATCH https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}?api-version=2024-01-01

For GCC or GCCH, use:

PATCH https://management.usgovcloudapi.net/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}?api-version=2024-01-01

The authentication method used was App Registration, with the Storage Account Contributor role assigned.

Prerequisites

Before using this solution, you’ll need to set up an App Registration in Entra ID and assign it the necessary permissions on the Azure Storage Account.

1. Create an App Registration

  1. Navigate to Entra Id in the Azure Portal.
  2. Select App registrations > New registration.
  3. Enter a name and select the appropriate supported account types.
  4. Click Register.

2. Generate Client Credentials

  1. In the App Registration, navigate to Certificates & secrets.
  2. Click New client secret, enter a description, and set an expiration date.
  3. Copy the generated secret value (it won’t be shown again).

3. Assign Role to the Storage Account

  1. Navigate to your Azure Storage Account.
  2. Go to Access Control (IAM) > Role assignments.
  3. Click Add role assignment.
  4. Select Storage Account Contributor.
  5. Assign the role to your App Registration.

Once set up, this App Registration will authenticate API calls to update storage firewall rules.

Deploying the Connector in Power Platform

You can install this solution by downloading and importing the provided solution file or by manually using the PACONN or PAC CLI tools.

1. Install Using Solution File

You can directly download and import the Power Platform solution file:

  • Download Solution File: AzureIPAddressesCustomConnector_1_0_0_1.zip
  • Import into Power Automate:
    1. Go to Power Apps > Solutions.
    2. Click Import Solution.
    3. Upload the downloaded .zip file.
    4. Follow the prompts to complete the import.

2. Manually Import Using PACONN

If you prefer using the PACONN CLI tool, follow these steps:

  • Install the Power Platform CLI (paconn) following this guide.
  • Use the following command to import the connector:
    paconn create --api-definition apiDefinition.swagger.json --icon icon.png --script script.c
    This connector includes a code file, so you must use the --script option.

3. Manually Import Using PAC CLI

Alternatively, you can use the Power Platform CLI (PAC CLI):

  • Install the PAC CLI following this guide.
  • Use the following command:
    pac connector create --api-definition apiDefinition.swagger.json --script-file script.c
    The --script-file option is required since this connector includes a custom script.

👉 GitHub Repository

Conclusion

By leveraging Power Automate and a custom connector, I eliminated the need for manual updates to Azure Storage firewall rules. This solution dynamically fetches the latest IP ranges, optimizes CIDR blocks, and seamlessly updates the storage account via API—all without requiring user intervention.

Big thanks to Chris Chin for helping refine this approach!

Comments

Post a Comment

Popular posts from this blog

Add User As Local Administrator On Domain Controller

I recently was settting up a new Microsoft SharePoint 2010 machine and had promoted the machine to a domain controller before creating my SharePoint admin accounts.  I needed to add several of my accounts to the local Administrators group.  Unfortunately after you promote a server to a domain controller you can no longer access the GUI for Local Users and Groups.  Instead I had to use the command line to add the users. Open a command promt using the "Run as administrator" function and then run the following command. net localgroup Administrators /add {domain}\{user} Note: do not include the {} brackets.
Read more

How to Create SharePoint Items with Power Automate Desktop

Image
Overview Power Automate Desktop is a great way to automate many of your daily task so you can focus on real work. A prime example of this is getting data from one place to another, especially when those data sources do not have an API such as a legacy desktop application or a file. In this example I demonstrate several ways in which an Excel sheet containing fictitious customer data could be loaded into a SharePoint list. In order to do this I first generated some fake data for my customers using Mockaroo . I then created a new SharePoint list and added some columns to match my spreadsheet. Methods My original plan was to just use the PAD recorder , which I did, but after creating that Flow I decided to find other possible ways to accomplish the task. The list below is not a complete list but should provide some ideas. The flexibility of PAD allows for an even wider range of possibilities for carrying out tasks such as these. At the end of each section I have placed the s...
Read more

Calling Dataverse Web API in PowerShell using Client Credentials

Image
Connecting to Dataverse using PowerShell can be very helpful for data migrations and use within Azure DevOps. Connecting to an instance in a non-interactive way can be tricky though. This article will provide you the links you need for creation and App registration and adding the app user to your environment. You can then utilize the script provided to call Web API requests including ones you define using the new Custom API functionality now available. The script was written so that it is not dependent on any outside libraries such as the Microsoft.Xrm.Tooling connector. This is helpful in situation where involving an outside library will slow down your deployment time by having to be approved in a change control board. If utilizing an outside code library is not a concern you can create a connection to Dataverse utilizing the Microsoft.Xrm.Tooling connector Get-CrmConnection cmdlet. Create App Registration The first thing to do is create an App Registration within Azure AD for ...
Read more