Azure IP Ranges and Service Tags in Meraki Firewall rules

Solved
Joseph00000
Conversationalist

Hi team,

Azure has this feature where a service tag can be used to specify a service without the need to specify a range of networks that are dynamic. This makes the rules maintainable. For example: Sql for network ranges of SQL servers, and this can extend to locations, e.g. Sql.Australia is the networks of SQL servers in Australia. The list of IP ranges and service tags is publicly available at: https://www.microsoft.com/en-us/download/details.aspx?id=56519

I need to filter traffic from Azure Data Factory to a specific IP address of a remote Meraki site. The list of networks is long and would be unmaintainable if specified manually. Is there a mechanism within Meraki to do this - specify a service tag that translates to these dynamic Azure networks?

Otherwise, how do you manage and update a dynamic list of IP networks in Meraki firewall rules?

Thank you

Joseph

4 Replies
Brash
Kind of a big deal

No, Meraki doesn't have a way to keep on top of a dynamic list of IP addresses. You will need to manually update them on change.

This is the same for all firewalls I've worked with, where the only 'dynamic' lookups of IPs you can have the firewall perform is using FQDNs.

If you are planning to add in the mega list of subnets, I suggest using policy objects.

Joseph00000
Conversationalist

Thank you, Brash! The Azure list is long and changes from time to time, which means manual updates can lead to oversight. Is this scriptable - watch Azure updates and update the objects in Meraki any time Microsoft publishes updates to the IP ranges and service tags? Thanks again for your help.

Brash
Kind of a big deal

I don't see why not.

If you can script something to trigger when Microsoft updates their IPs, you can update the Meraki firewall rules (or policy object, if you're doing it that way) via the API.

Update Network Appliance Firewall Cellular Firewall Rules - Meraki Dashboard API v1 - Cisco Meraki D...

Update Organization Policy Object - Meraki Dashboard API v1 - Cisco Meraki Developer Hub
Update Organization Policy Objects Group - Meraki Dashboard API v1 - Cisco Meraki Developer Hub

PhilipDAth
Kind of a big deal

Personally, I would create a network object group, and then have a firewall rule reference that. Then create a script on a schedule (such as once a day) that updates the network object group.

Actually, now that I remember, I created a script that can import CSV files to build firewall rules and construct network objects and groups. You could either base it on that or create another script to download the Azure data and save it in the same CSV format as I am using.

https://ifm.net.nz/cookbooks/mfw.html

I think I originally created this to migrate firewall rule sets from other vendor firewalls to Meraki. You just need to collect all the rules in one spreadsheet and all the objects in another. Save as CSV. Go home early.
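The scheduled-sync approach described in the two replies above (download the Azure service-tag file, diff it against the Meraki policy objects, push only the changes) as an added example that is not part of this thread or of the linked cookbook. It works offline on a constructed sample of Microsoft's ServiceTags_Public_<date>.json and a constructed list in the shape returned by GET /organizations/{organizationId}/policyObjects; the "azure-<tag>-<cidr>" naming convention, the IPv4-only default and the DataFactory.AustraliaEast tag name are assumptions, and the actual HTTP calls to the Meraki Dashboard API are left to the caller.

```python
import ipaddress
import json

# Constructed sample in the shape of Microsoft's ServiceTags_Public_<date>.json download
AZURE_SERVICE_TAGS = json.loads("""
{"changeNumber": 210, "cloud": "Public", "values": [
  {"name": "DataFactory.AustraliaEast", "id": "DataFactory.AustraliaEast",
   "properties": {"changeNumber": 12, "region": "australiaeast", "platform": "Azure",
                  "systemService": "DataFactory",
                  "addressPrefixes": ["13.70.74.144/28", "20.37.192.0/24",
                                      "2603:1010:6:1::300/123"]}}]}
""")

# Constructed sample of what GET /organizations/{organizationId}/policyObjects returns
# (only the fields used here); 40.79.160.0/24 is a stale entry Azure no longer publishes
MERAKI_POLICY_OBJECTS = [
    {"id": "1001", "name": "azure-DataFactory.AustraliaEast-13.70.74.144_28",
     "category": "network", "type": "cidr", "cidr": "13.70.74.144/28", "groupIds": ["200"]},
    {"id": "1002", "name": "azure-DataFactory.AustraliaEast-40.79.160.0_24",
     "category": "network", "type": "cidr", "cidr": "40.79.160.0/24", "groupIds": ["200"]},
    {"id": "1003", "name": "branch-printer", "category": "network", "type": "cidr",
     "cidr": "10.1.1.10/32", "groupIds": []},
]

def azure_prefixes(service_tags, tag, ipv4_only=True):
    """Prefixes published for one tag; malformed entries are rejected by ipaddress, not pushed."""
    for entry in service_tags["values"]:
        if entry["name"] == tag:
            nets = (ipaddress.ip_network(p, strict=False) for p in entry["properties"]["addressPrefixes"])
            return {str(n) for n in nets if not ipv4_only or n.version == 4}
    raise KeyError(f"service tag {tag!r} not in download")

def tag_change_number(service_tags, tag):
    """Per-tag changeNumber; store it after each run and skip the tag when it has not moved."""
    return next(e["properties"]["changeNumber"] for e in service_tags["values"] if e["name"] == tag)

def plan_sync(service_tags, tag, policy_objects, name_prefix="azure-"):
    """Diff Azure's list against the Meraki objects named '<name_prefix><tag>-<cidr>' (assumed convention).
    Returns (create_bodies, delete_ids): bodies for POST .../policyObjects, ids for DELETE.
    Objects without the managed name prefix (e.g. branch-printer) are never touched."""
    wanted = azure_prefixes(service_tags, tag)
    managed_prefix = f"{name_prefix}{tag}-"
    managed = {o["cidr"]: o["id"] for o in policy_objects
               if o["type"] == "cidr" and o["name"].startswith(managed_prefix)}
    create = [{"name": f"{managed_prefix}{c.replace('/', '_')}", "category": "network",
               "type": "cidr", "cidr": c} for c in sorted(wanted - set(managed))]
    delete = [managed[c] for c in sorted(set(managed) - wanted)]
    return create, delete
```

Newly created objects still have to be added to the policy object group the firewall rule references (Update Organization Policy Objects Group), and deleting a stale object removes it from the group as well, so run the create step before the delete step to avoid a window with no matching entries.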
