Depending on connectivity and routing requirements there may be a need to create firewall policy or ACLs, a Web Proxy filter configuration or PAC file, or some type of routing distribution filter somewhere on the network. If you're unable to dynamically ingest the MS BGP Community prefixes and have to enter them manually, then keeping up with Microsoft altering the IP addresses over time becomes a risky challenge, on top of the operational burden of managing the lists in the first place.
This issue of IP whitelisting and changing addresses has, in my experience, become a recurring problem in the last few years, as services require you to whitelist specific FQDNs and, on top of that, wildcard FQDNs. Whilst some platforms have matured in supporting this approach (L7 filtering, for instance, so you can filter on the URL or even on specifics in the URN), there will probably be a requirement for some time to come for IP whitelisting, or for manual generation of proxy configuration or routing information.
Microsoft have provided some relief, for instance around Office 365 endpoint information, by publishing a web service for Office 365 IP addresses and URLs. The web service, with its accompanying scripts in both PowerShell and Python, is quite useful for assessing changes and raising an alert along with the latest information that can be used to update systems. They're probably not the only ones to have provided dynamic access to changing information; they also provide the ability to fetch Azure BGP Community information via Az module PowerShell commands.
A script at https://github.com/roity57/Azure-Gather-and-Compare-Info/blob/master/AzBGPCommunities.ps1 will help with fetching the data, storing it in text format and then flagging changes. It can either be set to query a certain community by name or be allowed to enumerate all of them, capturing each community into its own sub-folder. It can also either capture the full community information that Microsoft publishes or filter down to just the CIDR prefix list.
The gathered information could then be used by further scripts to convert it to ACLs, firewall policies or similar for use elsewhere, utilising whatever options the platforms offer, such as REST API calls. Alternatively, additional PowerShell could be added to generate email alerts or similar. Overview of the script:
- Setup file environment and Import the compare function
- Specify/Choose communities or enumerate all
- Designate output folder and create if required
- Setup filename format
- Loop through specified or all communities
- Output default command info or just CIDR prefix list
- Run the compare function for the community exported
- The compare function script is at https://github.com/roity57/Azure-Gather-and-Compare-Info/blob/master/Modules/CompareFunc.ps1
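As an added example, not the author's AzBGPCommunities.ps1 or its CompareFunc module, the following PowerShell carries the capture-and-compare steps above for a single community using the Az.Network cmdlet Get-AzBgpServiceCommunity; the community name, folder layout and file naming are assumptions.

```powershell
# Added example (not the author's script): fetch one Azure BGP service community's
# prefixes, write them to a dated text file and report prefixes added or removed
# since the previous capture. Assumes Az.Network is installed and Connect-AzAccount
# has already been run.
param(
    [string]$CommunityName = 'AzureActiveDirectory',   # assumed example community name
    [string]$OutputRoot    = (Join-Path $PWD 'BgpCommunities')
)

$folder = Join-Path $OutputRoot $CommunityName
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# The most recent previous capture, if any, is the baseline for the comparison.
$previous = Get-ChildItem -Path $folder -Filter '*.txt' |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1

# Pull the community and reduce it to a sorted, de-duplicated CIDR prefix list.
$community = Get-AzBgpServiceCommunity | Where-Object { $_.Name -eq $CommunityName }
if (-not $community) { throw ("Community '{0}' not found" -f $CommunityName) }
$prefixes = @($community.BgpCommunities |
              ForEach-Object { $_.CommunityPrefixes } |
              Sort-Object -Unique)

$current = Join-Path $folder ('{0}_{1}.txt' -f $CommunityName, (Get-Date -Format 'yyyyMMdd-HHmmss'))
$prefixes | Set-Content -Path $current

if ($previous) {
    $old  = @(Get-Content -Path $previous.FullName)
    $diff = Compare-Object -ReferenceObject $old -DifferenceObject $prefixes
    if ($diff) {
        # A changed list means ACLs, proxy rules or route filters built from it are stale.
        Write-Warning ('{0}: prefix list changed since {1}' -f $CommunityName, $previous.Name)
        $diff | ForEach-Object {
            $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            Write-Output ('{0} {1}' -f $tag, $_.InputObject)
        }
    } else {
        Write-Output ('{0}: no change since {1}' -f $CommunityName, $previous.Name)
    }
} else {
    Write-Output ('{0}: baseline captured to {1}' -f $CommunityName, $current)
}
```

Running it on a schedule gives a dated history per community, and the ADDED/REMOVED lines are what an alerting or ACL-generation step would consume.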