
Azure Notifications via webhook - Source IPs?

Theodore_x86
Helper

Hello.

We are using DYNATRACE MANAGED and we want to create the ingestion below:

https://docs.dynatrace.com/managed/ingest-from/microsoft-azure-services/azure-integrations/azure-mon...

There is a way to unravel the source IPs (public IPs from AZURE), but what happens if they change dynamically? This is inbound traffic, so security has to apply specific rules for the source IPs.

Has anyone faced the same issue?

Thanks!

Houston, we have a problem.
5 REPLIES

Yosi_Neuman
DynaMight Guru

Hi @Theodore_x86 

Maybe you can ask the security team to use the URI path (i.e. /modules/azure_monitoring/alerts_webhook) together with the token parameter value to be added to the allow list requests for all IPs?

HTH

Yos  

dynatrace certificated professional - dynatrace master partner - Matrix Soft Ware Division - Israel

Thanks for the reply @Yosi_Neuman.

I think that Security will not accept allowing requests from any public IP, filtering with just the endpoint name. Security-wise this introduces a vulnerable entry point.

If someone has implemented this, maybe they could suggest how he/she dealt with the network.

BR

Houston, we have a problem.

@Theodore_x86 each Azure service generally has a list of public IPs you can use to put into a firewall config for on-prem.  I believe it would be region based as well.  Take a look at this link for Azure Monitor. It references a JSON file with IPs that are updated weekly. 

 

Yes @kayjayeff1, but this is precisely the problem: those IPs change from time to time, so Security needs to update the configuration each time.

I cannot see any solution other than allowing every IP to send a webhook to the ActiveGate, which is not a secure way to go.

BR

Houston, we have a problem.

Well, they COULD change, but they probably do not change that often.  I have dealt with similar concerns in the past.  I am not sure you have other options.  You could check with Azure tech support on this, but I think they will tell you to do the same. 
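The weekly update discussed in this thread can be reduced to a reviewed diff rather than a manual re-entry of the list. The sketch below is an added example, not code from any poster or from Dynatrace or Microsoft: it assumes the published JSON has the `values[].name` / `properties.addressPrefixes` layout, and the tag name `AzureMonitor.WestEurope`, the sample prefixes and the function names are constructed for illustration (use whichever tag the Azure documentation names for the webhook source).

```python
import ipaddress
import json

# Constructed sample in the assumed layout of the published IP-range JSON
# (documentation-range prefixes, not real Azure addresses).
SAMPLE_FEED = json.dumps({
    "changeNumber": 2,
    "cloud": "Public",
    "values": [
        {"name": "AzureMonitor.WestEurope",  # assumed tag name
         "properties": {"region": "westeurope",
                        "addressPrefixes": ["203.0.113.0/25", "203.0.113.128/26",
                                            "198.51.100.0/24", "2001:db8:1::/48"]}},
        {"name": "Storage.WestEurope",
         "properties": {"region": "westeurope",
                        "addressPrefixes": ["192.0.2.0/24"]}},
    ],
})

def prefixes_for_tag(feed_text, tag_name):
    """Return the validated set of networks published for one service tag."""
    feed = json.loads(feed_text)
    for entry in feed["values"]:
        if entry["name"].lower() == tag_name.lower():
            # strict=True rejects prefixes with host bits set (malformed feed)
            return {ipaddress.ip_network(p, strict=True)
                    for p in entry["properties"]["addressPrefixes"]}
    raise KeyError(f"service tag {tag_name!r} not present in feed")

def plan_update(current_allow, feed_text, tag_name, max_change_ratio=0.5):
    """Diff the firewall's current allow list against the feed.

    Refuses to produce a plan when the change is unusually large, so a
    truncated or wrong download cannot silently rewrite the rule set.
    """
    current = {ipaddress.ip_network(p) for p in current_allow}
    wanted = prefixes_for_tag(feed_text, tag_name)
    to_add, to_remove = wanted - current, current - wanted
    if current and (len(to_add) + len(to_remove)) / len(current) > max_change_ratio:
        raise ValueError("change exceeds threshold; review manually")
    return sorted(map(str, to_add)), sorted(map(str, to_remove))

def is_allowed(source_ip, allow_list):
    """Check a webhook source address against the allow list."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(p) for p in allow_list)
```

The source-IP rule complements the token on the webhook URL rather than replacing it, so both checks apply to every request.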
