Power Platform
Power Apps
Power Automate
Power BI
Power Virtual Agents
Dataverse
AI Builder
Dynamics 365
Sales
Marketing
Customer Service
Field Services
Project Operations
Finance and Operations
Supply Chain
Retail Commerce
Business Central
HR
Microsoft 365
Microsoft Teams
Sharepoint
Office 365
Azure
Yesterday I’ve done a webcast detailing all the new features available in Dynamics 365 Business Central and I’ve also mentioned the possibility to manage traffic access restrictions to Dynamics 365 Business Central by using Azure Service Tags.
A service tag in Azure represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.
You can use service tags in place of specific IP addresses when you want to create security rules and routes and define network access controls on network security groups or Azure Firewall. By specifying the service tag name in the appropriate source or destination field of a security rule, you can allow or deny the traffic for the corresponding service.
Dynamics 365 Business Central now has its own service tag: Dynamics365BusinessCentral. If you query the Azure Service tag detail, it’s actually defined as follows:
{
"name": "Dynamics365BusinessCentral",
"id": "Dynamics365BusinessCentral",
"properties": {
"changeNumber": 5,
"region": "",
"regionId": 0,
"platform": "Azure",
"systemService": "Dynamics365BusinessCentral",
"addressPrefixes": [
"4.194.227.0/25",
"20.18.6.128/25",
"20.24.2.128/25",
"20.26.17.128/26",
"20.50.89.0/25",
"20.50.89.128/26",
"20.59.86.128/26",
"20.74.198.64/26",
"20.79.109.192/26",
"20.87.86.128/27",
"20.91.13.192/26",
"20.91.148.0/26",
"20.92.7.192/26",
"20.98.151.128/26",
"20.100.5.224/27",
"20.100.20.128/27",
"20.107.238.0/24",
"20.111.5.192/26",
"20.119.157.0/26",
"20.125.165.64/26",
"20.164.152.96/27",
"20.170.168.0/25",
"20.189.199.96/27",
"20.192.158.32/27",
"20.199.203.0/26",
"20.200.161.160/27",
"20.203.90.0/26",
"20.204.194.96/27",
"20.204.198.64/26",
"20.205.54.128/25",
"20.206.182.192/26",
"20.208.145.192/26",
"20.210.71.192/27",
"20.213.196.64/26",
"20.214.130.32/27",
"20.218.186.160/27",
"20.220.0.128/26",
"20.220.5.128/27",
"20.220.6.0/26",
"20.223.66.176/28",
"20.223.67.160/27",
"20.223.69.0/25",
"20.232.92.64/26",
"20.233.132.0/25",
"20.236.146.0/25",
"40.80.97.192/26",
"40.117.24.96/27",
"51.116.79.192/26",
"51.120.178.64/27",
"51.120.180.224/27",
"51.142.129.128/26",
"51.142.131.128/26",
"52.191.44.128/26",
"52.236.190.0/24",
"52.242.46.128/26",
"68.218.121.0/26",
"68.218.123.0/25",
"68.219.173.128/25"
],
"networkFeatures": [
"NSG",
"API"
]
}
}Please don’t rely on these IP addresses for your applications, because they can change!!! Service tags are used exactly to avoid relying on IP addresses. Please never do that!
By using this tag it’s now possible to restrict traffic to/from Business Central using your network security groups and firewalls. You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
To define a security rule for Dynamics 365 Business Central, in the Azure Portal select the Network Security Group and here create a new inbound or outbound policy by selecting Source = Service Tag and Source service tag = Dynamics365BusinessCentral:
Then you can define your rule.
This is a great addition when you have scenarios where you need to restrict traffic to your ERP or to external applications (for example restrict traffic coming to Dynamics 365 Business Central to a specific set of IP addresses).
