Power Community

Power Community

Azure Service Tags and Dynamics 365 Business Central

Yesterday I’ve done a webcast detailing all the new features available in Dynamics 365 Business Central and I’ve also mentioned the possibility to manage traffic access restrictions to Dynamics 365 Business Central by using Azure Service Tags.

A service tag in Azure represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.

You can use service tags in place of specific IP addresses when you want to create security rules and routes and define network access controls on network security groups or Azure Firewall. By specifying the service tag name in the appropriate source or destination field of a security rule, you can allow or deny the traffic for the corresponding service.

Dynamics 365 Business Central now has its own service tag: Dynamics365BusinessCentral. If you query the Azure Service tag detail, it’s actually defined as follows:

{
      "name": "Dynamics365BusinessCentral",
      "id": "Dynamics365BusinessCentral",
      "properties": {
        "changeNumber": 5,
        "region": "",
        "regionId": 0,
        "platform": "Azure",
        "systemService": "Dynamics365BusinessCentral",
        "addressPrefixes": [
          "4.194.227.0/25",
          "20.18.6.128/25",
          "20.24.2.128/25",
          "20.26.17.128/26",
          "20.50.89.0/25",
          "20.50.89.128/26",
          "20.59.86.128/26",
          "20.74.198.64/26",
          "20.79.109.192/26",
          "20.87.86.128/27",
          "20.91.13.192/26",
          "20.91.148.0/26",
          "20.92.7.192/26",
          "20.98.151.128/26",
          "20.100.5.224/27",
          "20.100.20.128/27",
          "20.107.238.0/24",
          "20.111.5.192/26",
          "20.119.157.0/26",
          "20.125.165.64/26",
          "20.164.152.96/27",
          "20.170.168.0/25",
          "20.189.199.96/27",
          "20.192.158.32/27",
          "20.199.203.0/26",
          "20.200.161.160/27",
          "20.203.90.0/26",
          "20.204.194.96/27",
          "20.204.198.64/26",
          "20.205.54.128/25",
          "20.206.182.192/26",
          "20.208.145.192/26",
          "20.210.71.192/27",
          "20.213.196.64/26",
          "20.214.130.32/27",
          "20.218.186.160/27",
          "20.220.0.128/26",
          "20.220.5.128/27",
          "20.220.6.0/26",
          "20.223.66.176/28",
          "20.223.67.160/27",
          "20.223.69.0/25",
          "20.232.92.64/26",
          "20.233.132.0/25",
          "20.236.146.0/25",
          "40.80.97.192/26",
          "40.117.24.96/27",
          "51.116.79.192/26",
          "51.120.178.64/27",
          "51.120.180.224/27",
          "51.142.129.128/26",
          "51.142.131.128/26",
          "52.191.44.128/26",
          "52.236.190.0/24",
          "52.242.46.128/26",
          "68.218.121.0/26",
          "68.218.123.0/25",
          "68.219.173.128/25"
        ],
        "networkFeatures": [
          "NSG",
          "API"
        ]
      }
    }

Please don’t rely on these IP addresses for your applications, because they can change!!! Service tags are used exactly to avoid relying on IP addresses. Please never do that!

By using this tag it’s now possible to restrict traffic to/from Business Central using your network security groups and firewalls. You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

To define a security rule for Dynamics 365 Business Central, in the Azure Portal select the Network Security Group and here create a new inbound or outbound policy by selecting Source = Service Tag and Source service tag = Dynamics365BusinessCentral:

Then you can define your rule.

This is a great addition when you have scenarios where you need to restrict traffic to your ERP or to external applications (for example restrict traffic coming to Dynamics 365 Business Central to a specific set of IP addresses).

This post was originally published on this site

- Advertisement -spot_img

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisement - Advertisement

Latest News

Relationships in Dataverse managed with Power Automate

In Dataverse you can create relationships between tables, but how do you manage the relationships from a flow in...

More Articles Like This

- Advertisement -spot_img