Automating Azure Storage Account IP Restrictions with Power Automate

When managing Azure Storage Accounts, it’s essential to control access by restricting allowed IP addresses. Manually updating these restrictions can be cumbersome, especially when dealing with frequently changing IP ranges. To address this challenge, I developed a Power Automate custom connector that automates fetching and processing Azure IP ranges using Microsoft’s Azure IP Ranges and Service Tags JSON files.

• Azure IP Ranges and Service Tags – Public Cloud
• Azure IP Ranges and Service Tags – US Government Cloud
• Azure IP Ranges and Service Tags – China Cloud

While my initial use case focused on automating Azure IP Ranges and Service Tags, this solution can also be adapted to work with custom lists of IP addresses. Many of the actions in this connector, such as reducing CIDR blocks and generating IP rules, can be applied to any list of IP addresses. This allows users to integrate their own IP management workflows and leverage the Azure Management API to dynamically update firewall rules.

I collaborated with Chris Chin to refine this idea, ultimately simplifying the process of updating storage account firewall rules dynamically.

The Challenge

I needed to update an Azure Storage Container’s IP restrictions to allow specific Azure service IPs. The IP addresses I required were within Microsoft’s downloadable JSON file for Azure IP Ranges and Service Tags (available here). The problem?

• The file name changes monthly, making it impossible to use a static link.
• The storage account IP restriction rules have a maximum CIDR prefix of /30, requiring filtering.
• The JSON file includes overlapping CIDR ranges, which needed optimization.
• Azure Storage Accounts only support 400 IP rules (limit reference), so it’s necessary to check for and eliminate overlapping CIDRs to reduce the number of rules.

The Solution: A Power Automate Custom Connector

To automate this process, I created a Power Automate custom connector that performs the following:

1. Fetches the latest download link from the Microsoft website by scraping the URL dynamically.
2. Downloads the JSON file and extracts the IP ranges associated with specified service tags.
3. Filters CIDR blocks to ensure no prefixes larger than /30 are included.
4. Reduces redundant CIDR ranges, keeping only the most efficient set.
5. Generates an array of IP Rules formatted for use in Azure Management API.
6. Updates the Azure Storage Account’s firewall rules using an HTTP PATCH request.

How It Works

The Power Automate flow consists of the following steps:

1. Retrieve the latest download URL using the GetDirectDownloadUrl action.
   
2. Extract service tags and IP addresses using the GetIPAddressesByServiceTag action.
   
3. Filter CIDR ranges using CIDRReducer, ensuring only /30 or smaller prefixes are included.  This action also included an output for Reduced Count, so you can check to make sure your IP addresses are less than 400 at this point.
   
4. Generate IP rules using GenerateIPRules, formatting them for Azure Storage firewall.
   
5. Compose the request body for the Azure Management API with defaultAction set to Deny and ipRules containing the allowed list.
   
6. Call the Azure Management API via an HTTP PATCH request to update the storage account settings.
   

Overall flow diagram generated using PowerDocu

API Call Example

To update the storage account firewall, I used the following API request:

PATCH https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}?api-version=2024-01-01

For GCC or GCCH, use:

PATCH https://management.usgovcloudapi.net/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}?api-version=2024-01-01

The authentication method used was App Registration, with the Storage Account Contributor role assigned.

Prerequisites

Before using this solution, you’ll need to set up an App Registration in Entra ID and assign it the necessary permissions on the Azure Storage Account.

1. Create an App Registration

1. Navigate to Entra Id in the Azure Portal.
2. Select App registrations > New registration.
3. Enter a name and select the appropriate supported account types.
4. Click Register.

2. Generate Client Credentials

1. In the App Registration, navigate to Certificates & secrets.
2. Click New client secret, enter a description, and set an expiration date.
3. Copy the generated secret value (it won’t be shown again).

3. Assign Role to the Storage Account

1. Navigate to your Azure Storage Account.
2. Go to Access Control (IAM) > Role assignments.
3. Click Add role assignment.
4. Select Storage Account Contributor.
5. Assign the role to your App Registration.

Once set up, this App Registration will authenticate API calls to update storage firewall rules.

Deploying the Connector in Power Platform

You can install this solution by downloading and importing the provided solution file or by manually using the PACONN or PAC CLI tools.

1. Install Using Solution File

You can directly download and import the Power Platform solution file:

• Download Solution File: AzureIPAddressesCustomConnector_1_0_0_1.zip
• Import into Power Automate:
  1. Go to Power Apps > Solutions.
  2. Click Import Solution.
  3. Upload the downloaded .zip file.
  4. Follow the prompts to complete the import.

2. Manually Import Using PACONN

If you prefer using the PACONN CLI tool, follow these steps:

• Install the Power Platform CLI (paconn) following this guide.
• Use the following command to import the connector:

  paconn create --api-definition apiDefinition.swagger.json --icon icon.png --script script.c
  

  This connector includes a code file, so you must use the --script option.

3. Manually Import Using PAC CLI

Alternatively, you can use the Power Platform CLI (PAC CLI):

• Install the PAC CLI following this guide.
• Use the following command:

  pac connector create --api-definition apiDefinition.swagger.json --script-file script.c
  

  The --script-file option is required since this connector includes a custom script.

👉 GitHub Repository

Conclusion

By leveraging Power Automate and a custom connector, I eliminated the need for manual updates to Azure Storage firewall rules. This solution dynamically fetches the latest IP ranges, optimizes CIDR blocks, and seamlessly updates the storage account via API—all without requiring user intervention.

Big thanks to Chris Chin for helping refine this approach!

Original Post http://www.richardawilson.com/2025/03/automating-azure-storage-account-ip.html