DNS records for Azure regions used by Azure Automation
The Azure Automation service uses a number of DNS records for features to connect to the service. If you have an Automation account that's defined for a specific region, you can restrict communication to that regional datacenter. You might need to know these records to allow the following Automation features to work when it is hosted behind a firewall:
- Hybrid Runbook Worker
- State Configuration
- Webhooks
Note
Linux Hybrid Runbook Worker registration will fail with the new records unless it is version 1.6.10.2 or higher. You must upgrade to a newer version of the Log Analytics agent for Linux in order for the machine to receive an updated version of the worker role and use these new records. Existing machines will continue working without any issues.
DNS records per region
The following table provides the DNS record for each region.
Support for Private Link
To support Private Link in Azure Automation, the DNS records for every supported datacenter have been updated. Instead of region-specific URLs, the URLs are Automation account specific.
| Region | DNS record |
|---|---|
| China East 2 | https://<accountId>.webhook.sha2.azure-automation.cnhttps://<accountId>.agentsvc.sha2.azure-automation.cnhttps://<accountId>.jrds.sha2.azure-automation.cn |
| China North | https://<accountId>.webhook.bjb.azure-automation.cnhttps://<accountId>.agentsvc.bjb.azure-automation.cnhttps://<accountId>.jrds.bjb.azure-automation.cn |
| China North 2 | https://<accountId>.webhook.bjs2.azure-automation.cnhttps://<accountId>.agentsvc.bjs2.azure-automation.cnhttps://<accountId>.jrds.bjs2.azure-automation.cn |
Replace <accountId> in the DNS record with GUID representing your Automation Account ID from the value URL. You can get the ID required from Keys under Account Settings in the Azure portal.
Copy the value after accounts/ from the URL field - https://<GUID>.agentsvc.<region>.azure-automation.cn/accounts/<GUID>
Note
All of the Webhook and agentservice DNS records have been updated to the new style DNS records to support Private Link. For JRDS DNS records, both old and new style DNS records are supported. If you are not using Private Link, you will see the old style DNS records, while those using Private Link will see new style of DNS records.
We recommend that you use the addresses listed when defining exceptions. For a list of region IP addresses instead of region names, download the JSON file from the Microsoft Download Center:
The IP address file lists the IP address ranges that are used in the Azure datacenters. It includes compute, SQL, and storage ranges, and reflects currently deployed ranges and any upcoming changes to the IP ranges. New ranges that appear in the file aren't used in the datacenters for at least one week.
It's a good idea to download the new IP address file every week. Then, update your site to correctly identify services running in Azure.
Note
If you're using Azure ExpressRoute, remember that the IP address file is used to update the Border Gateway Protocol (BGP) advertisement of Azure space in the first week of each month.
Next steps
To learn how to troubleshoot your Hybrid Runbook Workers, see Troubleshoot Hybrid Runbook Worker issues.
To learn how to troubleshoot issues with State Configuration, see Troubleshoot State Configuration issues.