DNS records for Azure regions used by Azure Automation

The Azure Automation service uses many DNS (Domain Name System) records for features to connect to the service. If you have an Automation account configured for a specific region, you can restrict communication to that regional datacenter. You might need to know these records to allow the following Automation features to work when it's hosted behind a firewall:

  • Hybrid Runbook Worker
  • State Configuration
  • Webhooks

Note

Linux Hybrid Runbook Worker registration will fail with the new records unless it is version 1.6.10.2 or higher. You must upgrade to a newer version of the Log Analytics agent for Linux in order for the machine to receive an updated version of the worker role and use these new records. Existing machines will continue working without any issues.

DNS records per region

The following table provides the DNS record for each region.

To support Private Link in Azure Automation, the DNS records for every supported datacenter have been updated. Instead of region-specific URLs, the URLs are Automation account specific.

Region DNS record Location Code
China East 2 https://<accountId>.webhook.sha2.azure-automation.cn
https://<accountId>.agentsvc.sha2.azure-automation.cn
https://<accountId>.jrds.sha2.azure-automation.cn
sha2
China North https://<accountId>.webhook.bjb.azure-automation.cn
https://<accountId>.agentsvc.bjb.azure-automation.cn
https://<accountId>.jrds.bjb.azure-automation.cn
bjb
China North 2 https://<accountId>.webhook.bjs2.azure-automation.cn
https://<accountId>.agentsvc.bjs2.azure-automation.cn
https://<accountId>.jrds.bjs2.azure-automation.cn
bjs2
China North 3 https://<accountId>.webhook.cnn3.azure-automation.cn
https://<accountId>.agentsvc.cnn3.azure-automation.cn
https://<accountId>.jrds.cnn3.azure-automation.cn
cnn3

Replace <accountId> in the DNS record with GUID representing your Automation Account ID from the value URL. You can get the ID required from Keys under Account Settings in the Azure portal.

Automation account primary key page

Copy the value after accounts/ from the URL field - https://<GUID>.agentsvc.<region>.azure-automation.cn/accounts/<GUID>

Note

All of the Webhook and agentservice DNS records have been updated to the new style DNS records to support Private Link. For JRDS DNS records, both old and new style DNS records are supported. If you are not using Private Link, you will see the old style DNS records, while those using Private Link will see new style of DNS records.

We recommend that you use the addresses listed when defining exceptions. For a list of region IP addresses instead of region names, download the JSON file from the Microsoft Download Center:

The IP address file lists the IP address ranges that are used in the Azure datacenters. It includes compute, SQL, and storage ranges, and reflects currently deployed ranges and any upcoming changes to the IP ranges. New ranges that appear in the file aren't used in the datacenters for at least one week.

It's a good idea to download the new IP address file every week. Then, update your site to correctly identify services running in Azure.

Note

If you're using Azure ExpressRoute, remember that the IP address file is used to update the Border Gateway Protocol (BGP) advertisement of Azure space in the first week of each month.

Next steps