Azure OIDC IP Automation for GitHub Enterprise

Our organization leverages Azure Entra ID to manage federated authentication for critical services, including AWS SSO and our self-hosted GitHub Enterprise instance. We faced a persistent operational challenge where developer access to GitHub Enterprise was frequently blocked. The root cause was the dynamic and non-region-specific nature of the IP addresses used by Azure’s OIDC service, which conflicted with our AWS WAF security rules.

To resolve this, I developed a fully automated solution to dynamically update our WAF rules with Azure’s current IP ranges, ensuring seamless and secure access.


Tech Stack

  • Cloud Services: AWS Lambda, AWS WAF
  • Languages & Libraries: Python, Requests, BeautifulSoup

The Automated Solution

The solution extends our existing Infrastructure as Code (IaC) setup, which is managed in AWS CDK (TypeScript). The core of the project is a Python-based AWS Lambda function that runs when the AWS Pipeline executes.

The automation process works as follows:

  1. Scrape for the IP List URL: Unlike AWS, which provides a static URL for its IP ranges, Microsoft publishes its list on a webpage where the direct download link changes with each update. My script first sends an HTTP request to this main download page using the Requests library.
  2. Parse the HTML: It then uses BeautifulSoup to parse the page’s HTML, locate all <a> tags, and extract the specific URL for the latest JSON file containing the IP address list.
  3. Filter the IP Ranges: Once the JSON file is downloaded, the script executes a JQ query to parse the large dataset. It filters for IP addresses tagged specifically with the AzureCloud service, ensuring we only whitelist the necessary ranges.
  4. Update the WAF IP Set: The final, filtered list of IP addresses is then passed to a pre-existing function that programmatically updates the designated IP Set in AWS WAF. This IP Set is attached to the WAF protecting our GitHub Enterprise instance.
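The four steps above as an added example in standard-library Python (not the project's own Lambda code): the download page and the Service Tags JSON are constructed samples, html.parser stands in for BeautifulSoup, the jq filter is re-expressed in Python, and the WAF step uses boto3's real get_ip_set/update_ip_set calls on a client passed in by the caller; the IP set name, id and scope are placeholders.

```python
import ipaddress
import json
from html.parser import HTMLParser

# Constructed stand-in for Microsoft's download page (not the real HTML).
SAMPLE_PAGE = """<html><body>
<a href="/en-us/download/details.aspx?id=56519">Details</a>
<a href="https://download.example.invalid/ServiceTags_Public_20250101.json">Download</a>
</body></html>"""
# Constructed excerpt in the Service Tags JSON layout; prefixes are documentation ranges.
SAMPLE_TAGS = json.dumps({"values": [
    {"name": "AzureCloud", "properties": {"addressPrefixes": [
        "198.51.100.0/24", "2603:1000::/25", "not-a-cidr", "192.0.2.0/24"]}},
    {"name": "AzureCloud.eastus", "properties": {"addressPrefixes": ["203.0.113.0/24"]}},
    {"name": "Storage", "properties": {"addressPrefixes": ["203.0.113.128/25"]}},
]})

class _LinkFinder(HTMLParser):
    """Collects href values of <a> tags that point at a .json file."""
    def __init__(self):
        super().__init__()
        self.json_links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().endswith(".json"):
            self.json_links.append(href)

def find_json_url(page_html):
    """Step 2: first .json link on the download page, or None if there is none."""
    finder = _LinkFinder()
    finder.feed(page_html)
    return finder.json_links[0] if finder.json_links else None

def azurecloud_ipv4_prefixes(tags_json, tag_name="AzureCloud"):
    """Step 3: jq '.values[] | select(.name=="AzureCloud") | .properties.addressPrefixes[]'
    narrowed to valid IPv4 CIDRs, because an IPv4 WAF IP set rejects IPv6 and bad strings."""
    out = set()
    for entry in json.loads(tags_json)["values"]:
        if entry["name"] != tag_name:       # exact match skips AzureCloud.<region> tags
            continue
        for prefix in entry["properties"]["addressPrefixes"]:
            try:
                net = ipaddress.ip_network(prefix, strict=True)
            except ValueError:
                continue                    # not a CIDR: never push it to the WAF
            if net.version == 4:
                out.add(str(net))
    return sorted(out)

def update_waf_ip_set(client, name, ip_set_id, scope, addresses):
    """Step 4: WAFv2 update_ip_set needs the current LockToken from get_ip_set."""
    current = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    return client.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                                Addresses=addresses, LockToken=current["LockToken"])
```

Validating every prefix with ipaddress before calling the WAF means one malformed or IPv6 entry in the upstream file is dropped rather than failing the whole update and leaving the IP set stale.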

Challenges & Lessons Learned

A key technical hurdle was bypassing the connection blocking on Microsoft’s download page. The server rejected standard programmatic requests, which I resolved by correctly configuring the User-Agent header in my Python script to mimic a legitimate browser session.

Crafting the JQ query was also a valuable learning experience. The complexity of the JSON data required a precise filter to isolate the correct IP ranges without being overly permissive, thereby strengthening my skills in advanced data manipulation.


Outcomes & Impact

The result is a robust, serverless function that guarantees our WAF rules are always synchronized with Azure’s active IP addresses.

  • Increased Reliability: The solution has eliminated access-related disruptions for our development teams, ensuring consistent availability of GitHub Enterprise.
  • Reduced Operational Overhead: It has completely automated a previously manual and time-consuming task, freeing up engineering resources.
  • Enhanced Security Posture: By dynamically maintaining a precise whitelist, we ensure our security rules are neither too restrictive (blocking access) nor too permissive (exposing the system to unnecessary risk).

2025
