Merge pull request #310867 from domainname/main

prmerger-automator[bot] · web-flow · commit 76714863e977 · 2026-01-26T22:21:38.000Z
Azure Spring Apps - Update RP outbound IPs
diff --git a/articles/spring-apps/basic-standard/how-to-custom-domain.md b/articles/spring-apps/basic-standard/how-to-custom-domain.md
@@ -33,16 +33,13 @@ Certificates encrypt web traffic. These TLS/SSL certificates can be stored in Az
 
 ## Key Vault private link considerations
 
-The IP addresses for Azure Spring Apps management aren't yet part of the Azure Trusted Microsoft services. Therefore, to enable Azure Spring Apps to load certificates from a Key Vault protected with private endpoint connections, you must add the IP addresses of Azure Spring Apps control plane **AND** the service tag to Azure Key Vault firewall.
+The IP addresses for Azure Spring Apps management aren't yet part of the Azure Trusted Microsoft services. Therefore, to enable Azure Spring Apps to load certificates from a Key Vault protected with private endpoint connections, you must add the IP addresses of Azure Spring Apps control plane **or** the service tag to Azure Key Vault firewall.
 
 | Cloud    | IP Addresses                                                 | Service Tag                                  |
 | -------- | ------------------------------------------------------------ | -------------------------------------------- |
-| Public   | - `20.99.204.111`<br/>- `20.201.9.97`<br/>- `20.74.97.5`<br/>- `52.235.25.35`<br/>- `20.194.10.0`<br/>- `20.59.204.46`<br/>- `104.214.186.86`<br/>- `52.153.221.222`<br/>- `52.160.137.39`<br/>- `20.39.142.56`<br/>- `20.199.190.222`<br/>- `20.79.64.6`<br/>- `20.211.128.96`<br/>- `52.149.104.144`<br/>- `20.197.121.209`<br/>- `40.119.175.77`<br/>- `20.108.108.22`<br/>- `102.133.143.38`<br/>- `52.226.244.150`<br/>- `20.84.171.169`<br/>- `20.93.48.108`<br/>- `20.75.4.46`<br/>- `20.78.29.213`<br/>- `20.106.86.34`<br/>- `20.193.151.132` | `SystemServiceAzureSpringAppsResourceProvider` |
+| Public   | - `4.186.89.33`<br/>- `4.160.57.129`<br/>- `4.191.124.229`<br/>- `4.182.146.65`<br/>- `172.213.203.129`<br/>- `48.210.102.65`<br/>- `4.230.169.161`<br/>- `4.195.181.97`<br/>- `4.204.23.33`<br/>- `48.211.55.36`<br/>- `40.84.117.225`<br/>- `135.224.49.225`<br/>- `4.208.161.161`<br/>- `4.222.212.225`<br/>- `57.155.138.97`<br/>- `135.225.68.129`<br/>- `74.242.224.129`<br/>- `74.243.196.97`<br/>- `172.187.45.193`<br/>- `72.154.50.1`<br/>- `68.218.188.65`<br/>- `4.229.70.193`<br/>- `48.214.139.1`<br/>- `4.178.163.129`<br/>- `72.147.143.225`<br/>- `74.242.38.225`<br/>- `4.158.183.225`<br/>- `48.209.101.161`<br/>- `172.178.153.65`<br/>- `57.154.102.161` | `SystemServiceAzureSpringAppsResourceProvider` |
 | Mooncake | - `52.131.254.89`<br/>- `52.131.41.48`<br/>- `159.27.26.25`  | N/A                                          |
 
-> [!NOTE]
-> For security compliance, Azure Spring Apps is going to replace these IP addresses in the public cloud with new IP addresses tagged with `SystemServiceAzureSpringAppsResourceProvider`. To avoid service disruption, add the service tag in your firewall as soon as possible.
-
 ## Import certificate
 
 ### Prepare your certificate file in PFX (optional)
diff --git a/articles/virtual-network/service-tags-overview.md b/articles/virtual-network/service-tags-overview.md
@@ -148,6 +148,7 @@ By default, service tags reflect the ranges for the entire cloud. Some service t
 | **[Storage](/azure/storage/file-sync/file-sync-networking-overview#configuring-firewalls-and-service-tags)** | Azure Storage. <br/><br/>**Note**: This tag represents the service, but not specific instances of the service. For example, the tag represents the Azure Storage service, but not a specific Azure Storage account. | Outbound | Yes | Yes |
 | **[StorageSyncService](/azure/storage/file-sync/file-sync-networking-overview#configuring-firewalls-and-service-tags)** | Storage Sync Service. | Both | No | Yes |
 | **StorageMover** | Storage Mover. | Outbound | Yes | Yes |
+| **[SystemServiceAzureSpringAppsResourceProvider](../spring-apps/basic-standard/how-to-custom-domain.md?tabs=Azure-portal#key-vault-private-link-considerations)** | Azure Spring Apps.<br/><br/>This tag represents the IP addresses used for Azure Spring Apps Resource Provider outbound traffic. | Inbound | Yes | Yes |
 | **[WindowsAdminCenter](/windows-server/manage/windows-admin-center/azure/manage-vm#networking-requirements)** | Allow the Windows Admin Center backend service to communicate with customers' installation of Windows Admin Center. | Outbound | No | Yes |
 | **[WindowsVirtualDesktop](/azure/virtual-desktop/required-fqdn-endpoint?tabs=azure#service-tags-and-fqdn-tags)** | Azure Virtual Desktop (formerly Windows Virtual Desktop). | Both | No | Yes |
 | **[VideoIndexer](/azure/azure-video-indexer/network-security)** | Video Indexer.</br> Used to allow customers opening up their NSG to Video Indexer service and receive callbacks to their service. | Both | No | Yes |
