When you set up an Azure feed in Google SecOps, you copy a credential into the feed config: a storage account key, or an Event Hub connection string. By default that credential has a problem: no IP restriction, no expiry, and full rights to the resource it came from (a storage account key grants everything on the account; an Event Hub connection string carries whatever rights its shared access policy has, and the default root policy has Manage).
So if it ever leaks — a screenshot in a ticket, an old wiki page, a CI log — anyone who finds it can use it from anywhere on the internet until you rotate it.
The fix is simple: put a network firewall on the Azure resource and only allow Google's IP ranges through.
After that the credential still works and your feed keeps running, but it is useless to anyone outside Google's address space, which removes most of the opportunistic risk. Two caveats: goog.json is Google's whole public address space, including the ranges handed out to Google Cloud customers, so a leaked credential is still usable from any GCP VM and still has to be rotated if it leaks; and the firewall blocks you too, so add your own admin IPs (or a VNet rule or private endpoint) before you lock it down, or your portal and tooling access to the data stops working.
How it works, in three moves:
- Turn on the Azure firewall (deny by default) on the Storage Account or Event Hub Namespace that backs your feed.
- Allow-list Google's published IP ranges from https://www.gstatic.com/ipranges/goog.json.
- Set up a monthly refresh, because that list changes over time.
I wrote a full walkthrough that covers both feed types (Storage and Event Hubs), the portal + CLI + PowerShell commands, and an optional automation runbook that automatically keeps the allow-list in sync for you.
Full guide here: https://blueaisecurity.com/hardening-azure-feeds-into-google-secops
Hope it's useful — happy to answer questions.
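The second and third moves above (build the allow-list from goog.json, then keep it in sync) as an added Python example; this is not code from the post or from the linked guide. The goog.json snippet, the current-rules list, the resource group and account names are constructed, and the exact `az` flags are assumptions to verify against `az storage account network-rule --help` and `az eventhubs namespace network-rule-set ip-rule --help` on your CLI version. It goes a little beyond the post by diffing against the rules already on the resource, skipping your own admin IPs so a refresh never removes them, and folding /31 and /32 prefixes into single addresses, which Azure storage firewall rules require.

```python
"""Derive the Azure allow-list for a Google SecOps feed from goog.json and diff it
against the rules already on the resource. Added example: the sample JSON, rule
list, names and az flags are assumptions, not the post's or the guide's code."""
import ipaddress
import json

# Constructed sample in the shape of https://www.gstatic.com/ipranges/goog.json.
# The RFC 1918 entry never appears in the real file; it is here to exercise the filter.
SAMPLE_GOOG_JSON = """{
  "syncToken": "0000000000000",
  "creationTime": "2024-01-01T00:00:00.000000",
  "prefixes": [
    {"ipv4Prefix": "8.8.4.0/24"},
    {"ipv4Prefix": "8.8.8.0/24"},
    {"ipv6Prefix": "2001:4860::/32"},
    {"ipv4Prefix": "34.64.0.0/10"},
    {"ipv4Prefix": "142.250.0.1/32"},
    {"ipv4Prefix": "10.0.0.0/8"}
  ]
}"""

# Constructed: what `az storage account network-rule list` (ipRules[].ipAddressOrRange)
# might report today. One Google range is stale, one entry is an admin's own IP.
CURRENT_RULES = ["8.8.8.0/24", "35.190.0.0/17", "198.51.100.17"]
ADMIN_RULES = {"198.51.100.17"}  # not Google's; a refresh must never remove these


def azure_rule_forms(net):
    """Azure storage IP rules reject /31 and /32 CIDRs; list those as single addresses."""
    if net.prefixlen >= 31:
        return [str(addr) for addr in net]
    return [str(net)]


def desired_ipv4_rules(goog_json_text):
    """Allow-list entries derived from goog.json. IPv6 entries are skipped because
    this example assumes IPv4-only firewall rules; non-public ranges are dropped
    because Azure firewalls only accept public ranges anyway."""
    rules = set()
    for entry in json.loads(goog_json_text)["prefixes"]:
        prefix = entry.get("ipv4Prefix")
        if not prefix:
            continue
        net = ipaddress.ip_network(prefix, strict=False)
        if not net.is_global:
            continue
        rules.update(azure_rule_forms(net))
    return rules


def plan_changes(desired, current, keep=frozenset()):
    """Return (to_add, to_remove). Entries in `keep` are never scheduled for removal,
    so the monthly refresh cannot lock out your own admin addresses."""
    current = set(current)
    to_add = sorted(desired - current)
    to_remove = sorted(current - desired - set(keep))
    return to_add, to_remove


def az_commands(to_add, to_remove, rg, name, target="storage"):
    """Render the az CLI calls for the plan for a Storage Account ("storage") or an
    Event Hubs namespace ("eventhubs"). Flag names are assumptions; check --help."""
    if target == "storage":
        base = (f"az storage account network-rule {{op}} -g {rg} "
                f"--account-name {name} --ip-address {{rule}}")
    elif target == "eventhubs":
        base = (f"az eventhubs namespace network-rule-set ip-rule {{op}} -g {rg} "
                f"--namespace-name {name} --ip-rule ip-address={{rule}} action=Allow")
    else:
        raise ValueError(f"unknown target {target!r}")
    cmds = [base.format(op="add", rule=r) for r in to_add]
    cmds += [base.format(op="remove", rule=r) for r in to_remove]
    return cmds


if __name__ == "__main__":
    add, remove = plan_changes(desired_ipv4_rules(SAMPLE_GOOG_JSON),
                               CURRENT_RULES, keep=ADMIN_RULES)
    for cmd in az_commands(add, remove, "rg-secops", "stsecopsfeed"):
        print(cmd)
```

Run it against the real files by replacing the two constants with the body of a fresh `curl` of goog.json and the live `az ... network-rule list` output; the script prints the commands rather than executing them, so the monthly refresh can be reviewed (or gated on a small diff) before anything touches the firewall.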

