3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -12,6 +12,7 @@ A Python utility that retrieves, processes, and organizes the official [Databric
- Processes and organizes IP ranges by **cloud** (AWS, Azure, GCP) and **type** (inbound / outbound)
- Creates individual text files per cloud and type (e.g. `aws.txt`, `azure-outbound.txt`, `gcp.txt`)
- **Per-region feeds** at `<cloud>-<region>.txt` (e.g. `aws-us-east-1.txt`, `azure-eastus.txt`) — emitted only when the region has ≥1 CIDR, so consumers can scope firewall rules to their actual workspace regions without parsing JSON
- **Per-region + direction feeds** at `<cloud>-<region>-<inbound|outbound>.txt` (e.g. `aws-us-east-1-outbound.txt`, `azure-eastus-outbound.txt`) — emitted only when that region+direction has ≥1 CIDR, ideal for targets that accept only one direction (Azure Storage Account network rules, AWS KMS key policies)
- Format compatible with **Palo Alto Networks (PA)** devices (one CIDR per line)
- **Terraform module** at [`terraform/`](terraform/) — exposes the per-region CIDR list as a sorted, deduplicated output you can wire into any TF resource (managed prefix list, IP group, storage account network rules, Cloud SQL authorized networks, etc.). No new compute infrastructure required.
- Maintains a history of JSON files
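Review bot: the new "Per-region + direction feeds" bullet names Azure Storage Account network rules and AWS KMS key policies as one-direction targets but never says which direction; the guide note added in this same PR says only outbound CP IPs apply there, so state it in the bullet too, e.g. "ideal for targets that accept only one direction (outbound, as for Azure Storage Account network rules and AWS KMS key policies)". Separately, the unchanged Terraform bullet still describes the module as exposing "the per-region CIDR list"; say whether it also exposes the direction-scoped variant, or note that it does not yet, so readers do not assume the module tracks the new feed.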
Expand Down Expand Up @@ -79,7 +80,7 @@ python extract-databricks-ips.py --cloud aws --region us-east-1,eu-west-1 --outp

## Implementation Notes

The script produces output in a format compatible with Palo Alto Networks (PA) devices. Each cloud/type combination is available as a separate TXT file (e.g. `aws-outbound.txt`, `azure.txt`) for easy import into firewall rules or automation. Per-region feeds (`<cloud>-<region>.txt`) let consumers scope to their actual workspace regions — recommended in production to avoid allowlisting the entire cloud.
The script produces output in a format compatible with Palo Alto Networks (PA) devices. Each cloud/type combination is available as a separate TXT file (e.g. `aws-outbound.txt`, `azure.txt`) for easy import into firewall rules or automation. Per-region feeds (`<cloud>-<region>.txt`) let consumers scope to their actual workspace regions — recommended in production to avoid allowlisting the entire cloud. Per-region + direction feeds (`<cloud>-<region>-<inbound|outbound>.txt`) further narrow the rule set for targets that only accept one direction (e.g. Azure Storage Account network rules, AWS KMS key policies).

For production-grade guidance on automating firewall rule updates across AWS, Azure, GCP, and Palo Alto Networks — including Lambda/Function App code, Managed Prefix Lists, IP Groups, Hierarchical Firewall Policies, EDL configuration, and Terraform patterns — see:

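Review bot: the rewritten paragraph says per-region and per-region + direction files "narrow the rule set" but, together with the feature list's "emitted only when that region+direction has ≥1 CIDR", leaves open what a consumer should do when the file it asks for does not exist. An automation that fetches `<cloud>-<region>-inbound.txt`, gets a 404 and treats the response body as the new allowlist would apply an empty rule set. Suggest one sentence here such as "A missing per-region or direction file means that slice currently has no CIDRs; automation should treat a 404 as 'no ranges' explicitly and any other fetch failure as an error, never as an empty list."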
5 changes: 4 additions & 1 deletion docs/firewall-automation-guide.md
Expand Up @@ -55,10 +55,13 @@ Updated weekly by the GitHub Action in this repo. Direct download:
| Per cloud (all regions) | `…/output/<cloud>.txt` — `aws.txt`, `azure.txt`, `gcp.txt` |
| Per cloud, by direction | `…/output/<cloud>-<inbound\|outbound>.txt` |
| **Per region** (recommended) | `…/output/<cloud>-<region>.txt` — e.g. `aws-us-east-1.txt`, `azure-eastus.txt`, `gcp-us-central1.txt` |
| **Per region + direction** (tightest scope) | `…/output/<cloud>-<region>-<inbound\|outbound>.txt` — e.g. `aws-us-east-1-outbound.txt`, `azure-eastus-outbound.txt`, `gcp-us-central1-outbound.txt` |

Base URL: `https://bhavink.github.io/databricksIPranges`. One CIDR per line — drop it straight into a Lambda, Function, EDL, or firewall config.

> Per-region files are emitted only when the region has ≥1 CIDR. Browse [output/](https://bhavink.github.io/databricksIPranges/output/) for the live list, or `--list-regions --cloud <cloud>` via the CLI.
> Per-region and per-region+direction files are emitted only when that slice has ≥1 CIDR. Browse [output/](https://bhavink.github.io/databricksIPranges/output/) for the live list, or `--list-regions --cloud <cloud>` via the CLI.
>
> **When to pick which:** use the combined `<cloud>-<region>.txt` unless your target only accepts one direction. **Azure Storage Account network rules** and **AWS KMS key policies** are common cases where only outbound CP IPs apply — pin those to `<cloud>-<region>-outbound.txt` to keep the rule set tight.

### Option B — `extract-databricks-ips.py` (programmatic, region-scoped)

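Review bot: the added "When to pick which" blockquote asserts that only outbound CP IPs apply to Azure Storage Account network rules and AWS KMS key policies but gives the reader no way to verify it, and a reader choosing the combined `<cloud>-<region>.txt` instead would silently allowlist the inbound ranges on a storage firewall or key policy as well. Link the site's "Inbound vs outbound IPs" section (the `docs/index.html` heading touched later in this PR) or the official Databricks IP/domain docs from that sentence, and consider adding the corresponding example rows to the table so the outbound file is the obvious choice for those two targets. Table syntax is fine: the escaped `\|` inside the code span matches the existing row above it.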
9 changes: 5 additions & 4 deletions docs/index.html
Expand Up @@ -18,12 +18,12 @@
</head>
<body>
<h1>Databricks IP Ranges – AWS, Azure, GCP</h1>
<div class="last-updated">🕐 Last updated: 2026-06-01 04:45:49 UTC</div>
<div class="last-updated">🕐 Last updated: 2026-06-01 14:58:32 UTC</div>

<h2>Source JSON Files</h2>
<p><strong>Revision / schema version:</strong> 1.0</p>
<p><strong>Live:</strong> <a href="https://www.databricks.com/networking/v1/ip-ranges.json">ip-ranges.json</a> — machine-readable IP ranges (AWS, Azure, GCP). <strong>Docs:</strong> <a href="https://docs.databricks.com/aws/en/resources/ip-domain-region">AWS</a> · <a href="https://learn.microsoft.com/en-us/azure/databricks/resources/ip-domain-region">Azure</a> · <a href="https://docs.databricks.com/gcp/en/resources/ip-domain-region">GCP</a></p>
<p><strong>Latest snapshot on this site:</strong> <a href="json-history/ip-ranges-20260601-0445.json">ip-ranges-20260601-0445.json</a></p>
<p><strong>Latest snapshot on this site:</strong> <a href="json-history/ip-ranges-20260601-1458.json">ip-ranges-20260601-1458.json</a></p>
<p><strong>Previous JSON versions:</strong> <a href="json-history/">View JSON History</a></p>

<h2>Inbound vs outbound IPs</h2>
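Review bot: the "Last updated" timestamp and "Latest snapshot" link changes in this hunk (and the matching "Generated on" line in the last hunk of this file) are generator output from a run, not part of the documentation change, and bundling them here ties the doc revision to a specific snapshot and makes the diff noisier to review. Prefer letting the GitHub Action commit regenerated lines on its own, or state in the PR description that these lines came from a run rather than a hand edit.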
Expand All @@ -48,8 +48,9 @@ <h2>Palo Alto Networks Ready Files</h2>
<ul>
<li><strong>Cloud + type</strong> — <code>aws.txt</code>, <code>aws-inbound.txt</code>, <code>aws-outbound.txt</code>, <code>azure.txt</code>, <code>gcp.txt</code></li>
<li><strong>Cloud + region</strong> — <code>aws-us-east-1.txt</code>, <code>azure-eastus.txt</code>, <code>gcp-us-central1.txt</code> (emitted only when the region has ≥1 CIDR)</li>
<li><strong>Cloud + region + direction</strong> — <code>aws-us-east-1-outbound.txt</code>, <code>azure-eastus-inbound.txt</code>, <code>gcp-us-central1-outbound.txt</code> (emitted only when that region+direction has ≥1 CIDR)</li>
</ul>
<p>Use the per-region files in production to scope firewall rules to your actual workspace regions instead of allowlisting the entire cloud. Download the file you need and import it into your PA firewall configuration, EDL, AWS Managed Prefix List, Azure IP Group, or GCP Firewall Policy.</p>
<p>Use the per-region files in production to scope firewall rules to your actual workspace regions instead of allowlisting the entire cloud. The direction-scoped per-region files are the right fit when the target only accepts one direction — e.g. <strong>Azure Storage Account network rules</strong> (outbound CP IPs) or <strong>AWS KMS key policies</strong> (outbound CP IPs). Download the file you need and import it into your PA firewall configuration, EDL, AWS Managed Prefix List, Azure IP Group, or GCP Firewall Policy.</p>

<h2>Automation-Friendly Design</h2>
<p>This page was created to simplify the integration of Databricks IP ranges into firewalls. The project provides a static link to the latest JSON and per-cloud TXT files so you can automate allowlisting without parsing the official API response each time.</p>
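Review bot: in the new paragraph "(outbound CP IPs)" is repeated after each example; say it once, e.g. "Azure Storage Account network rules or AWS KMS key policies, both of which see only outbound CP IPs", and expand "CP" to "control plane" on first use, since none of the changed lines in this PR define the abbreviation and the page is aimed at firewall operators who may not know Databricks terminology. The new `<li>` is consistent with the other two in wording and the "≥1 CIDR" qualifier.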
Expand All @@ -71,7 +72,7 @@ <h2>Databricks IP Ranges Script</h2>
<h2>Contact</h2>
<p><a href="https://www.linkedin.com/in/bhavink">Connect on LinkedIn</a> · <a href="https://github.com/bhavink/databricksIPranges">Reach on GitHub</a></p>

<p class="meta">Generated on 2026-06-01 04:45:49 UTC by GitHub Automation</p>
<p class="meta">Generated on 2026-06-01 14:58:32 UTC by GitHub Automation</p>
<div class="disclaimer">This page, its contents, and the associated repository are provided "AS IS" without warranty of any kind. Please refer to the README in the repository for the full disclaimer.</div>
</body>
</html>
4 changes: 3 additions & 1 deletion docs/json-history/index.html
Expand Up @@ -6,14 +6,16 @@
<h1>JSON History</h1>
<p>Snapshot of the official Databricks IP ranges JSON per run. Click to download.</p>
<div class="nav">
<strong>Looking for ready-to-use IP feeds?</strong> The current published feeds — including <strong>per-region</strong> files like <code>aws-us-east-1.txt</code>, <code>azure-eastus.txt</code>, <code>gcp-us-central1.txt</code> — are at <a href="../output/">output/</a>. Use those for live firewall configs.
<strong>Looking for ready-to-use IP feeds?</strong> The current published feeds — including <strong>per-region</strong> files like <code>aws-us-east-1.txt</code>, <code>azure-eastus.txt</code>, <code>gcp-us-central1.txt</code>, and <strong>per-region + direction</strong> variants like <code>aws-us-east-1-outbound.txt</code> — are at <a href="../output/">output/</a>. Use those for live firewall configs.
<br/><br/>
<em>This page</em> archives the raw <code>ip-ranges.json</code> from each run, useful for point-in-time rollback (e.g. PA EDL) and audit.
</div>
<ul>
<li><a href="ip-ranges-20260601-1458.json">ip-ranges-20260601-1458.json</a></li>
<li><a href="ip-ranges-20260601-0445.json">ip-ranges-20260601-0445.json</a></li>
<li><a href="ip-ranges-20260525-0416.json">ip-ranges-20260525-0416.json</a></li>
<li><a href="ip-ranges-20260518-0406.json">ip-ranges-20260518-0406.json</a></li>
<li><a href="ip-ranges-20260511-1354.json">ip-ranges-20260511-1354.json</a></li>
<li><a href="ip-ranges-20260511-0358.json">ip-ranges-20260511-0358.json</a></li>
<li><a href="ip-ranges-20260504-1712.json">ip-ranges-20260504-1712.json</a></li>
<li><a href="ip-ranges-20260504-0340.json">ip-ranges-20260504-0340.json</a></li>