Use the ipv6_is_in_any_range function to determine whether a given IPv6 address belongs to any of a specified set of IPv6 CIDR ranges. This function is particularly useful in log enrichment, threat detection, and network analysis tasks that involve validating or filtering IP addresses against allowlists or blocklists.

You can use this function to:

  • Detect whether traffic originates from known internal or external networks.
  • Match IPv6 addresses against predefined address ranges for compliance or security auditing.
  • Filter datasets based on whether requesters fall into allowed or disallowed IP zones.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Usage

Syntax

ipv6_is_in_any_range(ipv6_address, ipv6_ranges)

Parameters

| Name | Type | Description |
| --- | --- | --- |
| ipv6_address | string | An IPv6 address in standard format (e.g., 2001:db8::1). |
| ipv6_ranges | dynamic array | A JSON array of IPv6 CIDR strings to compare against. |

Returns

A bool value:

  • true if the given IPv6 address is within any of the provided CIDR ranges.
  • false otherwise.

Example

You want to detect HTTP requests from a specific internal IPv6 block.

Query

['sample-http-logs']
| extend inRange = ipv6_is_in_any_range('2001:db8::1234', dynamic(['2001:db8::/32', 'fd00::/8']))
| project _time, uri, method, status, inRange


Output

| _time | uri | method | status | inRange |
| --- | --- | --- | --- | --- |
| 2025-06-30T01:00:00Z | /api/login | POST | 200 | true |
| 2025-06-30T01:01:00Z | /healthcheck | GET | 204 | true |

  • ipv4_is_in_any_range: Use this function when working with IPv4 addresses instead of IPv6.
  • ipv6_compare: Compares two IPv6 addresses. Use this for sorting or deduplication rather than range matching.
  • ipv6_is_match: Checks whether an IPv6 address matches a specific range. Use this if you need to test against a single CIDR block.
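The membership test described under Returns can be mirrored offline to vet an allowlist or blocklist before it goes into a query. The following Python sketch is an added example, not Axiom's implementation; the helper names, the sample data, and the choice to treat unparseable input as "no match" are assumptions of the sketch.

```python
import ipaddress

def parse_ranges(cidrs):
    """Split CIDR strings into usable IPv6 networks and rejected entries."""
    networks, rejected = [], []
    for cidr in cidrs:
        try:
            # strict=False tolerates host bits set, e.g. '2001:db8::1/32'.
            networks.append(ipaddress.IPv6Network(cidr, strict=False))
        except ValueError:  # malformed, prefix length > 128, or an IPv4 CIDR
            rejected.append(cidr)
    return networks, rejected

def in_any_range(address, networks):
    """True if address parses as IPv6 and lies inside any of the networks."""
    try:
        ip = ipaddress.IPv6Address(address)
    except ValueError:
        return False  # assumption of this sketch: unparseable means no match
    return any(ip in net for net in networks)

def tag_addresses(addresses, cidrs):
    """Return ({address: in_range}, rejected_cidrs) for a batch of addresses."""
    networks, rejected = parse_ranges(cidrs)
    return {a: in_any_range(a, networks) for a in addresses}, rejected

# Constructed sample data: the page's two ranges plus two bad list entries.
RANGES = ['2001:db8::/32', 'fd00::/8', '2001:db8::/129', '10.0.0.0/8']
ADDRESSES = [
    '2001:db8::1234',         # the address used in the page's query
    'fd12:3456::1',           # inside fd00::/8
    '2001:db9::1',            # just outside 2001:db8::/32
    '2001:0DB8:0:0:0:0:0:1',  # uncompressed, upper-case spelling
    '::ffff:10.0.0.1',        # IPv4-mapped; the IPv4 CIDR above never applies
    'not-an-ip',
]

if __name__ == '__main__':
    results, rejected = tag_addresses(ADDRESSES, RANGES)
    for addr, hit in results.items():
        print(f'{addr:<24} {hit}')
    print('rejected range entries:', rejected)
```

Rejected entries are worth surfacing rather than silently dropping: a blocklist line that never parses is a range that never matches.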