I have one app service in Azure in a particular region with 5 outbound IP addresses and a second in the same region but there are 20 outbound IP addresses, which doesn't look right. One app is Premium V2, the other is Premium V3.
What determines the outbound IP addresses and the additional outbound IP addresses, and can an outbound IP address be added by a user?
App Service is a multi-tenant service (unless you use App Service Environments) and this service consists of gateway servers which accept the initial requests to App Services and forward them on to worker instances where your code actually lives. Those workers are the App Service Plans which are deployed to specific deployment units each of which are assigned a single inbound IP and multiple outbound IPs, the latter of which are chosen at random at runtime when an outbound request takes place.
This document covers all of the above and more about App Service IP addresses.
Based on which deployment unit your apps end up on you will get different IP addresses; also the SKU can affect the number of IP addresses, as you've seen. If you scale up/down or redeploy apps you can end up getting new IPs. The above doc has the full set of conditions as to when this might happen.
Depending on what you need to do you could consider using an App Service Environment which has single static IPs for inbound and outbound:
IP addresses don't change, as long as your App Service Environment is running
You can also use App Service VNET connectivity to give your App a private IP in a VNET so that you can connect it to resources privately in the VNET using private endpoints.
Related
An Azure support engineer suggested that I put two app services on the same VNET in order to optimize my traffic. I'm new to VNETs so I'm trying to grok how this works. So far I've successfully added both the app services to the same VNET. However, it's unclear to me if it's "working" or not. I've tried reading the docs but they are incredibly dense and difficult for me to see the forest for the trees. So here's where I'm at:
Based on what I've read it seems like if services are in the same VNET the traffic between them will be routed differently. For example, say I have two services: service1.mydomain.com and service2.mydomain.com. Service 1 makes calls to service 2 via the service2.mydomain.com url. Normally, that traffic would go all the way back out to the internet and back in. But it sounds like just by adding them to the same VNET the traffic is somehow routed differently on an optimized and cheaper path. Is that accurate or is there more configuration required? If so, how can I verify that it's working?
Thanks!
It depends on the App Service Plan you're using for your App Service. If you're using Azure App Services on an App Service Environment, you'll have your own VNet for routing and it should work like that (I'm not too familiar with ASEs).
However, if you're using a Premium or lower tier, VNet integration is only useful for outbound calls, meaning that an App Service will be able to access resources on that VNet, but other integrated App Services are not on that VNet, they are just able to access resources on it as well (https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet).
If you want the App Services to be accessed through that VNet you'll need to set up Service Endpoints or Private Endpoints. See https://learn.microsoft.com/en-us/azure/app-service/networking-features for more details
Support is correct. Since both these services are on the same VNET, traffic will not flow outside the VNET and will be optimized. This is because the default routes for all VNETs have a route with a next hop of Virtual Network.
Virtual network: Routes traffic between address ranges within the address space of a virtual network. Azure creates a route with an address prefix that corresponds to each address range defined within the address space of a virtual network. If the virtual network address space has multiple address ranges defined, Azure creates an individual route for each address range. Azure automatically routes traffic between subnets using the routes created for each address range. You don't need to define gateways for Azure to route traffic between subnets. Though a virtual network contains subnets, and each subnet has a defined address range, Azure does not create default routes for subnet address ranges, because each subnet address range is within an address range of the address space of a virtual network.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
Azure App Service has 2 types of outbound IP addresses:
Outbound IP Address:
Additional Outbound IP address:
I would like to know from the whitelisting perspective, which category do I need to use in my firewall?
As far as I know, you should whitelist the Additional Outbound IP addresses:
An App Service app runs in an App Service plan, and App Service plans are deployed into one of the deployment units in the Azure infrastructure (internally called a webspace). Each deployment unit is assigned up to five virtual IP addresses, which includes one public inbound IP address and four outbound IP addresses. All App Service plans in the same deployment unit, and app instances that run in them, share the same set of virtual IP addresses. For an App Service Environment (an App Service plan in Isolated tier), the App Service plan is the deployment unit itself, so the virtual IP addresses are dedicated to it as a result.
Because you're not allowed to move an App Service plan between deployment units, the virtual IP addresses assigned to your app usually remain the same, but there are exceptions.
Source.
So for some exceptions, like if you scale your app between tiers, one or more of the four outbound IP addresses may change (with some of the additional outbound IP addresses).
See: When outbound IPs change
I have 3 components of my architecture running in 3 separate Azure App Services. Each app service has 4 outbound IPs. So whenever I have to deploy my app onto the client's premise, I have to whitelist 12-16 IPs on their on-premise Firewall.
Is there any way I can deploy a NAT which uses only 1 public IP and I can provide just 1 IP to the client?
If I manage to make this architecture work, then how would I modify my API calls to these services? At the moment I'm using their 1 public IP to access their individual service; with just 1 IP, how will I distinguish API calls made to different app services?
You can use Regional VNet Integration for your 3 App Services:
https://azure.github.io/AppService/2020/02/27/General-Availability-of-VNet-Integration-with-Windows-Web-Apps.html
Then, on the delegated subnets you can throw a User Defined Route so it goes to Azure Firewall (or any NVA) and the firewall will SNAT outbound traffic so you end up with a single outbound IP.
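The two answers above (the system "Virtual Network" route in the VNET question, and the user-defined route to a firewall/NVA in this one) both come down to how Azure picks an effective route: longest prefix match, with a user-defined route winning over a system route for the same prefix. The following is an added toy model of that lookup, not code from the thread or from Azure; the VNet address space, the firewall's private IP and the destination addresses are constructed. It shows that a destination inside the VNet address space keeps using the system VirtualNetwork route even after a 0.0.0.0/0 UDR is added, while a destination that resolves to a public address matches only the default route, which the UDR redirects to the appliance that then SNATs it.

```python
"""Toy model of Azure VNet effective-route selection (added example).
Models documented behaviour: one system 'VirtualNetwork' route per address
range, a system 0.0.0.0/0 -> 'Internet' route, longest-prefix match, and a
user-defined route (UDR) beating a system route of the same prefix length.
All addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop_type: str            # "VirtualNetwork", "Internet", "VirtualAppliance", "None"
    next_hop_ip: Optional[str] = None
    source: str = "system"        # "system" or "user" (a UDR)


def system_routes(vnet_address_space: List[str]) -> List[Route]:
    """Azure creates a VirtualNetwork route for every address range of the VNet
    plus a default 0.0.0.0/0 route with next hop Internet."""
    routes = [Route(ipaddress.ip_network(r), "VirtualNetwork") for r in vnet_address_space]
    routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), "Internet"))
    return routes


def effective_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length a user route beats a system route."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, r.source == "user"))


# Constructed scenario: a /16 VNet and an Azure Firewall / NVA at a private address.
VNET_ADDRESS_SPACE = ["10.10.0.0/16"]
FIREWALL_PRIVATE_IP = "10.10.255.4"
PRIVATE_ENDPOINT_IP = "10.10.2.5"      # e.g. a private endpoint of the second app
PUBLIC_SERVICE_IP = "203.0.113.10"     # what a public hostname might resolve to


def scenario(with_udr: bool) -> dict:
    """Return the next hop type chosen for a private and a public destination,
    with or without a 0.0.0.0/0 UDR pointing at the firewall."""
    routes = system_routes(VNET_ADDRESS_SPACE)
    if with_udr:
        routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), "VirtualAppliance",
                            FIREWALL_PRIVATE_IP, source="user"))
    return {
        "to_private_endpoint": effective_route(routes, PRIVATE_ENDPOINT_IP).next_hop_type,
        "to_public_hostname": effective_route(routes, PUBLIC_SERVICE_IP).next_hop_type,
    }


if __name__ == "__main__":
    print("without UDR:", scenario(False))
    print("with UDR:   ", scenario(True))
```

The model only covers system and user routes; BGP-learned routes, service endpoints and NSG evaluation are outside it. The practical consequence for the NAT question is visible in the output: only traffic that falls through to 0.0.0.0/0 reaches the appliance, so anything you still want to reach via a private address inside the VNet is unaffected by the SNAT.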
We are trying to set up office 365 to send email from our azure account.
Are our Outbound IPs shared with other azure users or not?
https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips
To find out if the outbound IPs that are shown in the properties area of my portal are shared with other users or do I have to buy a dedicated static IP address to make sure no one else is using them.
It seems that you refer to the outbound IP of web service in Azure. Azure App Service is a multi-tenant service, except for App Service Environments. Apps that are not in an App Service environment (not in the Isolated tier) share network infrastructure with other apps. So the IP address lists used for the web app are possible to share with others.
Unless you use an Application Service Environment (ASE) you cannot guarantee that the inbound or outbound IPs will change. However, you could control when the IP address will change. The set of outbound IP addresses for your app changes when you scale your app between the lower tiers (Basic, Standard, and Premium) and the Premium V2 tier. For more references, you could see steve's answer here.
I have a website on Azure App service and I've asked a service provider to open up for my outbound IP addresses. How can I make sure that those IPs won't change?
If there is a new IP assigned to my app service, all calls from that IP will be blocked by the service provider.
The outbound IP addresses are per stamp/scale unit that the apps are on. It is not specific to a certain webspace or resource group.
You can find the stamp/scale unit in the Properties blade under the FTP Hostname endpoint. It should list out something like "waws-prod--". All of the apps in the same stamp/scale unit number in that region will have the same outbound IP addresses, as they are per stamp/scale unit.
The list of outbound IP addresses is not completely static but normally it does not change. Check out the reasons for the IP change in the thread outlined by Ruslan.
If you need both incoming and outgoing to be static, you will need an App Service Environment. This will give you dedicated IP addresses.
For more information see: https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-intro and https://msdn.microsoft.com/en-us/magazine/mt793270.aspx.
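Both the earlier whitelisting answer (allowlist the additional outbound IPs) and this one (the list is not completely static) point to the same operational need: compare what the firewall allows against what the app can actually use, and notice drift before calls get blocked. The following is an added example, not code from the thread; it parses the two properties that `az webapp show` returns for a Microsoft.Web/sites resource as comma-separated strings, `outboundIpAddresses` and `possibleOutboundIpAddresses` (the latter is what the portal labels Additional Outbound IP Addresses and is a superset of the former). The JSON document and the allowlist below are constructed; `allowlist_gaps` is a helper written for this example.

```python
"""Added example: check a firewall allowlist against an App Service's outbound IPs.
Reads the 'outboundIpAddresses' and 'possibleOutboundIpAddresses' properties in the
shape 'az webapp show -o json' returns them (comma-separated strings). The document
and allowlist are constructed; addresses are from documentation ranges."""
import ipaddress
import json
from typing import Iterable, List, Set, Tuple

# Constructed stand-in for `az webapp show -n <app> -g <rg> -o json` output.
SAMPLE_WEBAPP_JSON = json.dumps({
    "name": "contoso-api",
    "defaultHostName": "contoso-api.azurewebsites.net",
    "outboundIpAddresses": "203.0.113.10,203.0.113.11,203.0.113.12,203.0.113.13",
    "possibleOutboundIpAddresses": (
        "203.0.113.10,203.0.113.11,203.0.113.12,203.0.113.13,"
        "198.51.100.20,198.51.100.21,198.51.100.22,198.51.100.23"
    ),
})

# Constructed allowlist as a customer firewall might hold it: only the four
# currently active addresses, plus one left over from an earlier deployment.
SAMPLE_ALLOWLIST = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13", "192.0.2.7"]


def parse_ip_list(value: str) -> List[ipaddress.IPv4Address]:
    """Split a comma-separated property into validated addresses, de-duplicated, order kept."""
    seen: List[ipaddress.IPv4Address] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        ip = ipaddress.ip_address(item)   # raises ValueError on anything that is not an IP
        if ip not in seen:
            seen.append(ip)
    return seen


def outbound_ip_sets(webapp_json: str) -> Tuple[Set[ipaddress.IPv4Address], Set[ipaddress.IPv4Address]]:
    """Return (current, possible) outbound IP sets and sanity-check the documented superset relation."""
    doc = json.loads(webapp_json)
    current = set(parse_ip_list(doc.get("outboundIpAddresses", "")))
    possible = set(parse_ip_list(doc.get("possibleOutboundIpAddresses", "")))
    if not current <= possible:
        raise ValueError("outboundIpAddresses is not a subset of possibleOutboundIpAddresses")
    return current, possible


def allowlist_gaps(webapp_json: str, allowlist: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (missing, stale): addresses the app may use that the firewall lacks,
    and allowlisted addresses the app can no longer use (candidates for removal).
    The comparison is against the *possible* set, because the active four can
    rotate to any of them after a scale or redeploy."""
    _current, possible = outbound_ip_sets(webapp_json)
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    missing = [str(ip) for ip in sorted(possible - allowed)]
    stale = [str(ip) for ip in sorted(allowed - possible)]
    return missing, stale


if __name__ == "__main__":
    missing, stale = allowlist_gaps(SAMPLE_WEBAPP_JSON, SAMPLE_ALLOWLIST)
    print("allowlist is missing:", missing)
    print("allowlist entries no longer used by the app:", stale)
```

Run against real output by piping `az webapp show -n <app> -g <rg> -o json` into the same functions; scheduling it next to the firewall change process turns "make sure those IPs won't change" into "find out the day they do". The subset check is deliberate: if `outboundIpAddresses` ever contains something outside `possibleOutboundIpAddresses`, the data is not what the documentation describes and the run should fail loudly rather than silently trim the allowlist.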