Keeping my outbound IPs on App Service - azure

I have a website on Azure App service and I've asked a service provider to open up for my outbound IP addresses. How can I make sure that those IPs won't change?
If there is a new IP assigned to my app service, all calls from that IP will be blocked by the service provider.

The outbound IP addresses are per stamp/scale unit that the apps are on. It is not specific to a certain webspace or resource group.
You can find the stamp/scale unit in the Properties blade under the FTP Hostname endpoint. It should list out something like "waws-prod--". All of the apps in the same stamp/scale unit number in that region will have the same outbound IP addresses, as they are per stamp/scale unit.
The list of outbound IP addresses is not completely static but normally it does not change. Check out the reasons for the IP change in the thread outlined by Ruslan.
If you need both incoming and outgoing to be static, you will need an App Service Environment. This will give you dedicated IP addresses.
For more information see: https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-intro and https://msdn.microsoft.com/en-us/magazine/mt793270.aspx.

Related

What determines the outbound ip addresses in my app service in Azure?

I have one app service in Azure in a particular region with 5 outbound IP addresses and a second in the same region but there are 20 outbound IP addresses, which doesn't look right. One app is Premium V2, the other is Premium V3.
What determines the outbound IP addresses and the additional outbound IP addresses, and can an outbound IP address be added by a user?
App Service is a multi-tenant service (unless you use App Service Environments) and this service consists of gateway servers which accept the initial requests to App Services and forward them on to worker instances where your code actually lives. Those workers are the App Service Plans which are deployed to specific deployment units each of which are assigned a single inbound IP and multiple outbound IPs, the latter of which are chosen at random at runtime when an outbound request takes place.
This document covers all of the above and more about App Service IP addresses.
Based on which deployment unit your apps end up on you will get different IP addresses; also the SKU can affect the number of IP addresses, as you've seen. If you scale up/down or redeploy apps you can end up getting new IPs; the above doc has the full set of conditions as to when this might happen.
Depending on what you need to do you could consider using an App Service Environment which has single static IPs for inbound and outbound:
IP addresses don't change, as long as your App Service Environment is running
You can also use App Service VNET connectivity to give your App a private IP in a VNET so that you can connect it to resources privately in the VNET using private endpoints.

Azure App Service - Outbound IP addresses vs Additional Outbound IP Addresses

Azure App Service has 2 types of outbound IP addresses:
Outbound IP Address:
Additional Outbound IP address:
I would like to know from the whitelisting perspective, which category do I need to use in my firewall?
As far as I know, you should whitelist the Additional Outbound IP addresses:
An App Service app runs in an App Service plan, and App Service plans are deployed into one of the deployment units in the Azure infrastructure (internally called a webspace). Each deployment unit is assigned up to five virtual IP addresses, which includes one public inbound IP address and four outbound IP addresses. All App Service plans in the same deployment unit, and app instances that run in them, share the same set of virtual IP addresses. For an App Service Environment (an App Service plan in Isolated tier), the App Service plan is the deployment unit itself, so the virtual IP addresses are dedicated to it as a result.
Because you're not allowed to move an App Service plan between deployment units, the virtual IP addresses assigned to your app usually remain the same, but there are exceptions.
Source.
So for some exceptions, like if you scale your app between tiers, one or more of the four outbound IP addresses may change (along with some of the additional outbound IP addresses).
See: When outbound IPs change
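The two answers above (the first one on this page and this one) both come down to the same operational task: hand the provider the full possible outbound set rather than the four currently active IPs, store that list, and re-check it on a schedule so a change is noticed before calls start getting blocked. The following is an added example, not code from the original posts or from Microsoft. It assumes the JSON shape that `az webapp show -g <rg> -n <app> -o json` prints, of which only the `outboundIpAddresses` and `possibleOutboundIpAddresses` properties are used (the portal labels the latter "Additional Outbound IP Addresses"); the sample document and the previously stored allowlist are constructed, using TEST-NET addresses rather than real Azure IPs.

```python
"""Turn `az webapp show` output into the outbound-IP allowlist to give a provider,
and diff it against the list stored by the previous run."""
import ipaddress
import json
from typing import Dict, List, Set, Tuple

# Constructed sample shaped like `az webapp show -g rg-contoso -n contoso-web -o json`
# (only the properties used here). TEST-NET addresses, not real Azure IPs.
SAMPLE_SITE_JSON = """
{
  "name": "contoso-web",
  "resourceGroup": "rg-contoso",
  "outboundIpAddresses": "203.0.113.10,203.0.113.11,203.0.113.12,203.0.113.13",
  "possibleOutboundIpAddresses": "203.0.113.10,203.0.113.11,203.0.113.12,203.0.113.13,198.51.100.20,198.51.100.21"
}
"""

# Constructed: what the previous run stored, i.e. what the provider currently allows.
# Here it was built from outboundIpAddresses only, which is the mistake being caught.
PREVIOUS_ALLOWLIST = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]


def parse_ip_list(csv: str) -> Set[str]:
    """Azure returns outbound IPs as one comma-separated string; validate each entry."""
    ips: Set[str] = set()
    for item in csv.split(","):
        item = item.strip()
        if item:
            ipaddress.ip_address(item)  # raises ValueError on anything that is not an IP
            ips.add(item)
    return ips


def load_site(text: str) -> Dict:
    """Parse the `az webapp show` JSON document."""
    return json.loads(text)


def outbound_allowlist(site: Dict) -> List[str]:
    """The list to hand to the provider: possibleOutboundIpAddresses, not only
    outboundIpAddresses (the subset in use right now). Allowlisting just the current
    subset breaks the day a request leaves via another IP from the deployment unit's
    pool, for example after a scale-up."""
    current = parse_ip_list(site.get("outboundIpAddresses", ""))
    possible = parse_ip_list(site.get("possibleOutboundIpAddresses", ""))
    if not current <= possible:
        raise ValueError(f"outbound IPs missing from possible set: {sorted(current - possible)}")
    return sorted(possible, key=ipaddress.ip_address)


def diff_allowlist(previous: List[str], current: List[str]) -> Tuple[List[str], List[str]]:
    """Return (added, removed). A non-empty 'added' means the provider's rule is
    already too narrow; 'removed' entries can be withdrawn from the provider."""
    prev, cur = set(previous), set(current)
    return (sorted(cur - prev, key=ipaddress.ip_address),
            sorted(prev - cur, key=ipaddress.ip_address))


def main() -> None:
    site = load_site(SAMPLE_SITE_JSON)
    allowlist = outbound_allowlist(site)
    print(f"{site['resourceGroup']}/{site['name']}: allow {','.join(allowlist)}")
    added, removed = diff_allowlist(PREVIOUS_ALLOWLIST, allowlist)
    if added or removed:
        print(f"CHANGE: added={added} removed={removed}; update the provider's firewall")


if __name__ == "__main__":
    main()
```

Run on a schedule (a pipeline job or a timer-triggered function), replace `SAMPLE_SITE_JSON` with the live `az webapp show` output and `PREVIOUS_ALLOWLIST` with the list persisted by the last run, and alert on a non-empty diff. Remember that the whole list is shared with every other tenant on the same deployment unit, so the provider's rule should also require authentication on the application layer rather than trusting the source IP alone.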

How to find app service that an outgoing IP address belongs to?

I have an IP address that I know belongs to one of the app services on Azure. How can I find out which app service is it?
UPDATE
Kaushal Kumar Panday's answer reveals IP Addresses on Azure do not belong to a single app service, but belong to a data centre.
Is there any way to get a list of app services in an Azure account that share an outgoing IP Address?
In Azure App Service, the Outbound IP Address do not correspond to any specific Web App. They are tied to the data centre and shared by all the apps on that data centre.
So all the sites running on that specific data centre will have the same Outbound IP Address.
There is no way to trace back to the web app using the IP. You may be able to trace it back to the specific data centre, but not the originating web app.
UPDATE
Your site on the same data centre can have a different list of Outbound IP Addresses. A data centre is a logical unit, which is comprised of several physical units. For example, West Europe is a logical entity which is comprised of several physical data centres. This approach is used to scale the data centres. See this article: Inside Azure App Service Architecture
On one scale unit (physical DC) several thousands of sites are running and you might be seeing the Outbound IP address of that specific scale unit.
Also, if you have all the apps inside the same app service plan, then their Outbound IP Address will always be the same.
If you ping the default name of the web app you will know the actual scale unit as shown below
This might help for others, but if you go into your app service and choose Properties you will see the Outbound IP Addresses and Additional Outbound IP Addresses of that particular app service. It's a list of IPs, not just one. Pinging your service will not give you the IP you're looking for, as that is your inbound IP address.
I can confirm that for the last 6 months, our IP address list hasn't changed. I know these are shared, which for some might be a security issue, so beware when opening a firewall rule.
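As the answers above say, an outbound IP cannot be traced back to a single app, but within your own subscription you can at least list every app whose deployment unit pool contains that IP, and group apps by identical pools to see which of them share a unit. The following is an added example, not code from the original posts; it assumes the JSON shape of `az webapp list -o json` (one object per app with `outboundIpAddresses` and `possibleOutboundIpAddresses` as comma-separated strings). The sample apps are constructed with TEST-NET addresses. It only sees apps the CLI identity can read, so an empty result means "none of my apps", not "no App Service app".

```python
"""Reverse-map an outbound IP to the App Service apps (in this subscription) that can
send from it, from the JSON that `az webapp list -o json` prints."""
import ipaddress
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample shaped like `az webapp list` output; TEST-NET addresses, not real
# Azure IPs. shop-web and shop-api share a deployment unit (identical possible outbound
# set); intranet lives on a different one.
SAMPLE_APPS_JSON = """[
  {"name": "shop-web", "resourceGroup": "rg-shop", "location": "West Europe",
   "outboundIpAddresses": "203.0.113.10,203.0.113.11",
   "possibleOutboundIpAddresses": "203.0.113.10,203.0.113.11,203.0.113.12"},
  {"name": "shop-api", "resourceGroup": "rg-shop", "location": "West Europe",
   "outboundIpAddresses": "203.0.113.10,203.0.113.11",
   "possibleOutboundIpAddresses": "203.0.113.10,203.0.113.11,203.0.113.12"},
  {"name": "intranet", "resourceGroup": "rg-it", "location": "West Europe",
   "outboundIpAddresses": "198.51.100.5,198.51.100.6",
   "possibleOutboundIpAddresses": "198.51.100.5,198.51.100.6"}
]"""


def parse_ip_list(csv: str) -> Set[str]:
    """Split Azure's comma-separated IP string and validate every entry."""
    ips: Set[str] = set()
    for item in csv.split(","):
        item = item.strip()
        if item:
            ipaddress.ip_address(item)  # ValueError on garbage
            ips.add(item)
    return ips


def load_apps(text: str) -> List[Dict]:
    return json.loads(text)


def app_id(app: Dict) -> str:
    return f"{app['resourceGroup']}/{app['name']}"


def index_by_ip(apps: List[Dict]) -> Dict[str, List[str]]:
    """ip -> sorted apps whose possible outbound set contains it. One IP mapping to many
    apps is the normal case: the IP belongs to the deployment unit, not to an app."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for app in apps:
        for ip in parse_ip_list(app.get("possibleOutboundIpAddresses", "")):
            index[ip].add(app_id(app))
    return {ip: sorted(names) for ip, names in index.items()}


def apps_using_ip(apps: List[Dict], ip: str) -> List[str]:
    """Every readable app that may send from `ip`; empty when the IP belongs to a unit
    none of these apps is on, or does not belong to App Service at all."""
    ip = str(ipaddress.ip_address(ip))  # normalise and reject non-IP input
    return index_by_ip(apps).get(ip, [])


def deployment_groups(apps: List[Dict]) -> Dict[str, List[str]]:
    """Group apps by identical possible-outbound set: apps in one group share a
    deployment unit and therefore share (and expose each other to) the same allowlist."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for app in apps:
        pool = parse_ip_list(app.get("possibleOutboundIpAddresses", ""))
        key = ",".join(sorted(pool, key=ipaddress.ip_address))
        groups[key].append(app_id(app))
    return {key: sorted(names) for key, names in groups.items()}


def main() -> None:
    apps = load_apps(SAMPLE_APPS_JSON)
    for ip in ("203.0.113.12", "192.0.2.1"):
        print(f"{ip}: {apps_using_ip(apps, ip) or 'no app in this subscription'}")
    for pool, names in deployment_groups(apps).items():
        print(f"deployment unit pool [{pool}]: {', '.join(names)}")


if __name__ == "__main__":
    main()
```

The grouping is a heuristic: two apps with the same pool are almost certainly on the same deployment unit, but the reverse inference (different pools, different units) only holds for the apps you can see, and tenants outside your subscription on the same unit remain invisible, which is the point the other answers make about allowlisting these IPs.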

Does azure use static ip on a standard 1 app service plan

Have one app service plan (Standard 1 pricing tier) with only one web app. From what I understand I have a static IP based on this configuration / price. So when I do an nslookup on my web site and get an IP back, that IP is static, correct? Just needed verification. TIA.
So when I do an nslookup on my web site and get an ip back, that ip is static correct? Just needed verification
Every Azure Web App has 1 external IP address and multiple outbound addresses. What you saw from nslookup is the external IP address.
The external IP address (inbound address) is used for domain binding (A record binding). If you want to bind your custom domain, please use the external IP address. You could find the external IP address from the Azure portal: Web App -> Custom Domains tab.
From official document, we know
If you delete and recreate your app, or change from a higher pricing tier back to the Shared tier, your app's external IP address may change. Otherwise, the external IP address won't be changed.
Traffic coming from your web app will use one of the outbound addresses as its IP address. There is no agreement on when the outbound IP address will change or not. They will not change from one day to the next, nor is there any plan or real need to change them.
will there be some type of notification from azure when the outbounds do change?
There is no official document which pointed it out. I found following words from MSDN forum. Hope it will be helpful for you.
It becomes necessary for Azure infrastructure to increase the number of outbound IP addresses. In that case the existing IP addresses will be preserved but there will be some new ones. So far there hasn't been a need to increase the number of IP addresses, and if there is ever a need for that there will be an early notice about it.
The Web App gets relocated to a different scale unit. Prior to that the subscription owner gets an email notification one month in advance.
From: Static outbound IP addresses for Azure Web Apps?
I'm pretty sure you are assigned 4 external IP addresses, so at the very least there are 4 ip addresses you need to consider static, but from what I can tell they are subject to change (that's how it previously was, I'm not sure if it holds now).
Also, remember that those are shared, so whitelisting those is potentially dangerous.

Access rules for SMTP services from Azure to corporate network

I would like to use my internal Exchange servers for email notifications from an Azure Web Role. The role is set up in the West US region. I need to allow this role, with multiple instances, to access my corporate SMTP server on port 25. Is there an appropriate range of IPs that I could open up on my corporate firewall, or is there a more secure option?
We have experience setting up networks in Azure as well as VPN gateways, I am not sure that this would be part of the solution as my understanding is not broad enough to see how I could implement something that would allow secure access to corporate networks while continuing to be publicly available.
Any help or direction would be appreciated.
Thanks
Your web role has a single (and fairly static) ip address of the load balancer, but this is of no use to you as the source ip address for outgoing data will be the ip address of the particular instance. You can get hold of this address, but not easily, and it is subject to change — every time an instance recycles, or is added, the ip address will change (although the incoming ip address, of the load balancer, remains static). So you can't provide instance public ip address ranges for the corporate firewall.
If you are familiar with VPNs and private networks on Azure, then that will be your simplest option. Your worker role ip addresses will still change, but the range is more predictable, and is defined by your subnet configuration. A worker role on a private network (VPN) will have both public and private ip addresses, so will be publicly accessible, but will send to a VPN ip address via the gateway.
Another option is to do some sort of smtp relay, either on a VM in Azure, or a managed hosting service, where the ip address is more static. This would require that a machine is setup, maintained, and running, but could probably be easily done on an extra small linux vm.
Your web roles will be part of an Azure Cloud Service. That cloud service is assigned a static public IP address by Azure. No matter how many roles you add/remove from the service the public IP will remain unchanged. You can set your SMTP server to only allow requests from that IP address.
