I have a website on Azure App service and I've asked a service provider to open up for my outbound IP addresses. How can I make sure that those IPs won't change?
If there is a new IP assigned to my app service, all calls from that IP will be blocked by the service provider.
The outbound IP addresses are per stamp/scale unit that the apps are on. It is not specific to a certain webspace or resource group.
You can find the stamp/scale unit in the Properties blade under the FTP Hostname endpoint. It should list out something like "waws-prod--". All of the apps in the same stamp/scale unit number in that region will have the same outbound IP addresses, as they are per stamp/scale unit.
The list of outbound IP addresses is not completely static but normally it does not change. Check out the reasons for the IP change in the thread outlined by Ruslan.
If you need both incoming and outgoing to be static, you will need an App Service Environment. This will give you dedicated IP addresses.
For more information see: https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-intro and https://msdn.microsoft.com/en-us/magazine/mt793270.aspx.
I have a case where I want to migrate on-prem servers to Azure, but I should still have the local IPs pointing to these VMs. I mean by the local IPs the country-range of IPs since these VMs should be accessed using country IPs for regulatory reasons.
I heard that this is possible, but I have no idea what type of resources I should use to allow this, VNET, VPN, ExpressRoute ?? And how to do it as I have no experience in networking what so ever.
Regards,
NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.
You can setup a site-to-site VPN between on-prem and Azure Vnet, then deploy a server on-prem run as the NAT device.
It is possible, but with some complications and constraints:
You can run these servers/VMs in Azure using their public IP addresses. You need to create the Virtual Network using these address ranges, but it is possible. The catch here is that these public IP addresses are only accessible via cross premises connectivity solutions such as Azure VPN gateway or Azure ExpressRoute. You cannon access these VMs using their "public" IP addresses directly over the Internet. For this purpose, these public IP address ranges are really treated as "private addresses".
Once you create the virtual network with the public IP addresses (as private address space) in Azure, you will also need to make sure your routing in the on premises network is configured correctly to forward the traffic to these VMs over the VPN tunnels or MPLS/WAN network if you are using ExpressRoute.
If these servers/VMs need to accept requests directly from the Internet, the traffic from the Internet will still come to your on premises network because that's where your ISPs will direct the traffic. You will need to ensure these traffic will be routed correctly over the cross premises connectivity (VPN/ExpressRoute) to Azure.
Hope this helps a bit. Please let me know if this answers your question.
Thanks,
Yushun [MSFT]
Does anyone know if its possible to have my corporate azure account to be assigned a block (e.g. subnet) of azure public IP within a region to make it easier to create firewall rules for my corporate firewall which blocks most outgoing ports.
Our customer does not want anyone sourced inside from the corporate .com account to have access to all 22 and 3389 ports out on the internet, but will limit them to a subnet if we can be assigned a subnet on which we will hang our bastion servers on.
I wouldn't know about blocks of IP's, but you can certainly create a virtual network in which you create all your resources in Azure, and hten configure a firewall in azure, which will have a permanent IP. This can then be used to set up a site-to-site VPN thing between your corporate network and the machines in Azure.
https://azure.microsoft.com/en-gb/services/virtual-network/
For public facing ports, you can add another virtual network card and rest assured that the traffic on one card cannot, in any way pass over to the other, network connected card.
This would also be a better strategy than to set up a range of VM's in Azure with public IP's.
I have an Azure Cloud Service, mywebapp.cloudapp.net, that consists of two Azure VMs - mywebappvm1 and mywebappvm2. Both VMs are in the same Availability Set and have the same DNS name.
I also have a Regional Reserved IP address assigned to the Cloud Service so that I can give our clients a guaranteed IP address that our app uses.
Part of the app uses a private background process, currently only running on one of the VMs. I want to be able to make a connection to that process over TCP running on mywebappvm1 from mywebappvm2. I could use the public IP and an endpoint on mywebappvm1 but I don't want the background service to be publicly accessible.
I'm currently using the private IP address, but is that safe? Will the private IP of each VM change if it's rebooted? I can't see an easy way of fixing the private IP of each VM - that seems like something you can do with a VNET but I can't find any information on how to do it with a cloud service and an availability group as well.
Is there perhaps another way to run a web app on multiple load-balanced VMs within an availability set that would make this easier?
What you do is absolutely safe and actually a recommended best practice. You should not go out to public IP address in order to communicate between the Virtual Machines.
It is also a recommended best practice to organize your Virtual Machines into Virtual Network and sub-nets.
This excellent blog post describes how can you even use static IP addresses for the VMs, so you are always 100% sure that mywebappvm1 always get XXX.XXX.XXX.XXX IP Address andyour mywebappvm2 always get YYY.YYY.YYY.YYY IP Address.
Please note that if you do not use Static IP Address assigned to the VM, it is guaranteed that the IP Address of the VM may change.
The IP for a webRole VM instance will not change for the lifetime of the deployment regardless of reboot, update or swapping. The IP will be released only if you delete the deployment, detailed here
I've been trying to find an answer to this for a few days.
I want to host a new azure website in either the Basic tier or Standard tier.
The site will be calling a third party service.
I need to give this service provider an IP address that they will whitelist.
So when the new azure website makes requests to this service the IP address for the request needs to always be the same, as this will be the IP whitelisted.
I read that Azure offers "Reserved IPs" for cloud services and VMs but I wanted to know if something similar can be done with Azure Websites as I really don't want to go with cloud/VM.
My knowledge of networking is limited but as I understand it, if I were to get an IP SSL cert and apply that to my Azure Website then the website would have a static IP address.
If that is the case, would any requests to the third party service be hitting the service providers external firewall with this same static IP?
Thanks for any advice people can give.
An SSL cert with Web Sites will be tied to an inbound IP address. However, Web Sites does not provide a static outbound IP address.
If you need a static IP address to align with 3rd-party services, you'd need to have something residing in Azure (e.g. Application tier) running in a cloud service / VM that your web site accesses, and then have that app tier (with static IP address) communicate with your 3rd-party services.
As David Makogon's answer points out, applying an IP-based SSL certificate only gives the website a static inbound IP address.
However, the outbound IP address a website uses when making outbound network calls can be determined based on where your website is hosted. Microsoft has a list of the these IP addresses here. The third-party service would have to whitelist all of the IP addresses used by the scale unit your website is hosted in (e.g. waws-prod-am2-005).
Correct me if I am wrong, but the information shared by Brant Bobby above shows that, in fact:
All Azure websites (/Web Apps) already have a discoverable and published outgoing IP address.
This outgoing IP address will never be unique to their own site however. So one must keep in mind if they use it for a white-list, it will be allowing in a lot of other Azure visitors hosted on the same scale unit.
Simply get the so-called "scale unit" name for your site, which is the same as what's given in your site's FTP address (and so forth), which is in the format: "waws-prod-[3LetterVar]-[3DigitNum]", e.g. waws-prod-blu-007.
As an example from that article, all the East US region Azure websites can find the four IP addresses their site may rely on as follows (so if white-listing, all 4 should be white-listed):
East US Region
Outbound IP addresses for each scale unit, currently 4 for each. They said they may add more IPs to each scale unit in the future, but these should not change.
waws-prod-blu-001: 168.62.48.13, 168.62.48.19, 168.62.48.33, 168.62.48.122
waws-prod-blu-003: 137.117.81.128, 137.117.81.142, 137.117.81.181, 137.117.81.82
waws-prod-blu-005: 137.117.80.189, 137.117.81.52, 137.117.81.90, 137.117.80.178
waws-prod-blu-007: 23.96.33.205, 23.96.34.196, 23.96.35.20, 23.96.36.229
waws-prod-blu-009: 23.96.97.203, 23.96.97.233, 23.96.97.235, 23.96.97.238
waws-prod-blu-011: 23.96.112.60, 23.96.112.117, 23.96.112.152, 23.96.112.15
waws-prod-blu-013: 191.238.8.154, 191.238.9.80, 191.238.9.94, 191.238.9.170
waws-prod-blu-015: 191.236.19.222, 191.236.19.242, 191.236.21.165, 191.236.18.160
waws-prod-blu-017: 191.238.32.104, 191.238.32.154, 191.238.34.67, 191.238.35.12
waws-prod-blu-019: 104.45.138.197, 104.45.142.87, 104.45.128.144, 104.45.142.131
waws-prod-blu-021: 191.237.24.189, 191.237.30.36, 191.237.26.164, 191.237.28.161
waws-prod-blu-023: 191.236.50.206, 191.237.30.215, 191.237.25.148, 191.237.22.195
waws-prod-blu-025: 191.237.31.86, 191.237.26.176, 191.237.20.70, 191.237.18.239
Azure now supports having static outbound IP address as well.
https://azure.microsoft.com/en-us/documentation/articles/app-service-app-service-environment-intro/
If we do not want to go for costlier App Service Environment setup, we can directly use the outbound IP addresses mentioned in the Azure portal in properties section, Azure assures that it remain 99.9% static. Nothing really changes until there is some changes data center wide. Moreover, the reserved Ip what we use in IaaS is also not 100% reserved for us and azure provides SLA of 99.9% here as well. So, In my opinion, instead of going for ASE and hosting IaaS and using reserved IP, we can just use outbound Ip provided by azure, since we get same reliability in both cases.