Share via

Outbound IP addresses for Azure Function App

Francisco Dominguez 386 Reputation points
2022-05-11T06:36:34.503+00:00

Hi,

I'm using certain API that needs IP whitelisting to be able to use it. I've built a couple of Azure Functions inside my Azure Function App and both of them make requests to that API. I have whitelisted the outbound IP addresses of the Azure Function App.

Today, when the trigger of the Azure Functions ran, they were using a different IP out of the list of the outbound IP addresses, and therefore, it was not whitelisted in the API:

200809-screenshot-from-2022-05-11-08-33-29.png

My list of outbound IP addresses does not include an IP similar to that one sending the request to the API.

Could you please guide me on what's going on here?

Regards,
Francisco.

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
5,936 questions
0 comments
Accepted answer
  1. MughundhanRaveendran-MSFT 12,506 Reputation points
    2022-05-11T07:38:03.747+00:00

    @Francisco Dominguez ,

    Thanks for reaching out to Q&A forum.

    Please note that, the ip adresses of the function app shown in the portal (networking section) is actually the datacenter outbound ip address. So you might want to add the function apps' data center (Azure region) to an allowlist. You can download a JSON file that lists IP addresses for all Azure data centers.

    Reference: https://learn.microsoft.com/en-us/azure/azure-functions/ip-addresses?msclkid=ada8be7ed0fb11ecb04d1cc6c5e3a0cd&tabs=portal#data-center-outbound-ip-addresses

    The outbound ip addresses can change at any time if you are on Consumption or premium plan due to the Autoscale behavior. For a dedicated plan, the outbound ip address can change if you take any action that can change the inbound IP address or change your Dedicated (App Service) plan pricing tier.

    You can control the IP address of outbound traffic from your functions by using a virtual network NAT gateway to direct traffic through a static public IP address. You can use this topology when running in a Premium plan or in a Dedicated (App Service) plan. Another option is to deploy the function in an App Service Environment.

    Reference: https://learn.microsoft.com/en-us/azure/azure-functions/ip-addresses?msclkid=ada8be7ed0fb11ecb04d1cc6c5e3a0cd&tabs=portal#outbound-ip-address-changes

    2 people found this answer helpful.

5 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ethan Witherington 0 Reputation points
    2024-09-10T15:15:56.4166667+00:00

    I have been debugging / tracking this for months.

    We have a large collection of function apps on the consumption plan. All of them are using 5-minute timer triggers; either every execution is a "scaling event" or none of them are.

    The outbound address is random. Sometimes it is in the "outbound" list, sometimes it is in the "possible outbound" list, and sometimes (most of the time) it is in neither.

    What I find most concerning is that the "possible outbound" list has never updated or refreshed. It is identical to when the functions were deployed.

    We satisfied our use-case with regional service tags, but this obviously does not help anyone using a 3rd party service.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.