Why is my Linux Function App sending requests from IPs outside of the Possible Outbound IP range?

joshuareadeharris 25 Reputation points
2023-03-21T20:08:54.9933333+00:00

We have a Linux function app and we are trying to whitelist the outbound IPs with a third-party API. However, the API service reports IPs outside of both the Outbound IP and Possible Outbound IP ranges (as reported by az functionapp show --query possibleOutboundIpAddresses and in the portal).

I have been in touch with Azure support and the support engineer says the IPs reported are Microsoft IPs outside of the East US center.

The API service reports that it has seen requests from our app from 40+ IPs, including the following examples – none of which are in the list of outbound addresses or the East US datacenter addresses as reported here:

52.186.166.227, 20.124.143.202, 64.188.16.140, 20.242.158.32

Can you advise on why this might be and how we can give the correct IP addresses for our Function App to the API service?

We also have a limited number of characters we can whitelist (200 total), so it would be helpful if the list of possible IPs could fit within that constraint. If it's not possible, other possible solutions would be appreciated!

Thanks!

Azure Functions

Accepted answer
  1. TP 91,336 Reputation points
    2023-03-22T00:09:08.8766667+00:00

    Hi,

    What type of plan are you hosting your functions under? How do you have networking configured? Is your plan configured as Zone redundant?

    I checked the first IP example you gave, 52.186.166.227, and it is in the linked JSON file under the "AzureCloud.eastus" section as "52.186.0.0/16". I didn't check your other sample addresses. So it does belong to the East US region according to the documentation.

    Unsure why traffic is originating from public IPs outside of the possible list. There is a disclaimer in the portal that says "outbound traffic may use an address not found in the list depending on routing and virtual network configuration". I would think this disclaimer would apply to more advanced networking configurations.

    One option to gain control over the outbound IP address would be to integrate with a VNet with NAT gateway and set Outbound public IP in your NAT gateway configuration. In this way all outbound traffic will go to the virtual network and then out using the NAT gateway public IP(s).

    Outbound IP restrictions

    https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options?tabs=azure-cli#outbound-ip-restrictions

    If the above was helpful please click Accept Answer.

    Thanks.

    -TP

    1 person found this answer helpful.
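
The manual lookup described in the answer (is an observed source IP in the app's possible outbound list, or only inside a regional service tag prefix?) can be scripted. This is an added example, not part of the original question or answer. The service tag excerpt and the possible outbound list are constructed sample data; only the 52.186.0.0/16 prefix, the observed IPs and the 200-character limit come from the thread.

```python
import ipaddress
import json

# Constructed excerpt in the layout of the Azure service tags JSON file; only
# the 52.186.0.0/16 prefix is taken from the answer above.
SERVICE_TAGS = json.loads("""
{"values": [{"name": "AzureCloud.eastus",
             "properties": {"addressPrefixes": ["52.186.0.0/16"]}}]}
""")

# Constructed stand-in for the comma-separated possibleOutboundIpAddresses
# value; the addresses are documentation placeholders (203.0.113.0/24).
POSSIBLE_OUTBOUND = "203.0.113.10,203.0.113.11,203.0.113.12"

# Source IPs the third-party API reported, as listed in the question.
OBSERVED = ["52.186.166.227", "20.124.143.202", "64.188.16.140", "20.242.158.32"]

ALLOWLIST_CHAR_LIMIT = 200  # partner-side limit stated in the question


def tag_prefixes(tags, tag_name):
    """Return the networks listed under one service tag (empty if absent)."""
    for entry in tags["values"]:
        if entry["name"] == tag_name:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    return []


def classify(ip, possible_csv, region_nets):
    """Label a source IP: 'possible-outbound', 'region-tag' or 'unlisted'."""
    addr = ipaddress.ip_address(ip)
    listed = {ipaddress.ip_address(p.strip()) for p in possible_csv.split(",") if p.strip()}
    if addr in listed:
        return "possible-outbound"
    if any(addr.version == n.version and addr in n for n in region_nets):
        return "region-tag"  # platform range for the region, not app-specific
    return "unlisted"  # not in the data supplied; says nothing about other tags


def fits_allowlist(entries, limit=ALLOWLIST_CHAR_LIMIT):
    """True if the comma-joined entries fit within the character limit."""
    return len(",".join(entries)) <= limit


if __name__ == "__main__":
    nets = tag_prefixes(SERVICE_TAGS, "AzureCloud.eastus")
    for ip in OBSERVED:
        print(ip, classify(ip, POSSIBLE_OUTBOUND, nets))
    print("possible list fits limit:", fits_allowlist(POSSIBLE_OUTBOUND.split(",")))
```

With the full downloaded service tags file in place of the excerpt, the remaining observed addresses can be classified the same way; "unlisted" here only reflects the single-prefix sample.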
