Is there a way of obtaining the Private IP address for Azure Functions (Linux) programatically?

Question

Is there a way of obtaining the Private IP address for Azure Functions (Linux) programatically?

JasonS-0863 0

The scenario I'm trying to solve is I have a list of Source IP addresses from Azure Monitor (Firewall logs). Some of these are private IPs which belong to Azure Functions. I'd like to either resolve the IPs to resource names via KQL and Azure Monitor, or failing that at least generate a list of Private IPs with their corresponding Azure Function name. Other details; The Azure Functions are using Private Endpoints. The IP address of the Azure Function can be found on the Advanced Tools > Environment page under the value "WEBSITE_PRIVATE_IP".

Ben Gimblett 4,560 Reputation points Microsoft Employee

2024-01-16T16:37:31.9533333+00:00

Hi - and thanks for the question

I think there's a little confusion here

A function private endpoint relates to the inbound flow - e.g. client (upstream app , or browser) connects to the function - and this can be done via a private endpoint, thus avoiding the function public endpoint (by default public ingress is shared)

On the other hand code running in the function that needs to access downstream resources, for example a database, can use regional-vnet-integration to access the vnet - for example to go via a SQL DB private endpoint (or perhaps an Oracle DB running privately on VMs in the
network)

The "WEBSITE_PRIVATE_IP" refers to the latter.

If for example you had a firewall between function and downstream dependency you should really use the subnet prefix for the source in the firewall rule and NOT an individual IP

Today plan to subnet through regional integration is 1:1 - you need a subnet per plan. There is a preview that means you can share subnet REF https://techcommunity.microsoft.com/t5/apps-on-azure-blog/announcing-app-service-multi-plan-subnet-join/ba-p/3971493

The reason you should use the subnet prefix is because the function scales out - also IPs change during maintenance ops as workers are replaced.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2024-01-17T16:02:07.18+00:00

JasonS-0863 Thanks for posting your question in Microsoft Q&A. As Ben Gimblett suggested, if you are looking to get a list of IP addresses for Firewall rules, you need to use subnet of Regional VNET or Gateway-required integration instead of individual IP. https://learn.microsoft.com/en-us/azure/app-service/reference-app-settings?tabs=kudu%2Cdotnet#networking

I guess you might look for IP address in Azure Monitor logs to map it to specific Azure Function for troubleshooting or other purposes and in that case, you are looking to programmatically access WEBSITE_PRIVATE_IP value. This is available as environment variable and you can read it via CLI, PowerShell or in your application code and check out https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings?tabs=azure-powershell#settings for different options.

However, WEBSITE_PRIVATE_IP value can change during scaling, or few other scenarios and hence it is advisable to map the IP address to the subnet range.

I hope this helps and let us know if any questions.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2024-01-18T14:35:25.51+00:00

JasonS-0863 Just checking if the above comment does help with your question. Feel free to reach out for any questions.
JasonS-0863 0 Reputation points

2024-01-18T15:14:49.75+00:00

Hi @Ben Gimblett and @MuthuKumaranMurugaachari-MSFT Thanks for your comments - useful information around the topic and always good to know about upcoming changes, so it's appreciated! Essentially I'm looking for a way (via CLI or Powershell, or even KQL) to obtain that WEBSITE_PRIVATE_IP property, and have yet to find it. Having looked at the link (https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings?tabs=azure-powershell#settings) you gave Muthu, it doesn't seem to be served up when using the Get-AzFunctionAppSetting command against the Function App. Unfortunately the solution provided by Carlos also fails to provide that IP address (both via the CLI/Powershell commands he mentioned, and the KQL Query which returns null when trying to extend to that property.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2024-01-18T15:49:53.0033333+00:00

JasonS-0863 Got it, let me explore more and get back to you.

2 answers

Your answer

Ben Gimblett 4,560 Reputation points Microsoft Employee

2024-01-16T16:37:31.9533333+00:00

Hi - and thanks for the question

I think there's a little confusion here

A function private endpoint relates to the inbound flow - e.g. client (upstream app , or browser) connects to the function - and this can be done via a private endpoint, thus avoiding the function public endpoint (by default public ingress is shared)

On the other hand code running in the function that needs to access downstream resources, for example a database, can use regional-vnet-integration to access the vnet - for example to go via a SQL DB private endpoint (or perhaps an Oracle DB running privately on VMs in the
network)

The "WEBSITE_PRIVATE_IP" refers to the latter.

If for example you had a firewall between function and downstream dependency you should really use the subnet prefix for the source in the firewall rule and NOT an individual IP

Today plan to subnet through regional integration is 1:1 - you need a subnet per plan. There is a preview that means you can share subnet REF https://techcommunity.microsoft.com/t5/apps-on-azure-blog/announcing-app-service-multi-plan-subnet-join/ba-p/3971493

The reason you should use the subnet prefix is because the function scales out - also IPs change during maintenance ops as workers are replaced.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2024-01-17T16:02:07.18+00:00

JasonS-0863 Thanks for posting your question in Microsoft Q&A. As Ben Gimblett suggested, if you are looking to get a list of IP addresses for Firewall rules, you need to use subnet of Regional VNET or Gateway-required integration instead of individual IP. https://learn.microsoft.com/en-us/azure/app-service/reference-app-settings?tabs=kudu%2Cdotnet#networking

I guess you might look for IP address in Azure Monitor logs to map it to specific Azure Function for troubleshooting or other purposes and in that case, you are looking to programmatically access WEBSITE_PRIVATE_IP value. This is available as environment variable and you can read it via CLI, PowerShell or in your application code and check out https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings?tabs=azure-powershell#settings for different options.

However, WEBSITE_PRIVATE_IP value can change during scaling, or few other scenarios and hence it is advisable to map the IP address to the subnet range.

I hope this helps and let us know if any questions.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2024-01-18T14:35:25.51+00:00

JasonS-0863 Just checking if the above comment does help with your question. Feel free to reach out for any questions.
JasonS-0863 0 Reputation points

2024-01-18T15:14:49.75+00:00

Hi @Ben Gimblett and @MuthuKumaranMurugaachari-MSFT Thanks for your comments - useful information around the topic and always good to know about upcoming changes, so it's appreciated! Essentially I'm looking for a way (via CLI or Powershell, or even KQL) to obtain that WEBSITE_PRIVATE_IP property, and have yet to find it. Having looked at the link (https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings?tabs=azure-powershell#settings) you gave Muthu, it doesn't seem to be served up when using the Get-AzFunctionAppSetting command against the Function App. Unfortunately the solution provided by Carlos also fails to provide that IP address (both via the CLI/Powershell commands he mentioned, and the KQL Query which returns null when trying to extend to that property.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2024-01-18T15:49:53.0033333+00:00

JasonS-0863 Got it, let me explore more and get back to you.

Answer 1

To obtain the private IP addresses of Azure Functions programmatically, especially when they are using Private Endpoints, you have a couple of approaches to consider: Azure CLI or PowerShell Scripts: You can write a script that iterates over your Azure Functions and queries their properties to obtain the private IP address. This script can be run programmatically as needed.

For Azure CLI, you would typically use a command like az functionapp show to get details about each function app, and then parse the output for the private IP address.
For PowerShell, you would use Azure PowerShell cmdlets like Get-AzFunctionApp to obtain similar information.

Extracting Private IP: Since the private IP address is found in the Advanced Tools > Environment page under the value "WEBSITE_PRIVATE_IP", your script needs to query this specific property.

KQL Query: Write a KQL query that joins Azure Monitor data (like firewall logs) with Azure Resource Graph data to correlate resource names with private IP addresses. The query would look something like this (simplified example):

Resources
| where type == 'microsoft.web/sites'
| extend privateIP = properties.privateIpAddress
| join kind=inner (
    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.WEB" and Category == "FunctionAppLogs"
    ) on $left.ResourceId == $right.ResourceId
This query is a basic example. You'll need to adjust it based on the exact schema of your logs and the information available in the Resource Graph.

By using these methods, you should be able to programmatically obtain the private IP addresses of your Azure Functions and possibly resolve them to resource names. Remember, the exact implementation will depend on the specifics of your Azure environment and the details you need to extract.

Answer 2

MuthuKumaranMurugaachari-MSFT 22,441 Moderator

JasonS-0863 To answer your question, currently, it is not possible to retrieve WEBSITE_PRIVATE_IP property via CLI, PowerShell or Rest API and this is available only inside the application. I did a quick test via portal C# (Linux) and able to retrieve the property (similarly should work for other languages). User's image

So, you might have to create a HTTP triggered function and expose this property like above for external callers. However, as I previously mentioned, WEBSITE_PRIVATE_IP value can change during scaling, or few other scenarios and should not rely on this. Instead, always use subnet range wherever possible.

I hope this helps and let me know if any questions.

If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.

JasonS-0863 0 Reputation points

2024-01-19T09:51:26.85+00:00

Thanks @MuthuKumaranMurugaachari-MSFT
I think the answer is as you said - that there isn't a way to achieve it. I appreciate the tip on exposing the property on each individual function, however that's not what I'm after at this stage. Thanks again for the time on investigating and sharing your suggestions and findings.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2024-01-19T14:00:35.27+00:00

JasonS-0863 sure, you are welcome.

Share via

Is there a way of obtaining the Private IP address for Azure Functions (Linux) programatically?

2 answers

Your answer