To restrict the outbound IP address of your Azure Web App, you can use regional VNet integration together with a virtual network NAT gateway to direct traffic through a static public IP address*2. Here are the steps you can follow:
- Create a Virtual Network (VNet): You can keep the values as default and create a subnet within this VNet.
- Create a NAT Gateway: Associate this NAT gateway with the subnet of the VNet.
- Set the Outbound IP in the NAT Gateway: You can set this as one of the outbound IPs of the web app*2.
Ensure that "Route All" is enabled in your regional VNet integration settings. This setting, enabled by default, tells the App Service to route all outbound traffic through the integrated virtual network*1.
To check the current outbound IP address that your app is using among all the outbound IP addresses, you can do the following:
- Azure Portal: Go to the Properties section of your Azure App Service on the Azure portal. The outbound IP addresses are listed in the "Outbound IP Addresses" field.
- Azure CLI: Use the following command:
az webapp show --resource-group <group_name> --name <app_name> --query outboundIpAddresses --output tsv
Replace <group_name>
with your resource group name and <app_name>
with your app name.
Please note that these outbound IP addresses can change under certain conditions, such as when you delete an app and recreate it in a different resource group.
I hope this helps! Let me know if you have any other questions.
(1) App Service outbound traffic control with Azure Firewall - Azure App .... https://learn.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall.
(2) Inbound/Outbound IP addresses - Azure App Service. https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips.