Restrict Web App Outbound IP Addresses

Question

Hi,

I deployed a Python flask app using Azure Web App. This app will access another system that requires IP whitelisting. Instead of providing all outbound IP addresses of my app, I want to restrict the outbound IP address to only a few.

I have added a Virtual Network with 16 addresses and added NAT gateway. Also, in my Virtual Network Integration, "Outbound internet traffic" is selected. However, when I tried running this app. The IP used was not from either my virtual network nor NAT gateway.

How can I solve my problem? Also, how can I know the current IP that my app is using among all the outbound IP addresses?

Thanks

Answer 1

To restrict the outbound IP address of your Azure Web App, you can use regional VNet integration together with a virtual network NAT gateway to direct traffic through a static public IP address*2. Here are the steps you can follow:

1. Create a Virtual Network (VNet): You can keep the values as default and create a subnet within this VNet.
2. Create a NAT Gateway: Associate this NAT gateway with the subnet of the VNet.
3. Set the Outbound IP in the NAT Gateway: You can set this as one of the outbound IPs of the web app*2.

Ensure that "Route All" is enabled in your regional VNet integration settings. This setting, enabled by default, tells the App Service to route all outbound traffic through the integrated virtual network*1.

To check the current outbound IP address that your app is using among all the outbound IP addresses, you can do the following:

1. Azure Portal: Go to the Properties section of your Azure App Service on the Azure portal. The outbound IP addresses are listed in the "Outbound IP Addresses" field.
2. Azure CLI: Use the following command:

az webapp show --resource-group <group_name> --name <app_name> --query outboundIpAddresses --output tsv

Replace <group_name> with your resource group name and <app_name> with your app name.

Please note that these outbound IP addresses can change under certain conditions, such as when you delete an app and recreate it in a different resource group.

I hope this helps! Let me know if you have any other questions.

(1) App Service outbound traffic control with Azure Firewall - Azure App .... https://learn.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall.

(2) Inbound/Outbound IP addresses - Azure App Service. https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips.

Answer 2

Hi Bryon,

In step 3 "Set the Outbound IP in the NAT Gateway", when I open my NAT gateway, there are two sections: Public IP addresses and Public IP Prefixes. The Public IP addresses is unchangable and it's set with a random(?) IP address when I create a new Public IP addresses. I have set Public IP Prefixes to /31.

How can I enable ""Route All"? My web app has a B3 service plan, and when I click on "Networking" -> "Virtual Network Integration", it only has four sections:

1. Virtual network configuration (including name, subnet name, subnet ip address availability)
2. Application routing (Outbound internet traffic is enabled)
3. Configuration routing (None of the option is enabled)
4. Virtual network routing
   1. Network security group (not configured)
   2. Route table (not configured)
   3. NAT gateway (selected my NAT gateway)

The outbound IP addresses didn't change with all the changes I created.

Answer 3

@Violet Zeng Thanks for reaching here! As suggested by Byron its suggested to Enable regional virtual network integration for your app and to enable route all refer to below document-

Manage Azure App Service virtual network integration routing