How do I enforce a specific outbound IP address in an App Service written in C#

Erik Stell 0 Reputation points
2024-04-02T19:50:34.1166667+00:00

I have an App Service written in .NET C# that connects via FTP to a third-party, which requires whitelisting of IP addresses as part of its access control and authentication. Currently connection attempts are timing out, presumably because the third-party hasn't whitelisted the correct IP address. (note, this app was migrated from a different host provider where it was working without issue for quite some time; it stopped working after the app was migrated to Azure).

We originally had the 3rd party whitelist the Virtual IP address of the App Service, but that did not solve the problem. After more research I noticed in the App Service properties section where there is a pool of potential outbound IP addresses, which leads me to believe that the FTP connection attempts are rotating thru them, but failing because the 3rd party has not whitelisted them. That 3rd party is reluctant to add so many addresses to its whitelist, and I have also read that the outbound pool might eventually change.

Is there a way to configure an App Service to use a static outbound IP address?

.NET
.NET
Microsoft Technologies based on the .NET software framework.
3,391 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,900 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Achraf Ben Alaya 976 Reputation points MVP
    2024-04-02T19:56:37.6666667+00:00

    hi ,

    You can control the IP address of outbound traffic from your app by using regional VNet integration together with a virtual network NAT gateway to direct traffic through a static public IP address. Regional VNet integration is available on Basic, Standard, Premium, PremiumV2 and PremiumV3 App Service plans. To learn more about this setup, see NAT gateway integration.

    ref :

    https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips?wt.mc_id=MVP_328341

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

    0 comments
  2. brtrach-MSFT 15,256 Reputation points Microsoft Employee
    2024-04-07T18:27:23.3766667+00:00

    @Erik Stell Please let us know if the below answer from Achraf was helpful by accepting it as the answer. If you have further questions or concerns, reply to this message and we will assist you further.

    To add a high-level overview of the steps provided:

    1. Create a virtual network and subnet in the same region as your App Service.
    2. Create a public IP address resource in the same region as your virtual network.
    3. Create a NAT gateway resource in the same region as your virtual network, using the public IP address you created in step 2.
    4. Configure regional VNet integration for your App Service to use the virtual network and subnet you created in step 1.
    5. Configure your App Service to use the NAT gateway you created in step 3 as the default gateway for outbound traffic.

    Once you have completed these steps, your App Service will use the static public IP address associated with the NAT gateway for all outbound traffic. This will allow you to whitelist a single IP address with your third-party FTP provider.

    0 comments