@MarkW We apologize for the frustration you encountered with your inbound IP address changing for your web app.
There have not been any official inbound IP address changes made to our knowledge and our internal alert system. Inbound IP change events are very rare (can only recall 1 in the last seven years) and are communicated many months in advance to customers via portal alerts, emails, and official Microsoft documentation.
When customers state their inbound IP address has changed, this is normally due to them rotating their IP based SSL certificate improperly. If you delete your old IP SSL binding and then upload your new certificate/bind the new IP SSL certificate, this is improper. When you delete the IP SSL binding, it releases the IP address back into the pool of available addresses for other customers. Your resource can continue using the old IP address so you might not notice the mistake for 1-3 weeks until the IP address is assigned to another Azure service.
The proper way to rotate certificates is to simply bind the new certificate with the old binding still in place. The Web App will automatically then apply the newer binding. Once this is complete, verify that your site is serving the newer thumbprint before deleting your old certificate.
- Upload the new certificate.
- Bind the new certificate to the same custom domain without deleting the existing (expiring) certificate. This action replaces the binding instead of removing the existing certificate binding. To do this, navigate to the TLS/SSL settings blade of your App Service and select the Add Binding button.
- Delete the existing certificate.
This limitation is called out here.
Lastly, we recommend that customers use a CNAME binding as a best practice over using an A-record. Unless you need to hard code IP addresses into your app, most customers do not need an A-record. A-records risk your sites high availability by taking them offline if a certificate/binding is rotated improperly or if there were to be an inbound IP address change in the future (rare) it would require action on your end. For more information on configuring your app via CNAME, please see here.
Please let us know if you have any further questions or concerns.