Outbound IP addresses for Azure Function App

Francisco Dominguez 386 Reputation points
2022-05-11T06:36:34.503+00:00

Hi,

I'm using a certain API that needs IP whitelisting to be able to use it. I've built a couple of Azure Functions inside my Azure Function App and both of them make requests to that API. I have whitelisted the outbound IP addresses of the Azure Function App.

Today, when the trigger of the Azure Functions ran, they were using a different IP out of the list of the outbound IP addresses, and therefore, it was not whitelisted in the API:

200809-screenshot-from-2022-05-11-08-33-29.png

My list of outbound IP addresses does not include an IP similar to that one sending the request to the API.

Could you please guide me on what's going on here?

Regards,
Francisco.

Azure Functions
An Azure service that provides an event-driven serverless compute platform.

Accepted answer
  1. MughundhanRaveendran-MSFT 12,436 Reputation points
    2022-05-11T07:38:03.747+00:00

    @Francisco Dominguez ,

    Thanks for reaching out to Q&A forum.

    Please note that the IP addresses of the function app shown in the portal (networking section) are actually the data center outbound IP addresses. So you might want to add the function app's data center (Azure region) to an allowlist. You can download a JSON file that lists IP addresses for all Azure data centers.

    Reference: https://learn.microsoft.com/en-us/azure/azure-functions/ip-addresses?msclkid=ada8be7ed0fb11ecb04d1cc6c5e3a0cd&tabs=portal#data-center-outbound-ip-addresses

    The outbound IP addresses can change at any time if you are on a Consumption or Premium plan due to the autoscale behavior. For a Dedicated plan, the outbound IP address can change if you take any action that can change the inbound IP address or change your Dedicated (App Service) plan pricing tier.

    You can control the IP address of outbound traffic from your functions by using a virtual network NAT gateway to direct traffic through a static public IP address. You can use this topology when running in a Premium plan or in a Dedicated (App Service) plan. Another option is to deploy the function in an App Service Environment.

    Reference: https://learn.microsoft.com/en-us/azure/azure-functions/ip-addresses?msclkid=ada8be7ed0fb11ecb04d1cc6c5e3a0cd&tabs=portal#outbound-ip-address-changes

    2 people found this answer helpful.

4 additional answers

  1. Christophe 1 Reputation point
    2022-11-22T21:29:21.603+00:00

    Hi

    @Francisco Dominguez , I can see you did not have a proper answer to your question.

    I have exactly the same problem. After hours of debugging, because I thought it was highly improbable that Microsoft is giving us a wrong list of IP addresses, I found out the IP address for my function, 20.23.189.180, is not in the list of what is in the Networking section of the function app (or returned through Azure CLI https://learn.microsoft.com/en-us/azure/azure-functions/ip-addresses?msclkid=ada8be7ed0fb11ecb04d1cc6c5e3a0cd&tabs=azurecli#find-outbound-ip-addresses):

    51.124.49.60,51.124.49.105,51.124.49.198,51.124.51.136,51.124.52.134,51.124.52.172,51.124.52.248,51.124.54.120,51.124.54.195,51.124.55.21,51.124.55.117,51.124.55.209,20.50.231.46,20.54.184.164,20.54.184.181,20.54.185.23,20.54.185.49,20.54.185.144,20.93.245.248,20.93.246.58,20.93.246.81,20.93.246.195,20.93.242.96,20.93.246.235,20.50.2.8

    @MughundhanRaveendran-MSFT can we please have a convincing explanation of what is happening here and how to fix it, because the IP is changing in a range we do not know about: now it is 20.8.56.92


  2. Christophe 1 Reputation point
    2022-11-22T21:52:21.53+00:00

    OK, I just found that the ranges containing 20.23.189.180 and the one of 10.8.56.92 are in a "Service Tag" called "AzureCloud.westeurope".
    I could add the Service Tag to my Network Security Group instead of a list of IP addresses.

    Still, I don't understand what the list in the Networking section of the function app is, or what is returned when calling:
    az functionapp show --resource-group <GROUP_NAME> --name <APP_NAME> --query outboundIpAddresses --output tsv
    az functionapp show --resource-group <GROUP_NAME> --name <APP_NAME> --query possibleOutboundIpAddresses --output tsv

    It currently seems to me the documentation is wrong when it says: "s. Any outbound connection from a function, such as to a back-end database, uses one of the available outbound IP addresses as the origin IP address"
    in https://learn.microsoft.com/en-us/azure/azure-functions/ip-addresses?msclkid=ada8be7ed0fb11ecb04d1cc6c5e3a0cd&tabs=azurecli#find-outbound-ip-addresses


  3. Christophe 1 Reputation point
    2022-11-22T22:07:00.043+00:00

    @Francisco Dominguez The range 20.236.192.0/18 containing 20.236.200.108 is in AzureCloud.centralus.
    You should be able to use the ranges of this Service Tag or add the service tag name in a Network Security Group like I did.

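The lookup described in the answers above, as an added example that is not part of any post in this thread: given a source IP observed at the API, check whether it is in the function app's reported outbound list and, if not, which region service tag contains it. The embedded `SERVICE_TAGS` document is a constructed sample in the layout of the downloadable Service Tags JSON; only `20.236.192.0/18` is taken from the thread, the other prefixes are placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the layout of the downloadable Service Tags JSON
# ("values" -> "name" / "properties.addressPrefixes"). Only 20.236.192.0/18
# comes from the thread; the other prefixes are placeholders, not published data.
SERVICE_TAGS = {
    "values": [
        {"name": "AzureCloud.centralus",
         "properties": {"region": "centralus",
                        "addressPrefixes": ["20.236.192.0/18", "2001:db8:100::/48"]}},
        {"name": "AzureCloud.westeurope",
         "properties": {"region": "westeurope",
                        "addressPrefixes": ["20.23.0.0/16", "20.8.0.0/16"]}},
    ]
}

# A few of the reported outbound addresses quoted in the thread.
REPORTED_OUTBOUND = "51.124.49.60,51.124.49.105,20.50.231.46,20.93.246.235,20.50.2.8"


def tags_containing(ip, doc):
    """Return (tag name, prefix) pairs whose prefix contains ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for tag in doc["values"]:
        for prefix in tag["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=False)
            # Skip IPv6 prefixes when checking an IPv4 address and vice versa.
            if net.version == addr.version and addr in net:
                hits.append((tag["name"], prefix))
    return hits


def classify(observed_ip, reported_csv, doc):
    """Say whether an observed source IP is reported, region-wide, or unknown."""
    reported = {ipaddress.ip_address(p.strip())
                for p in reported_csv.split(",") if p.strip()}
    if ipaddress.ip_address(observed_ip) in reported:
        return "reported-outbound", []
    hits = tags_containing(observed_ip, doc)
    return ("region-service-tag" if hits else "unknown"), hits


if __name__ == "__main__":
    for ip in ("20.236.200.108", "20.23.189.180", "51.124.49.60", "203.0.113.7"):
        print(ip, *classify(ip, REPORTED_OUTBOUND, SERVICE_TAGS))
```

A result of `region-service-tag` means the address is only covered by a region-wide allowlist, which also admits every other Azure resource in that region; the NAT gateway option in the accepted answer narrows this to a single static address.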

  4. Christophe 1 Reputation point
    2022-11-22T22:14:32.453+00:00

    Reading this paragraph:
    "When a function app that runs on the Consumption plan or the Premium plan is scaled, a new range of outbound IP addresses may be assigned. When running on either of these plans, you can't rely on the reported outbound IP addresses to create a definitive allowlist. To be able to include all potential outbound addresses used during dynamic scaling, you'll need to add the entire data center to your allowlist."
    I understand that the outbound address list is not reliable. "definitive" could be removed, as every time I run my function individually (no scale-up involved) the IP is outside of the list.
    This list is highly misleading in the Consumption plan and Premium plan cases. There should be a warning on the Networking tab of the function app under the list.
