When an application is running in Azure App Service (the multi-tenant service), its inbound and outbound IP addresses are dynamic because the application shares network infrastructure with other apps. A changing public IP can cause problems, especially for integrations that require IP whitelisting. Customers who don't make a large number of outbound connections from Azure App Service usually don't run into this problem.
Reason for using static outbound IP Address
Consider a scenario where an application hosted in Azure App Service wants to invoke the public endpoint of a service sitting behind an Application Gateway. The Application Gateway WAF has a custom rule that allows only whitelisted IP addresses through the firewall. Since the outbound IP address of the App Service can change in certain situations, such as a change of pricing tier, whitelisting it in the WAF custom rule is not a good idea.
The solution to this problem can be implemented through these simple steps:
- Enable Regional VNet Integration in your Azure App Service. Regional VNet Integration is available on Standard, Premium, PremiumV2 and PremiumV3 App Service plans.
- Ensure Route All is enabled for your virtual network integration so that Internet-bound traffic is forced to route via the virtual network.
- Provision a new static public IP address.
- Provision a NAT gateway and associate it with the virtual network integration subnet.
- NAT Gateway is a fully managed and highly resilient Network Address Translation (NAT) service. Virtual Network NAT simplifies outbound Internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses the Virtual Network NAT's static public IP addresses.
- Regional virtual network integration supports connecting to a virtual network in the same region and doesn’t require a gateway.
- When Route All is enabled, outbound traffic from your app is still sent from the addresses that are listed in your app properties, unless you provide routes that direct the traffic elsewhere.
Steps for configuring NAT gateway integration
Go to the Networking UI in the App Service portal and select virtual network integration in the Outbound Traffic section. Ensure Route All is enabled for your virtual network integration so the Internet-bound traffic will be affected by routes in your virtual network.
Click VNet Integration, then the Add VNet button, to add an existing virtual network. Select an existing subnet or create a new subnet within the selected virtual network. Click OK.
On the Azure portal menu or from the Home page, select Create a resource. The New window appears.
Search for “NAT gateway” and select it from the list of results.
Fill in the Basics information and pick the region where your app is located.
In the Outbound IP tab, create a new or select an existing public IP.
In the Subnet tab, select the subnet used for virtual network integration.
After the NAT gateway is provisioned, go to the newly created NAT gateway. The Outbound IP blade shows the public IP that the app will use for outbound Internet-facing traffic.
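The portal steps above, expressed as a single Bicep deployment so the configuration is repeatable and reviewable. This is an added example, not code from the original post or from Microsoft; the resource names, the 10.10.0.0/16 address space, the S1 plan and the API versions are assumptions, and any of them can be changed to suit your environment. The output at the end is the address you would add to the WAF custom rule's allow list.

```bicep
// Added example: static outbound IP for an App Service via NAT gateway.
// All names, address ranges and SKUs below are assumptions, not values from the post.

@description('Region for every resource; the plan and the VNet must be in the same region for regional VNet integration.')
param location string = resourceGroup().location

@description('Assumed names; replace with your own.')
param appName string = 'contoso-outbound-app'
param vnetName string = 'contoso-vnet'
param subnetName string = 'snet-appsvc-integration'

// 1. Static public IP that the NAT gateway presents to the Internet.
//    Standard SKU is required for use with a NAT gateway.
resource natPip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-natgw'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

// 2. NAT gateway bound to that address.
resource natGw 'Microsoft.Network/natGateways@2023-04-01' = {
  name: 'natgw-appsvc'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIpAddresses: [ { id: natPip.id } ]
    idleTimeoutInMinutes: 4
  }
}

// 3. Virtual network with one subnet delegated to App Service and attached to the NAT gateway.
//    Every outbound connection from this subnet is SNATed to the static IP above.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.10.1.0/24'
          natGateway: { id: natGw.id }
          delegations: [
            {
              name: 'appServiceDelegation'
              properties: { serviceName: 'Microsoft.Web/serverFarms' }
            }
          ]
        }
      }
    ]
  }
}

// 4. App Service plan on a tier that supports regional VNet integration (Standard or above).
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'plan-${appName}'
  location: location
  sku: { name: 'S1', tier: 'Standard' }
}

// 5. Web app with regional VNet integration and Route All enabled, so Internet-bound
//    traffic leaves through the integration subnet and therefore through the NAT gateway.
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: plan.id
    virtualNetworkSubnetId: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, subnetName)
    httpsOnly: true
    siteConfig: {
      vnetRouteAllEnabled: true
    }
  }
}

// The single address to whitelist in the Application Gateway WAF custom rule.
output outboundIp string = natPip.properties.ipAddress
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep` and read the `outboundIp` output. A useful check afterwards is to have the app call an endpoint you control and confirm in its access log that the source address is the NAT gateway IP and not one of the addresses listed under the app's "Outbound IP addresses" property; if it is not, Route All is usually the setting that was missed.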
Scaling NAT Gateway
The same NAT gateway can be used across multiple subnets in the same virtual network, allowing a NAT gateway to be shared across multiple apps and App Service plans.
NAT gateway supports both public IP addresses and public IP prefixes. A NAT gateway can support up to 16 IP addresses across individual IP addresses and prefixes. Each IP address allocates 64,000 ports (SNAT ports), allowing up to 1M available ports.