none
Will a Web App's outbound IP Addresses remain the same? RRS feed

  • Question

  • I am wondering whether a Web App's outbound IP addresses will remain the same, with none removed and no extra ones added? Or, if they are changed, whether we will be made aware of this well in advance, including knowing the exact new IP addresses in advance?

    I'd like to be able use these IP addresses to whitelist access to other services. However, if MS suddenly decides to add a new outbound IP Address to a web app, then the web app would fail to connect to the service. 

    Sunday, September 27, 2015 3:27 PM

All replies

  • Hi,

    The list of outbound IP addresses is not completely static but normally it does not change. The only cases when it may change are when:

    1. It becomes necessary for Azure infrastructure to increase the number of outbound IP addresses. In that case the existing IP addresses will be preserved but there will be some new ones. So far there hasn't been a need to increase number of IP addresses and if there ever be the need for that there will be an early notice about it.

    2. The Web App gets relocated to a different scale unit. Prior to that the subscription owner gets an email notification one month in advance.

    Regards,
    Azam Khan

    Sunday, September 27, 2015 5:50 PM
  • Is there a place where Microsoft has officially stated that people will be notified of changes to IP addresses? And how they will be notified?

    I ask because I have seen your exact answer in another forum post and I need to make sure that I am getting this from an original reliable source, and not something that has been copy-pasted from a source that might not be reliable. Sorry, but this is so important!

    Also, you state that this has not yet been an issue, but it was, in fact, an issue just last year when MS suddenly changed a lot of IP Addresses, causing production systems to go down. So, again, I need to verify that this information is correct and up-to-date.

    As of Oct 2014, MS did not have a solution:

    http://feedback.azure.com/forums/169385-web-apps-formerly-websites/suggestions/6428310-static-ip-addresses-inbound-and-outbound-for-a

        User: "Outbound IP communication from Azure Websites is difficult to secure as it can change addresses without notice."
        MS: "Anyways, we’re looking into this at the moment to see what solutions  we currently have..."
        
    If your answer is correct, then something must have changed since then?



    Sunday, September 27, 2015 8:24 PM

  •     My colleague and I were looking into this and he spotted that the outbound IP addresses were the same for all web apps in a service plan and then found the blog about IP addresss that had done some investigation about it being linked to the service plan.

       We looked into it a bit aswell and found that the IP address is the same across all web apps for any service plan in the same resource group.

    get-AzureRmAppServicePlan | % {$sku = $_.Sku.Name; $name = $_.Name; get-AzureRmWebApp -AppServicePlan $_} | % {$_ | select @{Name="ServicePlan"; Expression={$name}}, @{Name="Sku"; Expression={$sku}}, SiteN
    ame, OutboundIpAddresses} | ogv

       Is there any clearer explanation for how the MS assign the outbound addresses and if they can change?

    E.g. is it correct that it is per resource group?

    If so, does that meant that any new service plan in a resource group or change to the size of a service plan, in a resouce group with more than 1 service plan, preserve the outbound IP addresses. And, so, would the only way an outbound IP address change be that if it was the only service plan in the resource group?


    Thursday, July 20, 2017 11:50 AM
  • @Dead Cat Edz

    Azure App Service does not support fixed outbound IP due to its architecture considerations, instead, you have a range of IPs that could be used. The outbound address could be any address within a certain range.  However, this range is not static.

    You may refer the article How do I determine the outbound IP addresses of my Azure App Service along with FAQ’s for more details.

    -----------------------------------------------------------------------------------------------
    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.


    Wednesday, July 26, 2017 4:21 PM
    Moderator
  • Doesn't really explain our observation that all web apps in a resource group have the same outbound ip address list, irrespective of service plan or the service plan's size, and any web app in a different resource group has a different outbound ip address set and for service plans created at different times and have been re-sized here and there.

    Though a colleague did point out that an App in different region (under the same resource group) has to have different outbound IP addresses... so revise the observation to being under the same web-space, which can be seen in the resource explorer and is a composite of the resource group and location.

    The article, is not really an answer, and gives 2 choices; white labeling a web app or a whole region.

    Whilst white labeling a region is better than leaving things open, it does still leave it open to anyone using that Azure's region, which seems to me a big loop hole.

    White labeling a web-app by the list of outbound address is the route we have chosen, and then we found that we could apparently do that at the resource group (--> web-space) level (lot less entries!).

    As the article states the web app outbound IP addresses should not be taken in stone; which is fair enough, but with the behavior, for similarities of outbound IP addresses of different webapps, that we are seeing how strongly can we follow creating NSG IP white listing rules that only need accord with web-space rather than for every web-app?

    Thursday, July 27, 2017 5:24 PM
  • The outbound IP addresses are per stamp/scale unit that the apps are on. It is not specific to a certain webspace or resource group.

    You can find the stamp/scale unit in the Properties blade under the FTP Hostname endpoint. It should list out something like "waws-prod-<region>-<stamp #>". All of the apps in the same stamp/scale unit number in that region will have the same outbound IP addresses, as they are per stamp/scale unit.

    If you want more context of the platform, check out this post: https://msdn.microsoft.com/en-us/magazine/mt793270.aspx.

    Wednesday, August 2, 2017 3:55 PM