How often can MS Azure App Services Outbound IP addresses change?

I'm using Azure App Services that calls an external API that uses white-listing of IP addresses for defense-in-depth protection.

I'm aware I can find the Outbound IP addresses of my App Services under the WebApp -> Settings -> Properties -> Outbound IP addresses (showing a list of 4 comma-separated IP addresses), which can be supplied to the external API whitelist. I understand Microsoft publishes a regularly updated list of Azure datacenters' IP addresses for outbound traffic that I can whitelist: https://www.microsoft.com/en-us/download/details.aspx?id=41653

The issue is the external API can only handle a limited number of IP addresses and not the full list of Azure datacenter IPs. Would it be safe to just provide the 4 comma-separated IP addresses? Is there clear Microsoft documentation on how often or when the IP address can dynamically change?

I have tried to look for the answer and found two external sites that suggested it only changes when moving Azure regions [Ref 2] or if you scale up/down (but scale out/in is apparently fine) [Ref 1]. Is this correct information?

Is the Azure App Services Environment the only other viable alternative in my situation?

asked Aug 02 '16 00:08 by Peter Clarke



1 Answer

Late to the party on this one but just to flesh this out:

Unless you use an Application Service Environment (ASE) you cannot guarantee that the inbound or outbound IPs will change; however, there are some differences between inbound and outbound IP addresses.

When does an Inbound IP change?

Inbound IP will change when:

  • Delete an app and recreate it in a different resource group.
  • Delete the last app in a resource group and region combination and recreate it.
  • Delete an existing SSL binding, such as during certificate renewal

However, this can be countered by getting a static IP for inbound connections: configure an IP-based SSL binding - you can even use a self-signed cert if you're not using any SSL functionality.

Outbound IP addresses

This is where you sit, and it's the space that is a little more volatile. This is from the docs directly:

The set of outbound IP addresses for your app changes when you scale your app between the lower tiers (Basic, Standard, and Premium) and the Premium V2 tier.

So in a nutshell if you will never scale up or down then you should be fine.

Edit: Re-reading the above and with a little test it looks like it's saying that the IPs will not change unless you ramp right up to the Premium V2 tier from a lower tier (or vice versa). A cursory test backs this up so:

Running under F1 free tier and scaling up to P1v2 gave me the following IP addresses:

Scaling from F1 to P1v2

Scaling back down to any of the lower tiers reverted the IP addresses to the same as the F1 tier.

Possible remediation

A very solution-specific example, but in case it helps - where I've solved this before is by monitoring the outbound IP addresses for the webapp; if it notices a change then it could send those IP addresses to a whitelist for update via an API call - but this could also just cause a high-priority ticket to be raised.

I should note that we could do this because it wouldn't be the end of the world for a little bit of outage and we weren't expecting to scale up and down very often.

Otherwise, as you've noted, an Application Service Environment is your only belt and braces option.

References

When do inbound IPs change?

When do outbound IPs change?

Get a static inbound IP addresses

answered Sep 21 '22 02:09 by Steve Newstead
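The monitoring remediation described in the answer, as an added example that is not code from the answer or from Microsoft: a check that compares the app's current comma-separated outbound IP list with the set last pushed to the partner's allowlist and reports the drift. It assumes a scheduled job obtains the current list, e.g. with `az webapp show -g <rg> -n <app> --query outboundIpAddresses -o tsv`; the sample addresses are constructed documentation ranges.

```python
"""Detect drift between an App Service's outbound IPs and an external allowlist.

Assumed workflow (not from the original answer): a scheduled job fetches the
current outbound set, e.g. `az webapp show ... --query outboundIpAddresses -o tsv`,
and passes it to check_outbound_ips() with the list last sent to the partner API.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IpDrift:
    added: frozenset    # IPs the app may now use but the allowlist lacks: outage risk
    removed: frozenset  # IPs still allowlisted that the app no longer uses: stale entries

    @property
    def changed(self) -> bool:
        return bool(self.added or self.removed)


def parse_ip_list(text: str) -> frozenset:
    """Parse the comma-separated list shown under Properties -> Outbound IP addresses.

    Every entry is validated as an IPv4/IPv6 address so a garbled CLI result
    (empty output, an error message) fails loudly instead of being treated as
    'no outbound IPs' and silently emptying the partner's allowlist.
    """
    parts = [p.strip() for p in text.split(",") if p.strip()]
    if not parts:
        raise ValueError("outbound IP list is empty")
    return frozenset(str(ipaddress.ip_address(p)) for p in parts)


def check_outbound_ips(current_csv: str, allowlisted_csv: str) -> IpDrift:
    """Return which IPs must be added to / removed from the external allowlist."""
    current = parse_ip_list(current_csv)
    allowed = parse_ip_list(allowlisted_csv)
    return IpDrift(added=current - allowed, removed=allowed - current)


def main() -> None:
    # Constructed sample values (RFC 5737 documentation ranges), not real Azure IPs.
    allowlisted = "203.0.113.10,203.0.113.11,203.0.113.12,203.0.113.13"
    after_scale = "203.0.113.10,203.0.113.11,198.51.100.20,198.51.100.21"
    drift = check_outbound_ips(after_scale, allowlisted)
    if drift.changed:
        # This is where the answer's remediation would call the partner's
        # allowlist API or raise a high-priority ticket; here we only report.
        print("add:", sorted(drift.added), "remove:", sorted(drift.removed))


if __name__ == "__main__":
    main()
```

Because any of the outbound addresses may be used for a given connection, the allowlist should always carry the whole current set, so `added` being non-empty is the condition that needs urgent action.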