I have multiple Azure Functions that are invoking external APIs and I want all the requests to come from a single IP or a set of IPs so that the external APIs can whitelist my Azure Functions.
Question: Find a way to have a small set of outbound static IPs for Azure Functions in a multi-AZ deployment, preferably using serverless or managed services.
Attempt 1: Deployment diagram:
Problem with this: NAT Gateway is only in one AZ (even if we choose no zone).
Attempt 2: According to the best practices for NAT Gateway, you can have one NAT gateway per AZ if all the resources inside of that subnet are in a single AZ (link).

Problem: I don't know if it's possible to restrict an Azure Function to a specific AZ.
Attempt 3: Azure Firewall is one alternative that I explored, but it is too expensive for our needs (900$ per month per instance without any traffic, if I understood correctly 1800$ for 2 AZs), while NAT Gateway cost is around 35$ per instance without any traffic.
Any suggestions? Or things that I did not understand correctly?
Azure Consumption Plans do not offer any "advanced" networking features. You need to look at the Premium plans.
Azure Functions Premium will offer a multi-AZ feature, but it will then have one "active" instance per AZ.
You can then also integrate it into a VNet and then control the traffic flow.
Another option would be to use the egress IPs of the App Service Plan (requires Premium or an App Service Plan S1 or higher).

But Premium Functions also come at a price - but Consumption functions do not offer any networking features. https://azure.microsoft.com/en-us/pricing/details/functions/
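
As an added example (not part of the original answer): for the App Service Plan egress-IP option, the script below checks a partner's allowlist against the addresses an app reports in the `outboundIpAddresses` and `possibleOutboundIpAddresses` properties returned by `az functionapp show`. The JSON, the app name and the allowlist are constructed sample data using documentation-range IPs.

```python
import ipaddress
import json

# Constructed sample of `az functionapp show` output (documentation-range IPs).
SAMPLE_SITE_JSON = json.dumps({
    "name": "example-func",  # hypothetical app name
    "outboundIpAddresses": "203.0.113.10,203.0.113.11",
    "possibleOutboundIpAddresses": "203.0.113.10,203.0.113.11,198.51.100.7,198.51.100.8",
})

# Constructed allowlist as the external API owner might hold it (IPs or CIDRs).
SAMPLE_ALLOWLIST = ["203.0.113.0/28", "198.51.100.7", "192.0.2.44"]


def parse_ips(csv_value):
    """Split a comma-separated address string and validate every entry."""
    return {ipaddress.ip_address(p.strip()) for p in (csv_value or "").split(",") if p.strip()}


def audit_allowlist(site_json, allowlist):
    """Compare an app's reported egress IPs with a partner allowlist."""
    site = json.loads(site_json)
    current = parse_ips(site.get("outboundIpAddresses"))
    possible = parse_ips(site.get("possibleOutboundIpAddresses")) | current
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]

    def covered(ip):
        return any(ip in net for net in networks)

    return {
        # Requests from these addresses would be rejected today.
        "missing_current": sorted(str(ip) for ip in current if not covered(ip)),
        # These start failing only when the app moves to another address.
        "missing_possible": sorted(str(ip) for ip in possible - current if not covered(ip)),
        # Entries matching no address the app can use: candidates for removal.
        "stale_entries": sorted(str(n) for n in networks if not any(ip in n for ip in possible)),
    }


if __name__ == "__main__":
    print(json.dumps(audit_allowlist(SAMPLE_SITE_JSON, SAMPLE_ALLOWLIST), indent=2))
```

Feed it the real output of `az functionapp show --resource-group <group> --name <app>` in place of the sample JSON to run the same check against a deployed app.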