Azure Website Reserved IP
R

4

10

I've been trying to find an answer to this for a few days.

I want to host a new Azure website in either the Basic tier or Standard tier.

The site will be calling a third party service.

I need to give this service provider an IP address that they will whitelist. So when the new Azure website makes requests to this service, the IP address for the request needs to always be the same, as this will be the IP whitelisted.

I read that Azure offers "Reserved IPs" for cloud services and VMs but I wanted to know if something similar can be done with Azure Websites as I really don't want to go with cloud/VM.

My knowledge of networking is limited but as I understand it, if I were to get an IP SSL cert and apply that to my Azure Website then the website would have a static IP address.

If that is the case, would any requests to the third party service be hitting the service provider's external firewall with this same static IP?

Thanks for any advice people can give.

Reactive answered 23/6, 2014 at 20:7 Comment(0)
E
8

An SSL cert with Web Sites will be tied to an inbound IP address. However, Web Sites does not provide a static outbound IP address.

If you need a static IP address to align with 3rd-party services, you'd need to have something residing in Azure (e.g. Application tier) running in a cloud service / VM that your web site accesses, and then have that app tier (with static IP address) communicate with your 3rd-party services.

Exudation answered 24/6, 2014 at 4:29 Comment(4)
Perfect. Just the clarification I was looking for. Thanks. – Reactive
@David - I noticed that when you go to the panel to add a custom host name to an Azure website that an IP address appears, and this address did not change when I assigned an SSL cert. The address that appeared prior to assigning the cert was not static? – Anethole
@Reactive May I know which option you went with to get a static outbound IP from Azure App Service Plan? – Satterfield
@KiraHao - I ended up going with an Azure Cloud Service with a reserved IP. This was some time back, so it may be that there are more recent alternative options in Azure that have become available since then. – Reactive
O
7

As David Makogon's answer points out, applying an IP-based SSL certificate only gives the website a static inbound IP address.

However, the outbound IP address a website uses when making outbound network calls can be determined based on where your website is hosted. Microsoft has a list of these IP addresses here. The third-party service would have to whitelist all of the IP addresses used by the scale unit your website is hosted in (e.g. waws-prod-am2-005).

Orjonikidze answered 16/12, 2014 at 18:16 Comment(0)
T
6

Correct me if I am wrong, but the information shared by Brant Bobby above shows that, in fact:

All Azure websites (/Web Apps) already have a discoverable and published outgoing IP address.

This outgoing IP address will never be unique to their own site however. So one must keep in mind if they use it for a white-list, it will be allowing in a lot of other Azure visitors hosted on the same scale unit.

Simply get the so-called "scale unit" name for your site, which is the same as what's given in your site's FTP address (and so forth), which is in the format: "waws-prod-[3LetterVar]-[3DigitNum]", e.g. waws-prod-blu-007.

As an example from that article, all the East US region Azure websites can find the four IP addresses their site may rely on as follows (so if white-listing, all 4 should be white-listed):

East US Region

Outbound IP addresses for each scale unit, currently 4 for each. They said they may add more IPs to each scale unit in the future, but these should not change.

waws-prod-blu-001: 168.62.48.13, 168.62.48.19, 168.62.48.33, 168.62.48.122

waws-prod-blu-003: 137.117.81.128, 137.117.81.142, 137.117.81.181, 137.117.81.82

waws-prod-blu-005: 137.117.80.189, 137.117.81.52, 137.117.81.90, 137.117.80.178

waws-prod-blu-007: 23.96.33.205, 23.96.34.196, 23.96.35.20, 23.96.36.229

waws-prod-blu-009: 23.96.97.203, 23.96.97.233, 23.96.97.235, 23.96.97.238

waws-prod-blu-011: 23.96.112.60, 23.96.112.117, 23.96.112.152, 23.96.112.15

waws-prod-blu-013: 191.238.8.154, 191.238.9.80, 191.238.9.94, 191.238.9.170

waws-prod-blu-015: 191.236.19.222, 191.236.19.242, 191.236.21.165, 191.236.18.160

waws-prod-blu-017: 191.238.32.104, 191.238.32.154, 191.238.34.67, 191.238.35.12

waws-prod-blu-019: 104.45.138.197, 104.45.142.87, 104.45.128.144, 104.45.142.131

waws-prod-blu-021: 191.237.24.189, 191.237.30.36, 191.237.26.164, 191.237.28.161

waws-prod-blu-023: 191.236.50.206, 191.237.30.215, 191.237.25.148, 191.237.22.195

waws-prod-blu-025: 191.237.31.86, 191.237.26.176, 191.237.20.70, 191.237.18.239

Tameratamerlane answered 6/5, 2015 at 21:42 Comment(1)
You can also now see the four outgoing IP addresses in the website itself, in the new portal under properties for the website. – Baobaobab
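Added example, not part of any answer on this page: a Python sketch of the lookup described in the answer above, which derives the scale unit from the site's FTP host name, builds the allowlist to hand to the provider, and flags observed egress addresses that fall outside it. The function names, the FTP host name and the observed addresses are constructed for illustration; the two published rows are copied from the list quoted above.

```python
import ipaddress
import re

# Two rows copied from the East US list quoted in the answer above.
PUBLISHED = """\
waws-prod-blu-007: 23.96.33.205, 23.96.34.196, 23.96.35.20, 23.96.36.229
waws-prod-blu-009: 23.96.97.203, 23.96.97.233, 23.96.97.235, 23.96.97.238
"""

# "waws-prod-[3 chars]-[3 digits]", e.g. waws-prod-blu-007 or waws-prod-am2-005.
SCALE_UNIT_RE = re.compile(r"\bwaws-prod-[a-z0-9]{3}-\d{3}\b")


def scale_unit_from_host(host):
    """Extract the scale unit name from a site's FTP host name."""
    match = SCALE_UNIT_RE.search(host.lower())
    if match is None:
        raise ValueError(f"no scale unit name in {host!r}")
    return match.group(0)


def parse_published(text):
    """Parse 'unit: ip, ip, ...' lines into {unit: set of IP objects}."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        unit, _, ips = line.partition(":")
        # ip_address() raises ValueError on a malformed entry.
        table[unit.strip()] = {ipaddress.ip_address(ip.strip()) for ip in ips.split(",")}
    return table


def audit_egress(host, observed, published=PUBLISHED):
    """Compare observed egress IPs with the published set for the site's scale unit."""
    unit = scale_unit_from_host(host)
    expected = parse_published(published).get(unit)
    if expected is None:
        raise KeyError(f"{unit} is not in the published list")
    seen = {ipaddress.ip_address(ip) for ip in observed}
    return {
        "scale_unit": unit,
        # Every address here must be allowlisted, not just one of them.
        "allowlist": [str(ip) for ip in sorted(expected)],
        # Egress addresses the provider's firewall would reject.
        "unexpected": [str(ip) for ip in sorted(seen - expected)],
    }


if __name__ == "__main__":
    # Constructed host name and observations (203.0.113.10 is a documentation address).
    print(audit_egress("ftp://waws-prod-blu-007.ftp.azurewebsites.windows.net",
                       ["23.96.34.196", "203.0.113.10"]))
```

A non-empty `unexpected` list means the published set for the scale unit has grown or the site has moved, so the provider's allowlist needs updating.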
F
1

Azure now supports having a static outbound IP address as well.

https://azure.microsoft.com/en-us/documentation/articles/app-service-app-service-environment-intro/

If we do not want to go for the costlier App Service Environment setup, we can directly use the outbound IP addresses mentioned in the Azure portal in the properties section; Azure assures that they remain 99.9% static. Nothing really changes until there are some changes data center wide. Moreover, the reserved IP that we use in IaaS is also not 100% reserved for us, and Azure provides an SLA of 99.9% here as well. So, in my opinion, instead of going for ASE and hosting IaaS and using a reserved IP, we can just use the outbound IP provided by Azure, since we get the same reliability in both cases.

Frye answered 24/5, 2016 at 8:42 Comment(1)
As Nicolas has pointed out, these default outbound IP addresses are shared by other services as well, that potentially belong to other users in Azure, and this will be a security concern. – Tautonym
