Azure WebApp Static Outbound IP

4

8

I am trying to solve a problem. I have to access APIs that are hosted on my on-premises server (on-prem) from an Azure-hosted Web API.

The problem is that my on-prem server only allows whitelisted IPs. I know we can get the outbound IPs from our Web App (Azure hosted). But I am not sure whether they are static or will change based on scaling.

Another solution is to create a VNET and add that Web App to that VNET. But I would like someone to suggest better solutions.

Benignity answered 4/9, 2019 at 12:25 Comment(3)
Note that VNET placement is a part of ASE (App Service Environment) and not for ASP (App Service Plan). What is your architecture? – Selfsupport
@RaunakJhawar Yes, I agree. The architecture is very simple: I have an on-premises server which contains some APIs, and I have a Web App (.NET Core, Web API) from which I want to access the on-premises APIs. And I need to whitelist my IP address (Azure-hosted Web App) on my on-premises server. – Benignity
This would require you to whitelist all the available (additional outbound) IP addresses associated with the app and add an exception in your on-premise firewalls to allow port packets 80/443. – Selfsupport
9

There are a couple of choices you have.

First, you can have a look at the possibleOutboundIpAddresses of your App Service and whitelist these IPs. This, however, also opens up the door for IPs not really in use by your App Service.

az webapp show --resource-group <group_name> --name <app_name> --query possibleOutboundIpAddresses --output tsv

Secondly, you can put a NAT Gateway in front of your App Service. This, however, requires an App Service Plan that supports virtual network integration.

  1. Configure regional virtual network integration from within your app service.
  2. Force all outbound traffic originating from that app to travel through the virtual network. This is done by setting the WEBSITE_VNET_ROUTE_ALL=1 property in your web app configuration.
  3. Create a public IP address.
  4. Add a NAT gateway, attach it to the subnet that contains the app service and make use of the public IP created in step 3.

If you would also like to use a static inbound IP you can find more information here

Fixing answered 8/12, 2020 at 21:21 Comment(1)
There is a reference on "Control Azure Functions outbound IP with an Azure virtual network NAT gateway": learn.microsoft.com/en-us/azure/azure-functions/… – Hyla
1

The outbound IPs for Azure App service are generally static and will not change on scaling. There are normally 4 outbound IPs and they only change if you change the SKU or there is a need at MS end to increase the capacity of their data center (rare or may never happen in near future).

I would recommend creating a VNET as that is more secure than whitelisting IPs at your on-prem service. But if you want to whitelist the outbound IPs, I would recommend creating a wrapper for your on-prem APIs in Azure and whitelisting IPs for these in your on-prem firewall. This will ensure that you don't have to whitelist every time you want to create an API in Azure that needs to access on-prem APIs.

Hegemony answered 4/9, 2019 at 14:4 Comment(0)
0

Unfortunately, there is no straightforward way to do this in Azure for App Services; I also had this issue recently. The only solution (for now anyway) is to add the list of outbound IPs of the App Service to your allow rules.

Just be careful with scaling between the tiers because it will change the outbound IP addresses. (https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips#when-outbound-ips-change)

The simplest way would be to use an Azure VM with a static public IP which is used for both inbound and outbound. Sam Cogan has a good blog post where he does go through a couple of options. (https://samcogan.com/obtaining-a-static-outbound-ip-from-an-azure-virtual-network/)

Neau answered 17/6, 2020 at 10:43 Comment(0)
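
A way to compare the on-prem firewall allow rules with the address list printed by the `az webapp show ... --query possibleOutboundIpAddresses --output tsv` command quoted above, so that a tier change or a leftover rule shows up as drift. This is an added example, not code from any of the answers; the function names, the sample addresses (documentation ranges) and the one-entry-per-line allowlist format are assumptions.

```python
import ipaddress

def parse_outbound(tsv_value):
    """Parse the comma-separated string printed by
    `az webapp show ... --query possibleOutboundIpAddresses --output tsv`."""
    return {ipaddress.ip_address(p.strip()) for p in tsv_value.split(",") if p.strip()}

def parse_allowlist(lines):
    """Parse firewall allow entries: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def audit(outbound, allowlist):
    """Return (missing, stale).
    missing: app outbound IPs that no allow entry covers (calls would be blocked).
    stale:   allow entries that cover no app outbound IP (open for no reason)."""
    missing = sorted(ip for ip in outbound if not any(ip in n for n in allowlist))
    stale = [n for n in allowlist if not any(ip in n for ip in outbound)]
    return missing, stale

# Constructed sample data (documentation address ranges, not real Azure IPs).
SAMPLE_AZ_OUTPUT = "203.0.113.10,203.0.113.11, 198.51.100.7,198.51.100.200\n"
SAMPLE_ALLOWLIST = """\
# on-prem firewall allow entries for the Azure web app
203.0.113.10
203.0.113.11/32
198.51.100.0/25      # covers .7 but not .200
192.0.2.44           # constructed leftover from an earlier pricing tier
""".splitlines()

if __name__ == "__main__":
    missing, stale = audit(parse_outbound(SAMPLE_AZ_OUTPUT),
                           parse_allowlist(SAMPLE_ALLOWLIST))
    for ip in missing:
        print(f"MISSING  {ip}  (not allowed yet: outbound calls from it will fail)")
    for net in stale:
        print(f"STALE    {net}  (allowed, but not an outbound address of this app)")
```

Feeding it the `outboundIpAddresses` value instead of `possibleOutboundIpAddresses` audits against only the addresses currently in use.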
0

A hybrid connection might be a solution https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections? I think they are designed for accessing on premise services.

Authenticity answered 4/8, 2021 at 14:47 Comment(1)
I recommend against rhetorical questions in answers. They risk being misunderstood as not an answer at all. You are trying to answer the question at the top of this page, aren't you? Otherwise please delete this post. – Immitigable
