question

Chavvcaldwell-8657 avatar image
0 Votes"
Chavvcaldwell-8657 asked JayaC-MSFT edited

Ip Ranges used for function apps (westus)

Hey Team I created some function apps that is sending data outbound, how do we determine which ip ranges its coming from? Does anyone know if “function apps” within Azure is under a specific service? We are trying to find the Ip ranges to the westus region for azure data centers for function apps. Just making sure that we have the right range of Ips labeled by services before we submit a ticket for them. I checked the JSON Download listed with all the services but I just want to confirm where I should be looking. Thank you!

Charvano Caldwell

azure-functionsazure-webapps-ip-addresses
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

JayaC-MSFT avatar image
0 Votes"
JayaC-MSFT answered JayaC-MSFT edited

Hello @Chavvcaldwell-8657 ,
I would recommend you to consider using service tags : https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags
However, I believe you have downloaded the JSON file from the following URL: https://www.microsoft.com/en-us/download/details.aspx?id=56519

The IPs published under AppService.WestEurope are IPs with AppService tagged. All AppService inbound are tagged IP to allow App Service to limit its access to (say) from VNET. Unlike inbound, not all AppService outbound are tagged with AppService.
Now regarding outbound IP:

Each function app has a set of available outbound IP addresses. Any outbound connection from a function, such as to a back-end database, uses one of the available outbound IP addresses as the origin IP address. But we don't know which IP would be consumed for the connection.


For this reason, your back-end service must open its firewall to all of the function app's outbound IP addresses.


Where to find the Outbound IP:


  1. Sign in to the Azure Resource Explorer.
    Select subscriptions > {your subscription} > providers > Microsoft.Web > sites.

  2. In the JSON panel, find the site with an id property that ends in the name of your function app.

  3. See outboundIpAddresses and possibleOutboundIpAddresses.

    The set of outboundIpAddresses is currently available to the function app. The set of possibleOutboundIpAddresses includes IP addresses that will be available only if the function app scales to other pricing tiers.

The set of available outbound IP addresses for a function app might change when you:


• Take any action that can change the inbound IP address.
• Change your App Service plan pricing tier. The list of all possible outbound IP addresses your app can use, for all pricing tiers, is in the possibleOutboundIPAddresses property.


When your function app runs in a Consumption plan, the outbound IP address might also change even when you haven't taken any actions such as the ones listed above.


Now when function app is running on Consumption plan , we better need to whitelist the entire datacenter( Azure region) IP range to use the outbound Ips.

83585-image.png

Here is how to do so:


https://docs.microsoft.com/en-us/azure/azure-functions/ip-addresses#data-center-outbound-ip-addresses ( which you have already done)


If you need static, dedicated IP addresses, we recommend App Service Environments (the Isolated tier of App Service plans).


https://docs.microsoft.com/en-us/azure/azure-functions/ip-addresses#dedicated-ip-addresses


Please let me know if this helps. If yes , please "Accept the answer" and "Up-vote" so that it helps others in the community.


image.png (438.0 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.