How to fix outbound IPs for App Service

Published May 04 2021 10:05 AM 10.8K Views

App Service are powerful features to retrieve Azure computer resources as PaaS platform. In other hands, PaaS is shared services for multi-tenant, so it might be caused as issues to collaborate with legacy applications. As one of such issues, external services sometimes require to fixed IP addresses from your applications. It was not allowed to fix outbound IPs for App Service except for App Service Environment in past, because the IPs are randomly selected by runtime from assigned ones like below.


In addition that, the outbound IPs might be changed. Refer to Inbound and outbound IP addresses in Azure App Service for the detail.


Here is brief architecture to fix outbound IPs for App Service. It's required to utilize NAT Gateway and VNet Integration of App Service. You can fix outbound IP as Public IP on NAT Gateway by using this architecture. 


Follow steps below to setup.

  1. Create VNET and NAT Gateway
  2. Associate NAT Gateway to a subnet 
  3. Enable VNet Integration
  5. Confirm outbound IP with Kudu

You can setup to fix outbound IP on your App Service by following this post. NAT Gateway usage also brings other great benefit that you can avoid intermittent outbound connection errors caused by SNAT ports.


1. Create VNET and NAT Gateway

Follow Quickstart: Create a virtual network using the Azure portal to create a VNET.  Next, Create NAT Gateway by following Tutorial: Create a NAT gateway using the Azure portal. It's required to specify Public IP like below and the Public IP will be an outbound IP for your App Service.



2. Associate NAT Gateway to a subnet 

It's required to integrate your App Service with VNET to utilize NAT Gateway, so visit your NAT Gateway and choose "Subnets" menu from left side. Choose a subnet which your will enable VNet Integration for your App Service in later.



3. Enable VNet Integration

Visit your App Service and enable VNet Integration by choosing a subnet which you have already associated NAT Gateway.




Next, it's also required to route all your outbound traffic to your VNET, so visit your App Service and choose configuration menu from left side. Put WEBSITE_VNET_ROUTE_ALL = 1 like below. Refer to Integrate your app with an Azure virtual network for the detail.



5. Confirm outbound IP with Kudu

App Service offers useful feature as Kudu not only development usage. Visit your App Service and open Kudu on it. Run curl command and you can confirm returned IP is same with Public IP on your NAT Gateway.



Version history
Last update:
‎Jun 04 2021 10:57 AM
Updated by: