SNAT Port Exhaustion


We have an app service making calls to other Azure services and app services. We occasionally see this exception; what can be done to help? We are investigating our code and trying to improve by reusing clients/connections such as HTTPClient.

2 Replies
Best guidance is here: https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-intermittent-outbound-connection-errors. Beyond that, a somewhat more involved approach would be to switch the back-end connection to go over a vnet connection to the downstream endpoint. https://azure.github.io/AppService/2021/04/22/Site-with-secure-backend-communication.html shows one general approach, and the idea would be to have downstream app services set up with private endpoints so the app service to app service communication goes over a vnet. Another somewhat less invasive approach would be to instead use Azure's NAT Gateway and route all outbound traffic from an app through a vnet and through the NAT gateway. That will get you a dedicated outbound IP address and a dedicated IP port space for outbound calls.
Thank you for your response. We will investigate.
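
An added example (not part of the thread) of why the connection reuse mentioned in the question matters: a constructed local server counts the distinct client source ports it sees for the same number of requests. It assumes that, as on loopback here, every new outbound TCP connection takes its own source port, which is what consumes a SNAT port behind a shared outbound address; `PortRecorder` and `source_ports_used` are hypothetical names.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class PortRecorder(BaseHTTPRequestHandler):
    """Constructed stand-in for a downstream service; records each caller's source port."""
    protocol_version = "HTTP/1.1"  # lets the server keep connections alive

    def do_GET(self):
        self.server.seen_ports.add(self.client_address[1])
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # silence per-request logging
        pass


def source_ports_used(requests, reuse):
    """Send `requests` GETs to a local server; return how many distinct source ports it saw."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), PortRecorder)
    server.daemon_threads = True
    server.seen_ports = set()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    conn = None
    try:
        for _ in range(requests):
            if conn is None:
                conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
            conn.request("GET", "/")
            conn.getresponse().read()  # drain the body so the socket can be reused
            if not reuse:  # client-per-call pattern: tear down after every request
                conn.close()
                conn = None
        return len(server.seen_ports)
    finally:
        if conn is not None:
            conn.close()
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("new connection per request:", source_ports_used(20, reuse=False), "source ports")
    print("one reused connection:     ", source_ports_used(20, reuse=True), "source ports")
```
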