We welcome user feedback and feature requests!

Add static IP address for outbound traffic without the use of App Service Environment

There are many reasons you may want to have a static IP address for outbound connections. For example, you may be accessing a system which requires you to whitelist IP address in a firewall, such as SQL Database or an external service.

Currently, the only way to get a static IP address for outbound connections is to use App Service Environment. App Service Environments are quite complex, and has a very high price tag. You need at least 4 instances, 2 of which must be P2, meaning you'll pay at least 1000 EUR/month. Paying 1000 EUR/month just because you want a static IP address is obviously ridiculous.

I'm looking forward to being able to use a static IP address without an App Service Environment.

774 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    Nitramafve shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

    24 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)
      Submitting...
      • RMD commented  ·   ·  Flag as inappropriate

        If your site uses SSL and you're at least using the "Production" tier, you can assign the SSL cert using IP based bindings. This will lock down your IP address so that it won't change.

      • Pedro Feio commented  ·   ·  Flag as inappropriate

        Defining our outbound IPs is key feature for us. At least something that allows us to do some NAT equivalent for our App Services. What we can't do is ask our partners to whitelist 4-8 outbound IPs per app service. It's not secure, governable or practical.

        I'm now on the verge of having to abandon a solution using App services because of this. The ASE is not economically viable, and makes no sense for financially. We don't need to scale to that level, we just need outbound IP isolation.

      • George commented  ·   ·  Flag as inappropriate

        This is a must. You cannot have web apps without static outbound IPs. My apps are behind a WAF and i have a single inbound IP. But outbound IP changes just drives everyone crazy because i cant keep up with updating suppliers to update their firewalls (for a cost) because outbound connections to their APis are not routed through the WAF but the web app outbound IPs which change when scale up or down etc. Please add static outbound IPs for whatever reasonable cost or add an option to be able to route my web apps traffic through the WAF. Thank you.

      • Anonymous commented  ·   ·  Flag as inappropriate

        On way of solving this that we have looked into is to setup a forward proxy on it's own VNET with a load balancer and attach an outbound static ip address to the VNET. The load balancer should manage outbound connections too. You then setup a point-to-site vpn between your app services and your VNET and route the traffic from your app instances through your forward proxy which will route the traffic to where ever you like. We haven't tried this out yet, but we will tell you more once it is up and running.

      • KachenAr commented  ·   ·  Flag as inappropriate

        I need this feature. Because I need to connect to IP filtered Government web service.

        As lease I need static possible outbound IP for 2-3 IP address.

      • Anonymous commented  ·   ·  Flag as inappropriate

        We really need this for basic security. My personal use case doesn't need a static external IP, but we use a SQL Azure database and not being able to limit the SQL Azure firewall to just our app service is a terrible limitation - instead we have to open SQL Azure to "All of azure". So a static external IP may be a solution to this, but any solution that allows me to put the Web App on a VNET for internal traffic would also work, Basic security..

      • DubStep commented  ·   ·  Flag as inappropriate

        Wouldn't using a VM instead of an app service accomplish this? More expensive than a app service sure, but not more than a ASE, which is tailored towards multiple apps rather than a single one, hence the price tag. Also off the top of my head, setting up a site to site VPN connection then giving your app service access to that vnet would also be a way to accomplish this in my mind. Also extra cost, but probably better than whitelisting an internet IP address to have access to your SQL server IMO.

      • Anonymous commented  ·   ·  Flag as inappropriate

        Currently we are on cloud services due to this limitation and we cannot justify 4-6x the cost to move to ASE. This is preventing us from fully engaging with a CSP account.

      • Shane Milton commented  ·   ·  Flag as inappropriate

        I too am looking for this to be implemented for all of the same reasons! In our case, we want to have web apps, webjobs, and functions, all of which need static IP addresses. In fact, we just had one of our async processes go down because a third-party dependency *ADDED* the need for whitelisted IPs. I've temporarily had them whitelist the dynamic IPs our App Service has registered, but it's a 48-72-hour whitelisting process so every time these IPs change, we'll have 2-3 days of downtime unless we rewrite these "Serverless" functions to actually run in a VM or something, which is dumb.

      • Anonymous commented  ·   ·  Flag as inappropriate

        Hi,
        Do you have any update on supporting static outbound ip for apps? We also have a vendor who needs to white list our ip. And using VM for the purpose seems to be self defeating.

      • Andreas Paulsson commented  ·   ·  Flag as inappropriate

        I agree as well, we have a large app that will be deployed to a number of App Services but a few external dependencies (web services) that wants whitelist our outgoing IP in their firewall.

        Is it possible to solve this (until we get a real solution) using a VM with IIS rewriting and/or ARR (Application Request Routing) that has a fixed outgoing fixed IP that we can route out traffic through? It is absolutely not ideal but it is far cheaper than an ASE.

      • Olivier B commented  ·   ·  Flag as inappropriate

        hi, it's also a very important feature for us.
        Not only the ASE costs a lot, but its does not answer all security filtering requirements,.
        With an ASE in VNET, one must allow all webapp to connect to all DB (= any webapp to any DB), as you cannot identify each ASE webapp by it's IP individually (the ILB does not solve the issue, as the ILB would still need access to all DB for all WebApps)

      • cto commented  ·   ·  Flag as inappropriate

        I would like to migrate our asp.net ecommerce sites to Azure, but we use payment gateways that require whitelisted IP addresses. The absence of this feature prevents me from using Azure hosting.

      • AdminAzure App Service team (Admin, Microsoft Azure) commented  ·   ·  Flag as inappropriate

        Hi all,

        Thanks for all the comments. We still don't have a solution here other than ASE right now, but we have this on the feature request list and we will look on ways to accommodate in the future. We will update the item once there is more information to share.

        Thanks,
        Oded

      • Simon Michaud commented  ·   ·  Flag as inappropriate

        Not being able to have static Outbound IP is a blocker. To use App Services in our case it would mean x4 the cost (plus complexity of setting it up), so we must use VMs / VM ScaletSets instead. Please consider a more cost effective-solution, ASE is not a viable option for most.

      • Helio commented  ·   ·  Flag as inappropriate

        Spending $15k to $20K that an ASE cost can't be Microsoft's answer to a simple request, that at the same time is quite necessary for too many scenarios! Microsoft should seriously reconsider this.

      ← Previous 1

      Feedback and Knowledge Base