Add static IP address for outbound traffic without the use of App Service Environment
There are many reasons you may want to have a static IP address for outbound connections. For example, you may be accessing a system which requires you to whitelist IP addresses in a firewall, such as SQL Database or an external service.
Currently, the only way to get a static IP address for outbound connections is to use App Service Environment. App Service Environments are quite complex, and have a very high price tag. You need at least 4 instances, 2 of which must be P2, meaning you'll pay at least 1000 EUR/month. Paying 1000 EUR/month just because you want a static IP address is obviously ridiculous.
I'm looking forward to being able to use a static IP address without an App Service Environment.
Thanks for the suggestion. The App Service is a multi-tenant service, which makes features like this more challenging. Because the App Service Environment is single-tenant and runs in your VNet, it makes having a static IP for outbound requests from your app possible.
Shane Milton commented
I too am looking for this to be implemented for all of the same reasons! In our case, we want to have web apps, webjobs, and functions, all of which need static IP addresses. In fact, we just had one of our async processes go down because a third-party dependency *ADDED* the need for whitelisted IPs. I've temporarily had them whitelist the dynamic IPs our App Service has registered, but it's a 48-72-hour whitelisting process so every time these IPs change, we'll have 2-3 days of downtime unless we rewrite these "Serverless" functions to actually run in a VM or something, which is dumb.
Do you have any update on supporting static outbound IP for apps? We also have a vendor who needs to whitelist our IP. And using a VM for the purpose seems to be self-defeating.
Andreas Paulsson commented
I agree as well. We have a large app that will be deployed to a number of App Services, but a few external dependencies (web services) want to whitelist our outgoing IP in their firewall.
Is it possible to solve this (until we get a real solution) using a VM with IIS rewriting and/or ARR (Application Request Routing) that has a fixed outgoing IP that we can route our traffic through? It is absolutely not ideal but it is far cheaper than an ASE.
Olivier B commented
Hi, it's also a very important feature for us.
Not only does the ASE cost a lot, but it also does not answer all security filtering requirements.
With an ASE in a VNet, one must allow all web apps to connect to all DBs (= any web app to any DB), as you cannot identify each ASE web app by its IP individually (the ILB does not solve the issue, as the ILB would still need access to all DBs for all web apps).
I would like to migrate our ASP.NET e-commerce sites to Azure, but we use payment gateways that require whitelisted IP addresses. The absence of this feature prevents me from using Azure hosting.
Thanks for all the comments. We still don't have a solution here other than ASE right now, but we have this on the feature request list and we will look at ways to accommodate it in the future. We will update the item once there is more information to share.
Simon Michaud commented
Not being able to have a static outbound IP is a blocker. To use App Services in our case would mean 4x the cost (plus the complexity of setting it up), so we must use VMs / VM Scale Sets instead. Please consider a more cost-effective solution; ASE is not a viable option for most.
Spending the $15k to $20K that an ASE costs can't be Microsoft's answer to a simple request that at the same time is quite necessary for too many scenarios! Microsoft should seriously reconsider this.
Marat Gallyamov commented
One solution may be to use Cloud Service (classic) in combination with Reserved_IP. The cost will be the same as App Service. But many features of App Service will not be supported.
Uri Goldstein commented
Thank you, Christina, for reviewing this and for your reply. Please consider that while the App Service Environment feature does allow outbound static IP addresses, the issue raised here is that the feature is prohibitively expensive. The request is for a reasonably priced feature.
I'd also like to see this feature added. I'm currently looking at sending requests from our web app through a third-party proxy service just to get our outbound traffic coming from a dedicated IP address that I can have whitelisted at the vendors we communicate with.