0

I am trying to assign a static IP address, or at least control the outbound traffic, for an Azure App Service without having to invest in an App Service Environment (it's a very expensive and not very flexible option). Reading up on "VNet integration" (https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet) in the official Azure docs, there exist options to force traffic to the VNet. From there it should be possible to route all the traffic using UDRs through a NAT gateway. Has anyone here been able to make this work? I have read conflicting reports.

UPDATE: Details of the scenario are as follows. I want to communicate with a system behind an internet-facing firewall that has rules based on internet-routable IPs. I want to leverage App Services and PaaS services in Azure.


magnarwium

2 Answers

0

This is not possible with Azure NAT Gateway or any other native PaaS service in Azure. There are several open feedback items related to this issue (fixed outbound IP and NAT gateway with function app).

I have created a ticket in the Microsoft documentation hoping that they will clarify this in their official doc on VNet integration.

One solution would be to leverage IaaS and install a custom reverse proxy, such as nginx, on a VM or container. This is not an option in my scenario due to the maintenance this will require over time.

UPDATE

This is now supported https://azure.github.io/AppService/2020/11/15/web-app-nat-gateway.html. Microsoft announced support last week! I have tested the solution and it works great.

magnarwium
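The NAT gateway setup referred to in the update above, sketched with the Azure CLI as an added example (not code from the original post or from Microsoft's announcement). All resource names are placeholder assumptions, the VNet and subnet are assumed to exist already, and `WEBSITE_VNET_ROUTE_ALL=1` is the app setting that forces all outbound traffic into the integrated VNet.

```shell
#!/usr/bin/env bash
# Added example: pin App Service outbound traffic to one static public IP
# by attaching a NAT gateway to the VNet-integration subnet.
# All names below are placeholders (assumptions); override via environment.
RG="${RG:-example-rg}"
APP="${APP:-example-app}"
VNET="${VNET:-example-vnet}"
SUBNET="${SUBNET:-integration-subnet}"   # existing subnet reserved for the app
PIP="${PIP:-example-egress-ip}"
NATGW="${NATGW:-example-natgw}"
AZ="${AZ:-az}"                           # set AZ="echo az" for a dry run

configure_static_egress() {
  # 1. Static Standard-SKU public IP: the address the remote firewall allow-lists.
  $AZ network public-ip create --resource-group "$RG" --name "$PIP" \
      --sku Standard --allocation-method Static &&
  # 2. NAT gateway that owns that IP.
  $AZ network nat gateway create --resource-group "$RG" --name "$NATGW" \
      --public-ip-addresses "$PIP" --idle-timeout 10 &&
  # 3. Attach the NAT gateway to the integration subnet.
  $AZ network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
      --name "$SUBNET" --nat-gateway "$NATGW" &&
  # 4. Regional VNet integration of the web app with that subnet.
  $AZ webapp vnet-integration add --resource-group "$RG" --name "$APP" \
      --vnet "$VNET" --subnet "$SUBNET" &&
  # 5. Force all outbound traffic into the VNet, so it leaves via the NAT gateway.
  $AZ webapp config appsettings set --resource-group "$RG" --name "$APP" \
      --settings WEBSITE_VNET_ROUTE_ALL=1
}

# Print the static address to hand to the owner of the remote firewall.
show_egress_ip() {
  $AZ network public-ip show --resource-group "$RG" --name "$PIP" \
      --query ipAddress --output tsv
}

# Nothing is changed unless the script is invoked with "apply".
if [ "${1:-}" = "apply" ]; then
  configure_static_egress && show_egress_ip
fi
```

Run it with `apply` as the first argument to execute the steps; with `AZ="echo az"` it only prints the commands it would run.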
-1

It is possible, here is how to do it: https://sakaldeep.com.np/1159/azure-nat-gateway-and-web-app-vnet-integration-to-get-static-outbound-ip

The route rule should have the vnet range in the address prefix and the outbound ip in the Next hop address.

Also answered here: Web App outbound response not going through application gateway

CoolkcaH
  • It might be possible to do with a virtual appliance. You will not, however, be able to control the outbound traffic, and App Service will use its range of public IPs when connecting to it. This means that the virtual appliance will need to have a public IP for inbound traffic, and that defeats the purpose. The blog you refer to does not answer the readers that have asked the author about how to actually follow the steps it outlines – magnarwium Nov 03 '20 at 07:22
  • 1
    This is not true. Microsoft support recommended this approach to me, I tested it and it works. The question is about outbound traffic, not inbound. This configuration makes all outbound connections use the static ip, I have tested it myself. The only step that is not clear is the Route Rule, that I addressed in my answer. – CoolkcaH Nov 13 '20 at 14:18
  • That is great news. Could you provide details on how you configured the virtual appliance? – magnarwium Nov 15 '20 at 12:57
  • Just to be clear: when I wrote inbound I was talking about the IP of the virtual appliance. You are saying that you were able to route outbound traffic from the App Service to a private IP on the virtual appliance, right? – magnarwium Nov 15 '20 at 13:05
  • All outbound traffic will come out of the NAT Gateway always with the same static ip you buy as part of the NAT. The only thing missing in the link above is how to configure the Route table, I put 10.0.0.0/24 in the address prefix, next hop type "Virtual appliance" and the static ip in the Next hop address – CoolkcaH Nov 16 '20 at 13:56