
I have multiple Azure Functions that are invoking external APIs, and I want all the requests to come from a single IP or a set of IPs so that the external APIs can whitelist my Azure Functions.

Question: Find a way to have a small set of outbound static IPs for Azure Functions in a multi-AZ deployment, preferably using serverless or managed services.

Attempt 1: deployment diagram (image). Problem with this: NAT Gateway is only in one AZ (even if we chose no zone).

Attempt 2: According to the best practices for NAT Gateway, you can have one NAT Gateway per AZ if all the resources inside that subnet are in a single AZ.


Problem: I don't know if it's possible to restrict an Azure Function to a specific AZ.

Attempt 3: Azure Firewall is one alternative that I explored, but it is too expensive for our needs ($900 per month per instance without any traffic; if I understood correctly, $1800 for 2 AZs), while NAT Gateway costs around $35 per instance without any traffic.

Any suggestions, or things that I did not understand correctly?

– Mihai

1 Answer

Azure Consumption Plans do not offer any "advanced" networking features. You need to look at the Premium plans. Azure Functions Premium will offer the multi-AZ feature, but it will then have one "active" instance per AZ. [Azure Portal showing Azure Function zone redundancy settings] You can then also integrate it into a VNet and control the traffic flow.

Another option would be to use the egress IPs of the App Service Plan (requires Premium or an App Service Plan S1 or higher).

[Azure Portal showing the outbound IPs from the Azure Function Network tab]

But Premium Functions also come at a price, while Consumption functions do not offer any networking features. https://azure.microsoft.com/en-us/pricing/details/functions/

  • While for the App Service Plan you can have it multi-AZ, you cannot have multi-AZ for the NAT Gateway (bottleneck), and that is my problem. Having the functions public is not acceptable from a security point of view (so I cannot use the IPs of the Azure Function directly). – Mihai Aug 10 '22 at 13:09
  • You can configure access restrictions on the function. But in your case, you only use an Event Hub trigger? So there is no public HTTP endpoint. Even with the network integration feature, Premium functions are "public" functions. If you really need an isolated environment, you need to use an App Service Environment. – Julian Hüppauff Aug 10 '22 at 15:42
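The answer above describes the pieces (Premium plan, zone redundancy, VNet integration, traffic control) in prose. The following Bicep template is an added example, not code from the question or the answer, that wires those pieces together: an EP1 plan with zone redundancy, a function app integrated into a subnet delegated to Microsoft.Web/serverFarms, a NAT Gateway with a public IP prefix attached to that subnet so that all outbound calls leave from the prefix's addresses, and a deny-all inbound restriction (the comments say the app only uses an Event Hub trigger). All resource names, the address ranges, the prefix length, the worker runtime and the API versions are assumptions chosen for illustration. The NAT Gateway in this template is deliberately left non-zonal; as the thread points out, a NAT Gateway lives in a single zone, so this template gives you fixed egress IPs but does not by itself make the egress path zone-redundant.

```bicep
// Added example (not from the original thread). Names, CIDRs and API versions are assumptions.
param location string = resourceGroup().location
param baseName string = 'fnegress'               // assumed name prefix
param storageAccountName string = 'stfnegress001' // assumed; must be globally unique

// A /31 public IP prefix gives two fixed egress addresses for the external API allow-list.
resource egressPrefix 'Microsoft.Network/publicIPPrefixes@2023-04-01' = {
  name: '${baseName}-pip-prefix'
  location: location
  sku: { name: 'Standard' }
  properties: { prefixLength: 31 }
}

// NAT Gateway: no `zones` set, so it is non-zonal (still placed in one zone by the platform).
// This is the single-zone limitation discussed in the question; it is not solved here.
resource natGw 'Microsoft.Network/natGateways@2023-04-01' = {
  name: '${baseName}-natgw'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIpPrefixes: [ { id: egressPrefix.id } ]
    idleTimeoutInMinutes: 4
  }
}

// VNet with one subnet delegated to App Service / Functions and bound to the NAT Gateway.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: '${baseName}-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'functions'
        properties: {
          addressPrefix: '10.10.1.0/24'
          natGateway: { id: natGw.id }
          delegations: [
            { name: 'webDelegation', properties: { serviceName: 'Microsoft.Web/serverFarms' } }
          ]
        }
      }
    ]
  }
}

// Storage account required by the Functions runtime.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: { minimumTlsVersion: 'TLS1_2', allowBlobPublicAccess: false }
}

// Elastic Premium plan with zone redundancy (the "one active instance per AZ" the answer mentions).
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: '${baseName}-plan'
  location: location
  kind: 'elastic'
  sku: { name: 'EP1', tier: 'ElasticPremium', size: 'EP1', family: 'EP' }
  properties: {
    maximumElasticWorkerCount: 20
    zoneRedundant: true
  }
}

resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
  name: '${baseName}-func'
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    // Regional VNet integration into the delegated subnet above.
    virtualNetworkSubnetId: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'functions')
    siteConfig: {
      minimumElasticInstanceCount: 3 // zone redundancy needs at least three instances
      vnetRouteAllEnabled: true      // send all outbound traffic through the VNet, hence the NAT Gateway
      ftpsState: 'Disabled'
      // No inbound HTTP from the internet; the app is triggered by Event Hub, not HTTP.
      ipSecurityRestrictions: [
        { name: 'deny-all', ipAddress: 'Any', action: 'Deny', priority: 2147483647 }
      ]
      appSettings: [
        { name: 'AzureWebJobsStorage', value: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}' }
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'dotnet-isolated' } // assumed runtime
      ]
    }
  }
}

// The prefix to hand to the external API owners for their allow-list.
output egressPrefix string = egressPrefix.properties.ipPrefix
```

After deployment, the `egressPrefix` output is the range the external APIs need to allow; you can confirm the path by calling an echo-style endpoint from the function and checking that the reported source address falls inside that prefix rather than in the plan's default outbound IP list shown on the Network tab.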