1

I've the following scenario:

  • There's a VNET which has a few services (Azure Container Apps + Azure Functions) which are internal services (they do not accept any external traffic). This VNET is connected to On-Prem using ExpressRoute. There's a service (API) hosted On-Prem, which we want to call from ContainerApps/Functions, that is only accessible internally. This service is behind a firewall. The administrators of this On-Prem service want us to provide the private IP(s) of the services which will call the On-Prem service - the important part is that we want these IP(s) to be static, so we do not need to change any firewall settings frequently. As far as I know, there's no way to control the private IP of either a ContainerApp or an Azure Function. I've considered Azure NAT Gateway, but it seems to work only with public IP(s). Are there any other alternatives?
macpak

1 Answer

1

Looking at the latest specification (api-version=2022-06-01-preview), it is supposed to be possible.

In the vnetConfiguration block, you can specify the outbound type and the virtual appliance IP:

vnetConfiguration: {
  ...
  outboundSettings: {
    outBoundType: 'UserDefinedRouting'
    virtualNetworkApplianceIp: 'X.X.X.X' 
  }
}

This requires a Premium SKU:

sku: {
  name: 'Premium'
}

Found also this interesting article about locking down the VNET:

Thomas
  • Thanks a lot. It's interesting, because I cannot find any information about the premium tier of Azure Container Apps. It seems it's not available yet - when I try to create a Managed Env with Premium SKU, I get PremiumManagedEnvironmentCreationNotEnabled. I am going to open a ticket in GitHub. – macpak Oct 14 '22 at 12:14
  • @macpak I had a chat with MS and it is still in private preview, so you will have to request access to the preview. – Thomas Oct 16 '22 at 23:57
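
The configuration from the answer above, placed in a complete template; this is an added example, not part of the original post or of Microsoft's documentation. A route table sends on-prem-bound traffic from the environment's infrastructure subnet to the appliance, and the managed environment uses the answer's `outboundSettings` and Premium SKU. Resource names, parameters and address ranges are assumptions, as is the appliance source-NATing forwarded traffic so that the on-prem firewall sees only its static private IP.

```bicep
// Added example: names, parameters and sample ranges below are assumptions.
param location string = resourceGroup().location
param vnetName string          // existing VNET connected to ExpressRoute
param infraSubnetPrefix string // e.g. '10.10.0.0/23' (constructed value)
param onPremPrefix string      // e.g. '192.168.50.0/24' (constructed value)
param applianceIp string       // static private IP of the NVA / firewall

// Force traffic bound for the on-prem API range through the appliance.
resource egressRoutes 'Microsoft.Network/routeTables@2022-05-01' = {
  name: 'rt-aca-egress'
  location: location
  properties: {
    routes: [
      {
        name: 'onprem-via-appliance'
        properties: {
          addressPrefix: onPremPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: applianceIp
        }
      }
    ]
  }
}

// Infrastructure subnet for the environment, bound to the route table.
resource infraSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-05-01' = {
  name: '${vnetName}/snet-aca-infra'
  properties: {
    addressPrefix: infraSubnetPrefix
    routeTable: { id: egressRoutes.id }
  }
}

// Internal-only environment using the outbound settings from the answer.
resource env 'Microsoft.App/managedEnvironments@2022-06-01-preview' = {
  name: 'cae-internal'
  location: location
  sku: { name: 'Premium' }
  properties: {
    vnetConfiguration: {
      internal: true
      infrastructureSubnetId: infraSubnet.id
      outboundSettings: {
        outBoundType: 'UserDefinedRouting'
        virtualNetworkApplianceIp: applianceIp
      }
    }
  }
}
```

Under these assumptions the on-prem firewall rule needs only `applianceIp` as its allowed source, so scaling or redeploying the apps does not change the allow-list.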