Any reason Azure App Service Outbound IP showing IPV6 when integrated with vNET?

Time:02-12

I am using Azure App Service with P1V3 App Services Plan so that I can make use of Private Endpoint and vNET integration. vNET integration is configured on a subnet with NAT Gateway attached.

When my application calls outbound, my goal is to control the outbound IP, and my expectation is that it should show the NAT IP as the outbound IP. But it does not! Here is my sample code:

[image]

The app (.NET Core 3.1) is deployed in App Service and I see IPv6 as the outbound IP? Any idea why I am not seeing IPv4 (the NAT IP)? You can see the result by accessing this URL: [image]

Subnet looks like-

[image]

Outgoing ip showing here-

[image]

CodePudding user response:

This is because the app has a vnet integration set up connecting to a Subnet delegated to Webservice/serverfarm.

Azure does not make it obvious that using delegated subnets forces an integrated app to use IPv6 and there does not appear to be a way to discover what v6 addresses may be in use. MS forum response suggests any firewall rule for a web app attached to a delegated subnet should allow ALL IPv6 addresses (!!) as a way of working around the problem.

If the Web App is VNET integrated with a subnet that has the Microsoft.Web Service Endpoint enabled, then this behavior is expected. It is by design that when the Microsoft.Web endpoint is enabled, the normal IPv4 outbound IP is no longer used. Instead, any communications will go through special tunneling using IPv6 outbound.

For adding this to a firewall, an easy way to do so is to add an allow rule by Subnet name to ensure all of its traffic is covered.

For the case where this firewall / other resource is outside of Azure / your subscription, one option would be to allow all IPv6 Azure addresses. This is because the IPv6 addresses which the subnet may use can be any of the addresses available to the Azure backplane.
Information on the IPv6 list is available for download here: Download Azure IP Ranges and Service Tags – Public Cloud, from the Official Microsoft Download Center.
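
An added example, not part of the original answer: one way to turn the Service Tags JSON download mentioned above into a collapsed IPv6 allow list and check an observed source address against it. The sample document is constructed (documentation prefixes, assumed to follow the download's `values[].properties.addressPrefixes` layout), and `ipv6_prefixes` and `is_allowed` are illustrative names.

```python
import ipaddress
import json

# Constructed sample in the layout of the Service Tags JSON download.
# Prefixes are documentation ranges, not real Azure allocations.
SAMPLE_SERVICE_TAGS = json.loads("""
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "AzureCloud",
     "properties": {"region": "", "addressPrefixes": [
        "203.0.113.0/24", "2001:db8:100::/48", "2001:db8:100:40::/64",
        "2001:db8:200::/48", "2001:db8:201::/48"]}},
    {"name": "AzureCloud.westeurope",
     "properties": {"region": "westeurope", "addressPrefixes": [
        "198.51.100.0/24", "2001:db8:200::/48", "2001:db8:201::/48"]}}
  ]
}
""")


def ipv6_prefixes(service_tags, tag_name):
    """Return the collapsed IPv6 networks listed under one service tag."""
    for entry in service_tags.get("values", []):
        if entry.get("name") != tag_name:
            continue
        nets = []
        for prefix in entry["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version == 6:  # drop the IPv4 entries mixed into the list
                nets.append(net)
        # Merge overlapping and adjacent prefixes to keep the rule set short.
        return list(ipaddress.collapse_addresses(nets))
    raise KeyError(f"service tag not found: {tag_name}")


def is_allowed(source_ip, networks):
    """True if source_ip (as seen by the firewall) is inside any network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    for net in ipv6_prefixes(SAMPLE_SERVICE_TAGS, "AzureCloud"):
        print(net)
```

Passing a regional tag such as `AzureCloud.westeurope` instead of `AzureCloud` produces a narrower list; whether the app's IPv6 source addresses stay within a single region's prefixes is not established by this page.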
