Taken from this article.
Any outbound connection from the App Service app, such as to a back-end database, uses one of the outbound IP addresses as the origin IP address.
Why can't it just use the inbound IP address, which I thought would be the IP address of the VM or whatever it is that is running the app service?
Does this mean if my app service calls an API, that API would receive a request with one of the outbound IP addresses as the value for X-Forwarded-For?
How does it know which IP address to use?
Why does it need multiple outbound IP addresses?
CodePudding user response:
Why can't it just use the inbound IP address, which I thought would be the IP address of the VM or whatever it is that is running the app service?
The inbound IP is not a virtual machine, but a load balancer IP, otherwise, when you scale out, you would need to know multiple Inbound IP addresses and configure yourself a load balancer for the instances.
Does this mean if my app service calls an API, that API would receive a request with one of the outbound IP addresses as the value for X-Forwarded-For?
If you don't have any proxy or application gateway, then yes.
How does it know which IP address to use?
Every TCP and UDP packet contains a source port number and a destination port number. Each of those packets is encapsulated in an IP packet, whose IP header contains a source IP address and a destination IP address.
https://en.wikipedia.org/wiki/Network_address_translation
Why does it need multiple outbound IP addresses?
Depending on your SLA uptime, you may need to host your application in multiple regions / availability zones. Which means, the datacenters won't have the same IP Addresses, reason why it has many outbound ip addresses.
CodePudding user response:
There is an entire article on docs which talks about the different IP address when it comes to App Services: https://docs.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips
To get a single outbound IP address, you could, for example, use VNet-integration your App Service and then use NAT Gateway or Azure Firewall for egress.