I have a cloud service that opens a socket externally and requires a whitelisted IP address. Nothing will externally initiate a connection with my service.
When I attempt to publish it with an associated ReservedIP address I get the following error: Validation Errors: Error validating the .cscfg file against the .csdef file. Severity:Error, message:ReservedIP 'xxxx' was not mapped to an endpoint. The service definition must contain atleast one endpoint that maps to the ReservedIP..
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="Gateway" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="5" osVersion="*" schemaVersion="2015-04.2.6">
<Role name="WorkerRole1">
<Instances count="1" />
<Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" value="yyyyy" />
<Setting name="APPINSIGHTS_INSTRUMENTATIONKEY" value="xxx" />
<Setting name="ASPNETCORE_ENVIRONMENT" value="dev" />
<ReservedIP name="xxxxx"/>
Looks like ReservedIP is only supported with services containing an external endpoint. What you can do is add an external endpoint but firewall it off with the NSG (Network Security Group).
On help defining an endpoint see
Also, if you use a port that is actually not bound to in the machine, it should not be a vulnerability; but adding a deny rule in NSG would cover for any change in future as well.
[Aside] If your service does not have any incoming connections, you should consider using a worker role instead of a web role. Long running threads can get terminated in web role instances.