Search code examples
azure-app-service-envrmnt

Why does isolated V3 App service Environment have 2 outbound IP?

Version 2 App service environment gives 1 outbound IP

But with ver,3 isolated App service Environment I get 2 outbound IP. background : I need to whitelist the outbound IP, and I would prefer to just whitelist 1 IP instead of 2.

Can i delete one of the outbound IP?

With isolated, seems like i cannot use virtual network NAT gateway to direct traffic through a static public IP address (app service
vnet integration is greyed out)? Thanks, Peter

Solution

  • Can i delete one of the outbound IP?

    There are 2 outbound IPs because there are 2 load balancers in the infra vnet for ASEv3. One IP is for the infra roles (Multi,FE, etc) and the other is for the workers outbound connection. We provide both as outbound ips because outbound traffic could come from the workers (in the case of app outbound traffic) or from the infra layer (like getting KV references in custom dns suffix).

    Below is an ASEv3 architecture diagram. enter image description here

    You should account for both IPs or you may run the risk of blocking necessary traffic.

    With isolated, seems like i cannot use virtual network NAT gateway to direct traffic through a static public IP address (app service vnet integration is greyed out)?

    enter image description here

    For more details see: https://learn.microsoft.com/en-us/azure/app-service/networking/nat-gateway-integration