Some weeks ago i received an email from Microsoft telling me that some updates on App Services inbound and outbound ip addresses may make my websites stop working. Some of my websites were impacted with outbound ip addresses updates and I need to know quickly which new outbound ip addresses I needed to manage.

Here is the beginning of the alert email (you may have received it too!):

 

 

In this article, we will discover how to get easily outbound ip addresses of web applications impacted by the update.

 

Inbound ip addresses vs outbound ip addresses

An azure web app uses two types of ip addresse:

  • 1 Inbound addresse: It defines the identity of the web app on internet. The Ip address can be dynamic or static (if an IP based SSL binding is defined).
  • N Outbound addresses: They define the origin of outbound traffic done from the web application (for example a call to an external database…)

 

For security reasons, some external services can accept traffic coming from specific IP addresses. Azure Outbound IP adresses updates can make actual Azure App Service outbound adresses obsolete and external services can refuse connections.

Outbound IP addresses can be updated on an had hoc basis or automatically during vertical scale operations, that means that external services have to know each outbound IP addresse usable by the azure web app.

 

We have to keep in mind that we have two types of outbound IP adresses to take care about:

  • Outbound IP adresses currently used by the web app
  • Outbound IP addresses usable by the web app, we usually call them « possibleOutboundIpAdresses »

 

How to retrieve App Service outbound ip addresses?

It exists several ways to manage them !

 

Using portals

It’s quite simple to retrieve outbound ip addresses currently used by the web app, we can get them from the Azure Portal, more exactly in the App Service properties.

 

Here is a screen shot to find outbound ip addresses from the Azure portal :

 

To find possible outbound IP addresses, we have to query Azure APIs. A simple way to do it consists of using the azure resources portal where we can directly explore Azure services in json format.

Here is a screen shot showing an Azure App service possible outbound IP addresses from the https://resources.azure.com/ portal:

* From this technical portal, we can easily find the outbound ip addresses and possible ones !

 

Portals are simple to use, but if we have a lot of websites to manage, checking each website with portals can be really long (and boring!). Let’s see how we can get theses outbout IP addresses and possible one using Azure Powershell.

 

Using Azure Powershell

The script is doing the following job:

  1. Connection to target Azure subscription
  2. Retrieve all azure App Services
  3. Iterate on each web app
    1. Retrieve the properties of each web app
    2. Write on the console outbound ip addresses and possible ones

 

$subscriptionId = "*****"

Login-AzureRmAccount -SubscriptionId $subscriptionId

$webApps = Get-AzureRmWebApp

foreach($webApp in $webApps){

 $outboundIpAddresses = $webApp.OutboundIpAddresses
 $extendedConfig = Get-AzureRmResource -ResourceType Microsoft.Web/sites -ResourceName $WebApp.Name -ResourceGroupName $WebApp.ResourceGroup -ApiVersion 2015-08-01 | select -expand Properties

 $possibleOutboundIPAddresses = $extendedConfig.possibleOutboundIpAddresses

 $webApp.Name
 Write-Host `n

 if ($outboundIpAddresses.Length -gt 0){
  
    Write-Host "OutboundIpAddresses"
    Write-Host `n
    $ips = $outboundIpAddresses.Split(",") 
    
    $ips
 }

 if ($possibleOutboundIPAddresses.Length -gt 0){
    
    Write-Host `n   
    Write-Host "PossibleOutboundIPAddresses"
    Write-Host `n
    
    $possibleIps = $possibleOutboundIPAddresses.Split(",")     
    $possibleIps
       
    Write-Host _________________________________
 }
}

 

Here is a screenshot of the script output :

 

With this script we are able to consolidate two types of outbout ip addresses that external services need to know !

Happy coding 🙂


Introduction to Azure Management group Renew Azure App Service certificates using C#

Leave a Reply

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *