
Azure App Service Auto-Scaling - handle new outbound IP

I am wondering how people handle the situation where an Azure Web App is configured with Auto-Scale that relies on services where IP whitelists have been configured.

For example, let's say I have a Website (Web A) and another App Service (App B) that is providing an API. I would like to set the firewall rules on App B such that Web A only has access to it using IP whitelisting.

In this scenario, if Web A satisfies the Auto-Scale rules, there is a potential that the newly scaled instance will have a different outbound IP (from my understanding of the documentation there is a chance of receiving a different outbound IP at least). How would I ensure that App B includes this new outbound IP?

In this scenario we already have username/password authentication, but as an added layer of security I would also like to configure IP whitelisting.

If Web A satisfies the Auto-Scale rules there is a potential that the newly scaled instance will have a different outbound IP [...]

No. All scale out operations take place within the scale unit (stamp), meaning same outbound IP addresses for all your instances.

Secure your service-to-service calls with the OAuth 2.0 client credentials grant (access tokens), or X.509 client certificates. The IP address way isn't a very cloud way of restricting access; you should look at IP addresses as ephemeral by nature in the cloud and deal with access at a higher layer in the OSI model.

Just had the same question and found this recently in the docs: [screenshot omitted]

Link to the microsoft docs

So in a nutshell: if you scale out it should work out; if you scale up between App Service plan tiers, the outbound IP addresses will change.

What you describe here is exactly how this service works.

There is no way to tell exactly from which IP a request will be coming to your API. The web app might, without any further notice, transfer the app to a different instance, hence the request will be coming from there.

However, there are also other ways to secure your API.

I recommend you have a look at adding Azure AD authorization in front of your API and require all requests to be authorized before they can interact with your API.

See e.g. how to
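Both answers above recommend authorizing the caller rather than its IP: Web A obtains an access token for App B with the client credentials grant, and App B validates that token on every request. The block below is an added example of the validation side, written for this page; it is not code from the question, from either answerer, or from Microsoft. The issuer, audience (App B's Application ID URI), app role name, client ID and signing key are all constructed assumptions. To keep the block runnable offline it signs and verifies with HMAC-SHA256 and a shared demo key; real Azure AD access tokens are RS256-signed and App B must verify them against the tenant's published signing keys (JWKS), normally with a JWT library rather than hand-rolled code. The claim checks (algorithm pinned, `iss`, `aud`, `exp`, `nbf`, and the app role the caller was granted) are the ones that matter either way.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: App B's registration exposes an Application ID URI (the
# expected audience) and defines an app role that Web A's service principal
# has been granted. The tenant ID below is a placeholder.
TENANT_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
APP_B_AUDIENCE = "api://app-b"
REQUIRED_ROLE = "Orders.Read"
WEB_A_CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # constructed

# Demo-only symmetric key so the example runs stand-alone. Azure AD tokens are
# RS256-signed; verify those against the tenant's JWKS, never a shared secret.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def web_a_claims(now: float) -> dict:
    """Claims the token endpoint would put in Web A's client-credentials token."""
    return {
        "iss": TENANT_ISSUER,
        "aud": APP_B_AUDIENCE,
        "appid": WEB_A_CLIENT_ID,
        "nbf": now - 60,
        "exp": now + 3600,
        "roles": [REQUIRED_ROLE],
    }


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the token endpoint: header.payload.signature (HS256 demo)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def tamper_claims(token: str, **changes) -> str:
    """Re-encode the payload with altered claims but keep the original signature,
    i.e. what a caller who can read but not sign tokens could attempt."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(changes)
    return f"{header_b64}.{_b64url_encode(json.dumps(claims).encode())}.{sig_b64}"


def validate_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Signature and claim checks App B runs before serving a request.
    Raises ValueError (or a subclass) on any failure; returns the claims on success."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (rejects alg "none" and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != TENANT_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != APP_B_AUDIENCE:  # a token for another API must not work here
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    # Client-credentials tokens carry app roles, not delegated scopes.
    if REQUIRED_ROLE not in claims.get("roles", []):
        raise ValueError("missing app role")
    return claims


def is_authorized(token: str, now=None) -> bool:
    try:
        validate_token(token, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = time.time()
    token = mint_token(web_a_claims(now))
    print("authorized:", is_authorized(token, now=now))
    print("forged role accepted:", is_authorized(tamper_claims(token, roles=["Admin"]), now=now))
```

Because the decision rests on the token, it does not matter which instance or scale unit Web A's request comes from. If you still want an IP layer as defence in depth, allow the app's `possibleOutboundIpAddresses` (every address the app can use across tiers) rather than the current `outboundIpAddresses`, so a scale-up does not silently break the call.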
