Configuring a permanent OUTBOUND IP (for Whitelisting)
Goal: Ensure every request leaving your Azure Function comes from one specific, unchanging Public IP address.
Supported Hosting Plans
- Flex Consumption: (Newest, most cost-effective for scaling).
- Elastic Premium (EP): (High performance, pre-warmed instances).
- Dedicated (App Service Plan): (Basic, Standard, Premium v2/v3).
- Note: The “Consumption” (Y1) plan is not supported.
Step 1: Create a Static Public IP Address
- In the Azure Portal, search for Public IP addresses.
- Click + Create.
- SKU: Select Standard (Required for NAT Gateway).
- Tier: Regional.
- IP Address Assignment: Select Static.
- Name:
func-outbound-static-ip. - Click Review + Create, then Create.
Step 2: Create the NAT Gateway
- Search for NAT gateways and click + Create.
- Name:
func-nat-gateway. - Region: Must be the same region as your Function App.
- Outbound IP tab: Select the Static IP you created in Step 1.
- Click Review + Create, then Create.
Step 3: Configure the VNet and Subnet (Crucial Step)
To avoid the “Grayed Out” error in the portal, your subnet must meet these specific criteria:
- Navigate to your Virtual Network (or create a new one).
- Select Subnets > + Subnet.
- Name:
snet-func-integrated. - Address Range:
- Flex Consumption: Requires at least a
/28(16 IPs). - Premium/Dedicated: Requires at least a
/29(8 IPs). - Recommendation: Use a
/26(64 IPs) to allow for future scaling.
- Flex Consumption: Requires at least a
- Subnet Delegation: Select
Microsoft.Web/serverFarms. - NAT Gateway: Select the
func-nat-gatewayyou created in Step 2. - Click Save.
Step 4: Enable VNet Integration on the Function App
- Go to your Function App in the Azure portal.
- On the left menu, under Settings, select Networking.
- Under Outbound Traffic, select VNet integration.
- Click Add VNet integration.
- Select your Virtual Network and the subnet (
snet-func-integrated) from Step 3. - Click Connect/Apply.
Step 5: Configure Routing (Plan-Specific Requirements)
This is where the configuration differs depending on your plan:
- For Flex Consumption:
- No action needed. Flex Consumption automatically routes all internet-bound traffic through the VNet by default.
- For Premium (EP) or Dedicated Plans:
- By default, these plans only route “Private” traffic (internal IPs) through the VNet. You must force “Internet” traffic through it.
- Go to Configuration (under Settings) in your Function App.
- Click + New application setting.
- Name:
WEBSITE_VNET_ROUTE_ALL - Value:
1 - Click Save.
Step 6: Verification (Test the Static IP)
- In the Function App portal, go to Development Tools > Console (or SSH for Linux).
- Type the following command:
curl https://ifconfig.me - The Result: The IP address returned must match the Static Public IP from Step 1.
- Wait 1 minute and run it again. It should remain identical.
Summary Table: Outbound Static IP
| Feature | Flex Consumption | Premium / Dedicated |
|---|---|---|
| Min Subnet Size | /28 |
/29 |
| Subnet Delegation | Microsoft.Web/serverFarms |
Microsoft.Web/serverFarms |
| Route All Traffic | Automatic (Default) | Requires WEBSITE_VNET_ROUTE_ALL=1 |
| Fixed IP Source | NAT Gateway | NAT Gateway |