0

I am wondering how people handle the situation where an Azure Web App is configured with Auto-Scale that relies on services where IP whitelists have been configured.

For example, let's say I have a Website (Web A) and another App Service (App B) that is providing an API. I would like to set the firewall rules on App B such that Web A only has access to it using IP Whitelisting.

In this scenario, if Web A satisfies the Auto-Scale rules, there is a potential that the newly scaled instance will have a different outbound IP (from my understanding of the documentation there is a chance of receiving a different outbound IP at least). How would I ensure that App B includes this new outbound IP?

In this scenario we already have username/password authentication, but as an added layer of security I would also like to configure IP whitelisting.

j_r
  • 83
  • 6
  • 1
    @AnasBinNazeer whenever you can, do more within a suggested edit than just removing thanks. Posts like [this](https://stackoverflow.com/review/suggested-edits/19348121) should be flagged as Too Broad, rather than put into another review queue. – Glorfindel Apr 06 '18 at 07:16
  • I've just put a flavour of an answer to this here https://stackoverflow.com/a/50909095/861315 – Steve Newstead Jun 19 '18 at 12:38

3 Answers

0

If Web A satisfies the Auto-Scale rules there is a potential that the newly scaled instance will have a different outbound IP [...]

No. All scale out operations take place within the scale unit (stamp), meaning same outbound IP addresses for all your instances.

Secure your service to service calls with OAuth 2.0 client credentials grant (access tokens), or X.509 client certificates. The IP address way isn't a very cloud way of restricting access; you should look at IP addresses as ephemeral by nature in the cloud and deal with access at a higher layer in the OSI model.

evilSnobu
  • 24,582
  • 8
  • 41
  • 71
0

just had the same question and found this lately in the docs:

Link to the microsoft docs

So in a nutshell: if you scale out it should work out; if you scale up between App Service plan tiers, the outbound IP addresses will change.

Sebs030
  • 566
  • 2
  • 4
  • 19
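The two answers above together make the practical point: scaling out keeps the current outbound IPs, but a scale-up (or any move to a different scale unit) can change them. The set of addresses an app can ever send from is exposed as the app's `possibleOutboundIpAddresses` property (next to the currently active `outboundIpAddresses`), and App B's allow-list should be built from that larger set, not from the addresses in use today. The following is an added example, not code from the question or any of the answers: it takes the JSON shapes returned by `az webapp show` for Web A and `az webapp config access-restriction show` for App B (both constructed inline here as sample data), reports which possible outbound IPs of Web A are not yet allowed on App B, and prints the `az webapp config access-restriction add` commands that would close the gap. The resource-group and app names, the rule names and the priority range are assumptions chosen for the example.

```python
"""
Compare Web A's possible outbound IPs against App B's access-restriction
allow-list and emit the az commands for any address that is not yet covered.
Added example for this thread; sample data below is constructed, not captured.
"""
import ipaddress
import json

# Constructed sample of the relevant fields from:
#   az webapp show --resource-group <rg> --name <web-a> \
#     --query "{outboundIpAddresses:outboundIpAddresses, possibleOutboundIpAddresses:possibleOutboundIpAddresses}"
# outboundIpAddresses is what the app uses right now; possibleOutboundIpAddresses
# also includes addresses it could use after a scale-up / stamp change.
WEB_A_SHOW = json.dumps({
    "outboundIpAddresses": "13.66.1.10,13.66.1.11,13.66.1.12",
    "possibleOutboundIpAddresses": "13.66.1.10,13.66.1.11,13.66.1.12,13.66.2.20,13.66.2.21",
})

# Constructed sample of:
#   az webapp config access-restriction show --resource-group <rg> --name <app-b>
# Only the first two of Web A's current addresses were ever allowed (an assumed state).
APP_B_RESTRICTIONS = json.dumps({
    "ipSecurityRestrictions": [
        {"name": "web-a-1", "action": "Allow", "ipAddress": "13.66.1.10/32", "priority": 100},
        {"name": "web-a-2", "action": "Allow", "ipAddress": "13.66.1.11/32", "priority": 101},
        {"name": "Deny all", "action": "Deny", "ipAddress": "Any", "priority": 2147483647},
    ]
})


def parse_ip_list(csv_field):
    """App Service returns the IP lists as one comma-separated string."""
    return [ipaddress.ip_address(s.strip()) for s in csv_field.split(",") if s.strip()]


def allowed_networks(restrictions_json):
    """Collect the CIDR ranges of every Allow rule; ignore Deny rules and the 'Any' catch-all."""
    nets = []
    for rule in json.loads(restrictions_json)["ipSecurityRestrictions"]:
        if rule.get("action", "Allow") != "Allow":
            continue
        addr = rule.get("ipAddress")
        if not addr or addr == "Any":
            continue
        nets.append(ipaddress.ip_network(addr, strict=False))
    return nets


def uncovered_ips(web_a_show_json, app_b_restrictions_json):
    """Return Web A's possible outbound IPs that no Allow rule on App B covers."""
    info = json.loads(web_a_show_json)
    possible = parse_ip_list(info["possibleOutboundIpAddresses"])
    nets = allowed_networks(app_b_restrictions_json)
    # An IPv4 address is never 'in' an IPv6 network (and vice versa), so mixed lists are safe.
    return [str(ip) for ip in possible if not any(ip in net for net in nets)]


def az_add_commands(resource_group, app_name, ips, start_priority=200):
    """Build one 'access-restriction add' command per missing address (rule names are assumed)."""
    cmds = []
    for i, ip in enumerate(ips):
        rule_name = "web-a-" + ip.replace(".", "-").replace(":", "-")
        cmds.append(
            "az webapp config access-restriction add"
            f" --resource-group {resource_group} --name {app_name}"
            f" --rule-name {rule_name} --action Allow"
            f" --ip-address {ip}/32 --priority {start_priority + i}"
        )
    return cmds


if __name__ == "__main__":
    missing = uncovered_ips(WEB_A_SHOW, APP_B_RESTRICTIONS)
    print("possible outbound IPs of Web A not allowed on App B:", missing)
    for cmd in az_add_commands("my-rg", "app-b", missing):
        print(cmd)
```

Two caveats a practitioner would add before relying on this. First, re-run the comparison whenever Web A's plan tier changes, since that is the operation that moves it to a new set of addresses. Second, the outbound addresses of a multi-tenant App Service plan are shared with other customers' apps on the same scale unit, so an allow-list of these IPs narrows the exposure of App B but does not identify Web A; the username/password (or, better, the token or client-certificate authentication the other answers recommend) remains the actual authentication control.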
-1

What you describe here is exactly how this service works.

There is no way to tell exactly from which IP a request will be coming to you API. The web app might, without any further notice, transfer the app to a different instance, hence the request will be coming from there.

However, there are also other ways to secure your API.

I recommend you have a look at adding AzureAD authorization in-front of your API and require all requests to be authorized before they can interact with your API.

See e.g. how to

kim
  • 3,385
  • 2
  • 15
  • 21