4

I am new on azure. I have multiple web apps on my azure subscription. Strangely, I have found two of them have the same external IP. They are now sharing any resources with each other. How this is possible, and how to change it, if there is away?

Md Farid Uddin Kiron
  • 16,817
  • 3
  • 17
  • 43
Bedair
  • 420
  • 4
  • 12
  • The web app is a [sanbox](https://github.com/projectkudu/kudu/wiki/Azure-Web-App-sandbox), if you host them in the same service plan, the service plan is a VM, they are in the same VM. – Joy Wang Aug 28 '18 at 00:58
  • @JoyWang - you can't think of App Services as being in a VM. The concept of VM is abstracted away. And the pool of inbound IP addresses are for the Web App Service (with a specific ip address pool per region), not for a given deployment (unless there's an SSL certificate attached to a Web App). – David Makogon Aug 28 '18 at 01:04
  • @DavidMakogon Thanks for sharing, if service plan is not a vm, how to understand service plan now? – Joy Wang Aug 28 '18 at 01:09
  • 1
    @JoyWang - there is a lot of documentation about Web Apps (app services), including how to deploy, overall file structure, etc. Just realize that a VM provides nearly all resources that an OS would normally provide, and a Web App does not. Aside from published docs, you can look at my answer [here](https://stackoverflow.com/a/10941526/272109). While that answer is contrasting web/worker roles with Web Apps, it still gives a good all-around picture of the restrictions/limitations. – David Makogon Aug 28 '18 at 01:24

1 Answers1

2

Azure App Services are deployed to scale units. A scale unit is a collection of servers inside an azure datacenter. A default scale unit can contain up to 1000 servers (or more). Servers inside a scale unit can have different roles, the most important are the worker role and the front end role. Servers with the worker role run customers applications while servers with the front end role act as load balancer and distribute incoming requests to the applications running on the servers with the worker role.

It is important to note here that each scale unit has only one inbound virtual IP address. This means that when you are running applications in an app service plan these applications do not only share the IP with other applications of this app service plan, but also with applications from other customers whose apps run inside the scale unit.

For SSL connections, usually SNI (Server Name Indication) is used, which is supported by all major web browsers.

Now if you want to get a dedicated IP address for your web app, there are two ways you can achieve this:

  • When using a custom domain, you can bind a certificate with IP SSL to your app service. In this case, the app service generates a static IP address for you and you have to remap the A record of your custom domain to this new address. Beware that your IP address can change when you delete this binding.

  • Use an App Service environment which enables to run your apps in your own Azure Virtual Network. To make use of this you need to pay for an isolated app service plan which can be quite cost intensive.

Tobias von Falkenhayn
  • 1,355
  • 5
  • 26
  • 59