Azure NAT Gateway gives more control over outbound traffic from a virtual network. It lets you have a static outbound public IP for PaaS services. There could be many use cases for this service, but here I am interested in controlling an Azure Web App's outbound traffic.
The issue addressed: As we know, the inbound and outbound IPs are not the same for Azure App Service. An Azure Web App has a list of outbound IPs that is not static (it changes when the SKU changes or on auto-scale), and that causes many issues. A common one is e-commerce applications that have to communicate with third-party payment systems, where you need to whitelist the IPs of the web app. The problem appears when your application scales (probably at peak hour), the outbound IPs change, and the payment system stops accepting requests from your web app. Generally the IPs don't change, but in my experience they do change in exactly the critical situations. Another solution is ASE (App Service Environment), but it has its own problem: a very long scale time.
Solution: Integrate the Web App with a VNet using an empty subnet and attach a NAT Gateway to that subnet. By default, the web app only forwards RFC 1918 (private IP) traffic to the VNet, so we need to add the app setting WEBSITE_VNET_ROUTE_ALL to route all traffic into the virtual network. After that, the outbound traffic flow will be web app -> VNet/Subnet -> NAT Gateway static outbound public IP. You can whitelist that IP in the third-party payment systems; after that, even if the web app's own outbound IPs change, there will be no disruption to the service.
Step by step configuration
1. Assume the web app has been created and has at least a Standard app service plan.
2. Create a virtual network and subnet. It's better to name the subnet something like XXX-WEBAPP-SUBNET. The subnet must be empty.
   - The feature requires an unused subnet that's a /28 or larger in an Azure Resource Manager VNet.
   - The app and the VNet must be in the same region.
3. Navigate to the web app -> Networking and click on "Click here to configure".
4. Click on Add VNet.
5. Select the VNet and subnet.
6. You can see the resulting configuration below.
7. You can see that the subnet has been delegated to Microsoft.Web/serverFarms, as below.
Create NAT Gateway
8. In the Azure portal, go to All services -> search for "nat gateway" -> click on NAT gateway.
9. Click on the Add button.
10. Provide basic information like the resource group name and the NAT gateway name, and leave the other details at their defaults. On the Public IP tab, assign the public IP address that will become the static outbound IP.
11. On the Subnet tab, select the VNet and the subnet the web app is integrated with. After that, review the configuration and click Create.
12. After that, you can see the NAT gateway has been attached to the subnet.
Configure Web App
To route all traffic to the VNet, add the app setting WEBSITE_VNET_ROUTE_ALL with value 1.
13. Navigate to web app -> Configuration -> Application Settings -> New Application Setting.
14. Provide the name and value as below.
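The same configuration as an Azure CLI script, added here as an example that is not part of the original post; every resource name and the address range are assumed placeholders (override them with environment variables), and the az commands only run when the script is invoked with the argument apply. It also checks the /28-or-larger subnet requirement before creating anything.

```shell
# Added example, not from the original post: Azure CLI equivalent of the portal steps.
# All resource names below are placeholders; override them via environment variables.
set -eu

RG="${RG:-rg-webapp-nat}"                     # resource group (placeholder)
LOCATION="${LOCATION:-westeurope}"            # app and VNet must share a region
APP="${APP:-my-web-app}"                      # existing web app on a Standard+ plan
VNET="${VNET:-vnet-webapp}"
SUBNET="${SUBNET:-XXX-WEBAPP-SUBNET}"         # must be empty and /28 or larger
SUBNET_PREFIX="${SUBNET_PREFIX:-10.10.1.0/28}"
PIP="${PIP:-pip-natgw-webapp}"                # static IP to whitelist downstream
NATGW="${NATGW:-natgw-webapp}"
# Returns success when a CIDR is /28 or larger (prefix length <= 28).
subnet_prefix_ok() {
  local len="${1##*/}"
  [ "$len" -le 28 ]
}

create_network() {
  az network vnet create -g "$RG" -l "$LOCATION" -n "$VNET" \
    --address-prefix 10.10.0.0/16 \
    --subnet-name "$SUBNET" --subnet-prefix "$SUBNET_PREFIX"
  # NAT gateway requires a Standard SKU, statically allocated public IP.
  az network public-ip create -g "$RG" -l "$LOCATION" -n "$PIP" \
    --sku Standard --allocation-method Static
  az network nat gateway create -g "$RG" -l "$LOCATION" -n "$NATGW" \
    --public-ip-addresses "$PIP"
  # Attach the gateway to the integration subnet.
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --nat-gateway "$NATGW"
}

integrate_webapp() {
  # Regional VNet integration; this delegates the subnet to Microsoft.Web/serverFarms.
  az webapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet "$SUBNET"
  # Without this setting only RFC 1918 destinations are routed into the VNet.
  az webapp config appsettings set -g "$RG" -n "$APP" --settings WEBSITE_VNET_ROUTE_ALL=1
}

# Prints the address the payment provider should whitelist.
show_outbound_ip() {
  az network public-ip show -g "$RG" -n "$PIP" --query ipAddress -o tsv
}
if [ "${1:-}" = "apply" ]; then
  subnet_prefix_ok "$SUBNET_PREFIX" || { echo "subnet must be /28 or larger" >&2; exit 1; }
  create_network
  integrate_webapp
  echo "Whitelist this outbound IP: $(show_outbound_ip)"
fi
```

Run it as `bash setup-nat.sh apply` after `az login`; the printed address is the one to give the third-party payment system.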
Now you are all set. The application's outbound traffic will go through the NAT gateway's public IP. There are multiple tools to test outbound traffic. Please contact me @sakaldeep on Twitter for any queries.