We're publishing some events to Azure Service Bus and using Azure Function App as an event handler. From the Azure Function App we need to make some outbound calls to a partner API, but the partner wants to configure some firewall restrictions.
I know we can use premium tier Function App and implement virtual network NAT gateway, to control the outbound IP, but we're trying to do this on the cheap with consumption tier Function App... I can see the list of outboundIpAddresses and possibleOutboundIpAddresses IP addresses in Azure Resource Explorer under subscriptions > {your subscription} > providers > Microsoft.Web > sites.
In Azure addresses in Azure Functions, it says:
The set of outboundIpAddresses is currently available to the function app. The set of possibleOutboundIpAddresses includes IP addresses that will be available only if the function app scales to other pricing tiers.
The relative stability of the outbound IP address depends on the hosting plan.
Because of autoscaling behaviors, the outbound IP can change at any time when running on a Consumption plan or in a Premium plan.
Seems like I shouldn't use outboundIpAddresses for whitelisting when using consumption tier Function App, but it doesn't say anything explicitly about possibleOutboundIpAddresses... Would it be OK to whitelist the IP list from possibleOutboundIpAddresses? Is it possible that this list will change?
FWIW If I look at 2 different function apps (same region), they both have 10 IPs listed for possibleOutboundIpAddresses, and they were completely different lists.
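An added example, not part of the original post: one way to audit a partner firewall allowlist against the comma-separated outboundIpAddresses and possibleOutboundIpAddresses properties of a site resource, and to detect when the possible set differs from a saved snapshot. The JSON is a constructed sample using documentation-range addresses, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample of a Microsoft.Web/sites resource (documentation-range IPs).
SITE_JSON = """
{
  "name": "example-func",
  "properties": {
    "outboundIpAddresses": "203.0.113.10,203.0.113.11",
    "possibleOutboundIpAddresses": "203.0.113.10,203.0.113.11,198.51.100.7,198.51.100.8"
  }
}
"""

def parse_ips(csv):
    """Split a comma-separated property value into a set of ip_address objects."""
    return {ipaddress.ip_address(p.strip()) for p in csv.split(",") if p.strip()}

def audit_allowlist(site, allowlist):
    """Compare allowlist entries (single IPs or CIDRs) with the app's outbound sets."""
    props = site["properties"]
    current = parse_ips(props.get("outboundIpAddresses", ""))
    possible = parse_ips(props.get("possibleOutboundIpAddresses", ""))
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]

    def covered(ip):
        return any(ip in net for net in nets)

    return {
        # Addresses in use right now that the partner firewall would block.
        "current_not_allowed": sorted(str(ip) for ip in current if not covered(ip)),
        # Addresses the app may use later that the firewall would block.
        "possible_not_allowed": sorted(
            str(ip) for ip in possible - current if not covered(ip)),
        # Allowlist entries matching no listed address: candidates for removal.
        "stale_entries": sorted(
            str(net) for net in nets
            if not any(ip in net for ip in possible | current)),
    }

def possible_ip_drift(old_site, new_site):
    """Report changes in possibleOutboundIpAddresses between two snapshots."""
    old = parse_ips(old_site["properties"]["possibleOutboundIpAddresses"])
    new = parse_ips(new_site["properties"]["possibleOutboundIpAddresses"])
    return {"added": sorted(str(ip) for ip in new - old),
            "removed": sorted(str(ip) for ip in old - new)}

SITE = json.loads(SITE_JSON)
```

Running `possible_ip_drift` on a schedule against a stored snapshot shows whether the list has changed for a given app, so the allowlist can be reviewed when it does.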