Networking
By default, apps hosted in App Service are accessible on the open internet and are only able to make requests to internet-hosted endpoints. In many situations, it is beneficial to control inbound and outbound traffic.
App Service uses two primary deployment types depending on your chosen tier:
- multitenant - more than one app hosted on the same instance, split by group:
  - shared - more than one customer on the same instance, split by tier:
    - free
    - shared
  - dedicated - one customer on one instance, split by tier:
    - basic
    - standard
    - premium
    - premium v2
    - premium v3
- single-tenant - one app hosted on a single instance, split by tier:
  - isolated
Multitenant networking
Azure App Service is a distributed system. Incoming HTTP/S requests are routed and load balanced by 'roles' (overloaded term) called front-ends. 'Roles' that host customer workloads are called workers.
There are separate constructs (which Azure calls 'features') which allow you to control inbound and outbound traffic to/from your app. Inbound traffic features cannot solve outbound traffic problems and vice versa.
I would have thought this was obvious, but the Microsoft Learn documentation states it explicitly, so it must be an important thing to remember.
On any multitenant tier, a shared set of front-end roles handles all incoming traffic for the scale unit.
IP addresses
An App Service app runs in an App Service plan. A plan is deployed into a deployment unit, which is the set of Azure infrastructure responsible for running the apps in the plan. A single deployment unit is assigned a set of virtual IP addresses:
- a single public inbound IP address
- a set of outbound IP addresses
Plans in the same deployment unit (and therefore the apps that run inside the plans) share the same set of virtual IP addresses.
Isolated plans
For an isolated tier plan, the plan is a deployment unit itself, so the assigned virtual IP addresses are dedicated to the plan.
Finding outbound IPs
You can find the outbound IP addresses currently assigned to your app using the following az command:
az webapp show \
    --resource-group <group_name> \
    --name <app_name> \
    --query outboundIpAddresses \
    --output tsv
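As an added example (not part of the original notes or of Microsoft's documentation), the script below takes the comma-separated string that command prints and diffs it against the allowlist of a downstream firewall, reporting egress IPs that are not yet permitted and entries that are no longer used. The function names, the one-IP-per-line allowlist format and the sample addresses are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: detect drift between an app's outbound IPs and a downstream allowlist.
# In real use the first value would come from the az command above, e.g.
#   CURRENT="$(az webapp show --resource-group <group_name> --name <app_name> \
#                --query outboundIpAddresses --output tsv)"
# Both inputs below are constructed samples using documentation-range addresses.

SAMPLE_CURRENT="203.0.113.10,203.0.113.11,198.51.100.7"   # comma-separated, as az prints it
SAMPLE_ALLOWLIST="203.0.113.10
198.51.100.7
192.0.2.55"                                               # hypothetical format: one IP per line

# normalize LIST: accept comma- or newline-separated IPs, strip spaces and
# carriage returns, drop empty entries, and emit sorted unique lines.
normalize() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \r' | sed '/^$/d' | sort -u
}

# only_in_first A B: print every IP that appears in A but not in B.
# grep -F -x does an exact whole-line match, so 203.0.113.1 never matches 203.0.113.10.
only_in_first() {
  normalize "$1" | while IFS= read -r ip; do
    normalize "$2" | grep -Fxq -- "$ip" || printf '%s\n' "$ip"
  done
}

# IPs the app can egress from that the firewall does not yet permit.
missing_from_allowlist() { only_in_first "$1" "$2"; }

# Allowlist entries the app no longer egresses from (candidates for removal).
stale_in_allowlist() { only_in_first "$2" "$1"; }

echo "Egress IPs missing from the allowlist:"
missing_from_allowlist "$SAMPLE_CURRENT" "$SAMPLE_ALLOWLIST"
echo "Allowlist entries no longer in use:"
stale_in_allowlist "$SAMPLE_CURRENT" "$SAMPLE_ALLOWLIST"
```

Because plans in the same deployment unit share these addresses, an allowlist entry built this way admits every app in that unit, so it should not be the only control in front of the downstream service. `az webapp show` also exposes `possibleOutboundIpAddresses`, and the same functions work on that output.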