Azure Functions with a Static IP
A few years ago I wrote an article on running AWS Lambda functions with a static IP. The gist of the solution is fairly simple: the Lambdas execute inside a VPC, and a NAT Gateway attached to one of its subnets governs the outbound IP of all requests to the internet. Unbelievably, this same functionality was not available to Azure users until November 2020, well over 4 years after my original article on the AWS counterpart was published.
Before we dive in…
Your Azure function apps will need to be on a premium or dedicated plan rather than the typical consumption plan, and those plans carry a very different and rather expensive pricing model. So, before jumping in, you should definitely weigh up the trade-offs of opting for a serverless solution vs PaaS/IaaS when you need control over your outbound IPs, and use the pricing calculator to help you make an informed decision.
VNet Integration
The following section outlines the process of creating the required components and tying them all together.
1. Create a new VNet with an address space of your choice; I used 10.2.0.0/16.
2. Create a NAT Gateway with a new public IP address.
3. Create a new subnet inside the above VNet with an appropriate address range; I used 10.2.1.0/26. Attach the NAT Gateway and then delegate the subnet to Microsoft.Web/serverFarms.
4. Create a new function app on the premium app service plan (remember, premium or dedicated plans are required for VNet integration) and publish your function(s) to this function app.
5. Integrate the function app with the VNet by selecting Networking > VNet Integration from the left-hand menu. In the configuration menu, select the VNet you created in step 1 and the subnet with the NAT Gateway attached from step 3.
One more step…
Annoyingly, the above steps to integrate with the VNet aren’t enough on their own: you need to explicitly force all outgoing traffic through the attached VNet by adding the following configuration entry to the function app’s app settings: WEBSITE_VNET_ROUTE_ALL = 1
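The same procedure as Azure CLI calls, including the final route-all setting. This is an added example, not code from the original post. Every resource name, the region, the EP1 SKU, the storage account and the node runtime are hypothetical placeholders; only the two address ranges, the subnet delegation and the app setting come from the steps above.

```shell
#!/bin/sh
# Added example: the portal steps above as Azure CLI calls.
# Resource names, region, EP1 SKU and node runtime are hypothetical placeholders;
# the address ranges are the ones used in the post.
set -eu

RG="${RG:-rg-func-static-ip}"          # assumed to exist already
LOCATION="${LOCATION:-westeurope}"
APP="${APP:-func-static-ip-demo}"
PLAN="${PLAN:-plan-func-premium}"
STORAGE="${STORAGE:-stfuncstaticipdemo}"
VNET=vnet-func SUBNET=snet-func-egress NATGW=natgw-func PIP=pip-func-egress

# Default is a dry run that only prints the commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

provision_static_egress() {
  # Step 1: the VNet
  run az network vnet create -g "$RG" -n "$VNET" --address-prefixes 10.2.0.0/16
  # Step 2: NAT Gateway with a new public IP (NAT Gateway needs a Standard, static IP)
  run az network public-ip create -g "$RG" -n "$PIP" --sku Standard --allocation-method Static
  run az network nat gateway create -g "$RG" -n "$NATGW" --public-ip-addresses "$PIP"
  # Step 3: subnet with the NAT Gateway attached, delegated to App Service
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --address-prefixes 10.2.1.0/26 --nat-gateway "$NATGW" \
    --delegations Microsoft.Web/serverFarms
  # Step 4: function app on a premium plan (a function app also needs a storage account)
  run az storage account create -g "$RG" -n "$STORAGE" --location "$LOCATION" --sku Standard_LRS
  run az functionapp plan create -g "$RG" -n "$PLAN" --location "$LOCATION" --sku EP1
  run az functionapp create -g "$RG" -n "$APP" --plan "$PLAN" \
    --storage-account "$STORAGE" --runtime node --functions-version 4
  # Step 5: integrate the app with the delegated subnet
  run az functionapp vnet-integration add -g "$RG" -n "$APP" --vnet "$VNET" --subnet "$SUBNET"
  # Final step: force all outbound traffic through the VNet
  run az functionapp config appsettings set -g "$RG" -n "$APP" --settings WEBSITE_VNET_ROUTE_ALL=1
}

# The address to hand to whoever maintains the downstream allow-list.
egress_ip() { run az network public-ip show -g "$RG" -n "$PIP" --query ipAddress -o tsv; }

provision_static_egress
egress_ip
```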