Inbound and outbound IP addresses in Azure App Service

Azure App Service is a multi-tenant service, except for App Service Environments. Apps that are not in an App Service Environment (not in the Isolated tier) share network infrastructure with other apps. As a result, the inbound and outbound IP addresses of an app can be different, and can even change in certain situations.

App Service Environments use dedicated network infrastructure, so apps running in an App Service Environment get static, dedicated IP addresses for both inbound and outbound connections.

When inbound IP changes

Regardless of the number of scaled-out instances, each app has a single inbound IP address. The inbound IP address may change when you perform one of the following actions:

  • Delete an app and recreate it in a different resource group.
  • Delete the last app in a resource group and region combination and recreate it.
  • Delete an existing TLS binding, such as during certificate renewal (see Renew certificate).

Find the inbound IP

Run the following command in a local terminal:

nslookup <app-name>.chinacloudsites.cn

Get a static inbound IP

Sometimes you might want a dedicated, static IP address for your app. To get a static inbound IP address, you need to secure a custom domain. If you don't actually need TLS functionality to secure your app, you can even upload a self-signed certificate for this binding. In an IP-based TLS binding, the certificate is bound to the IP address itself, so App Service provisions a static IP address to make it happen.

When outbound IPs change

Regardless of the number of scaled-out instances, each app has a set number of outbound IP addresses at any given time. Any outbound connection from the App Service app, such as to a back-end database, uses one of the outbound IP addresses as the origin IP address. You can't know beforehand which IP address a given app instance will use to make the outbound connection, so your back-end service must open its firewall to all the outbound IP addresses of your app.

The set of outbound IP addresses for your app changes when you scale your app between the lower tiers (Basic, Standard, and Premium) and the Premium V2 tier.

You can find the set of all possible outbound IP addresses your app can use, regardless of pricing tiers, by looking for the possibleOutboundIpAddresses property or in the Additional Outbound IP Addresses field in the Properties blade in the Azure portal. See Find outbound IPs.

Find outbound IPs

To find the outbound IP addresses currently used by your app in the Azure portal, click Properties in your app's left-hand navigation. They are listed in the Outbound IP Addresses field.

You can find the same information by running the following command in the Azure CLI (first line) or Azure PowerShell (second line).

az webapp show --resource-group <group_name> --name <app_name> --query outboundIpAddresses --output tsv
(Get-AzWebApp -ResourceGroup <group_name> -name <app_name>).OutboundIpAddresses

To find all possible outbound IP addresses for your app, regardless of pricing tiers, click Properties in your app's left-hand navigation. They are listed in the Additional Outbound IP Addresses field.

You can find the same information by running the following command in the Azure CLI (first line) or Azure PowerShell (second line).

az webapp show --resource-group <group_name> --name <app_name> --query possibleOutboundIpAddresses --output tsv
(Get-AzWebApp -ResourceGroup <group_name> -name <app_name>).PossibleOutboundIpAddresses
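
Because a back-end firewall must allow every address the app might use, the allowlist should be checked against possibleOutboundIpAddresses rather than only the current set. The script below is an added example, not part of the original page: its function names and sample addresses are constructed, and it assumes the allowlist holds single IPv4 addresses, not CIDR ranges.

```sh
#!/bin/sh
# Added example (not from the original page). Allowlist entries are assumed
# to be single IPv4 addresses, not CIDR ranges.

# Live source for the first argument below; uses the command from this page.
# Needs a logged-in az CLI, so the constructed demo at the end does not call it.
fetch_possible_ips() {  # $1 = resource group, $2 = app name
  az webapp show --resource-group "$1" --name "$2" \
    --query possibleOutboundIpAddresses --output tsv
}

# Turn a comma-, space- or newline-separated list into sorted unique lines.
normalize_ips() {
  printf '%s\n' "$1" | tr ', \t' '\n\n\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Print every IP in list $1 that is absent from list $2.
# grep -Fx compares whole lines, so 192.0.2.1 is not "covered" by 192.0.2.10.
missing_ips() {
  _have=$(normalize_ips "$2")
  normalize_ips "$1" | while IFS= read -r _ip; do
    printf '%s\n' "$_have" | grep -Fxq -e "$_ip" || printf '%s\n' "$_ip"
  done
}

# Allowlisted IPs the app can never use: candidates for removal.
stale_ips() { missing_ips "$2" "$1"; }

# $1 = possibleOutboundIpAddresses value, $2 = firewall allowlist.
# Returns non-zero when a possible outbound IP is not allowlisted.
audit_allowlist() {
  _missing=$(missing_ips "$1" "$2")
  _stale=$(stale_ips "$1" "$2")
  [ -z "$_missing" ] || printf 'MISSING %s\n' $_missing
  [ -z "$_stale" ] || printf 'STALE   %s\n' $_stale
  [ -z "$_missing" ]
}

# Constructed sample data (documentation address ranges).
SAMPLE_POSSIBLE='192.0.2.10,192.0.2.11,198.51.100.7,203.0.113.5'
SAMPLE_ALLOWLIST='192.0.2.10
192.0.2.11
203.0.113.99'

audit_allowlist "$SAMPLE_POSSIBLE" "$SAMPLE_ALLOWLIST" || echo 'allowlist is out of sync'
```

Against a real app, pass `"$(fetch_possible_ips <group_name> <app_name>)"` as the first argument and the exported firewall rules as the second.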

Next steps

Learn how to restrict inbound traffic by source IP addresses.