Inbound and outbound IP addresses in Azure App Service

Azure App Service is a multi-tenant service, except for App Service Environments. Apps that are not in an App Service Environment (not in the Isolated tier) share network infrastructure with other apps. As a result, the inbound and outbound IP addresses of an app can be different, and can even change in certain situations.

App Service Environments use dedicated network infrastructure, so apps running in an App Service Environment get static, dedicated IP addresses for both inbound and outbound connections.

How IP addresses work in App Service

An App Service app runs in an App Service plan, and App Service plans are deployed into one of the deployment units in the Azure infrastructure (internally called a webspace). Each deployment unit is assigned up to five virtual IP addresses, which include one public inbound IP address and four outbound IP addresses. All App Service plans in the same deployment unit, and the app instances that run in them, share the same set of virtual IP addresses. For an App Service Environment (an App Service plan in the Isolated tier), the App Service plan is the deployment unit itself, so the virtual IP addresses are dedicated to it.

Because you're not allowed to move an App Service plan between deployment units, the virtual IP addresses assigned to your app usually remain the same, but there are exceptions.

When inbound IP changes

Regardless of the number of scaled-out instances, each app has a single inbound IP address. The inbound IP address may change when you perform one of the following actions:

  • Delete an app and recreate it in a different resource group (deployment unit may change).
  • Delete the last app in a resource group and region combination and recreate it (deployment unit may change).
  • Delete an existing IP-based TLS/SSL binding, such as during certificate renewal (see Renew certificate).

Find the inbound IP

Just run the following command in a local terminal:

nslookup <app-name>.chinacloudsites.cn

Get a static inbound IP

Sometimes you might want a dedicated, static IP address for your app. To get a static inbound IP address, you need to secure a custom domain. If you don't actually need TLS functionality to secure your app, you can even upload a self-signed certificate for this binding. In an IP-based TLS binding, the certificate is bound to the IP address itself, so App Service provisions a static IP address to make it happen.

When outbound IPs change

Regardless of the number of scaled-out instances, each app has a set number of outbound IP addresses at any given time. Any outbound connection from the App Service app, such as to a back-end database, uses one of the outbound IP addresses as the origin IP address. The IP address to use is selected randomly at runtime, so your back-end service must open its firewall to all the outbound IP addresses for your app.

The set of outbound IP addresses for your app changes when you perform one of the following actions:

  • Delete an app and recreate it in a different resource group (deployment unit may change).
  • Delete the last app in a resource group and region combination and recreate it (deployment unit may change).
  • Scale your app between the lower tiers (Basic, Standard, and Premium) and the Premium V2 tier (IP addresses may be added to or subtracted from the set).

You can find the set of all possible outbound IP addresses your app can use, regardless of pricing tiers, by looking for the possibleOutboundIpAddresses property or in the Additional Outbound IP Addresses field in the Properties blade in the Azure portal. See Find outbound IPs.

Find outbound IPs

To find the outbound IP addresses currently used by your app in the Azure portal, click Properties in your app's left-hand navigation. They are listed in the Outbound IP Addresses field.

You can find the same information by running the following command in the Azure CLI (first line) or Azure PowerShell (second line).

az webapp show --resource-group <group_name> --name <app_name> --query outboundIpAddresses --output tsv
(Get-AzWebApp -ResourceGroup <group_name> -name <app_name>).OutboundIpAddresses

To find all possible outbound IP addresses for your app, regardless of pricing tiers, click Properties in your app's left-hand navigation. They are listed in the Additional Outbound IP Addresses field.

You can find the same information by running the following command in the Azure CLI (first line) or Azure PowerShell (second line).

az webapp show --resource-group <group_name> --name <app_name> --query possibleOutboundIpAddresses --output tsv
(Get-AzWebApp -ResourceGroup <group_name> -name <app_name>).PossibleOutboundIpAddresses
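
Because the source IP is picked at random from the outbound set, a back-end firewall that lists only some of those addresses fails intermittently. The following added example (not part of the original page) compares the possibleOutboundIpAddresses value with a firewall allowlist; the function names and all sample addresses are constructed for illustration, and the allowlist is assumed to hold single IPs rather than CIDR ranges.

```shell
#!/bin/sh
# Added example (not from the original page): compare the app's possible
# outbound IPs with a back-end firewall allowlist. All addresses below are
# constructed samples from the RFC 5737 documentation ranges.

# One IP per line, sorted, de-duplicated; accepts comma/space/newline separators.
normalize_ips() {
  printf '%s\n' "$1" | tr ',\t\r ' '\n\n\n\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Print every IP that is in list $1 but not in list $2 (exact string match).
ips_only_in_first() {
  other=$(normalize_ips "$2")
  normalize_ips "$1" | while IFS= read -r ip; do
    printf '%s\n' "$other" | grep -Fxq -- "$ip" || printf '%s\n' "$ip"
  done
}

# $1 = possibleOutboundIpAddresses value, $2 = firewall allowlist.
# Returns 1 when an outbound IP is not allowlisted.
audit_allowlist() {
  missing=$(ips_only_in_first "$1" "$2")
  stale=$(ips_only_in_first "$2" "$1")
  if [ -n "$stale" ]; then
    printf 'STALE (not an outbound IP of this app, remove):\n%s\n' "$stale"
  fi
  if [ -n "$missing" ]; then
    printf 'MISSING (app may connect from these, add):\n%s\n' "$missing"
    return 1
  fi
  return 0
}

# Live input would come from the command shown on this page:
#   possible=$(az webapp show --resource-group <group_name> --name <app_name> \
#     --query possibleOutboundIpAddresses --output tsv)
SAMPLE_POSSIBLE='203.0.113.10,203.0.113.11,203.0.113.12,203.0.113.13,198.51.100.7'
SAMPLE_ALLOWLIST='203.0.113.10
203.0.113.11
198.51.100.7
192.0.2.44'

audit_allowlist "$SAMPLE_POSSIBLE" "$SAMPLE_ALLOWLIST" || echo 'allowlist is incomplete'
```

Outside an App Service Environment these addresses are shared with the other apps in the same deployment unit, so the allowlist should be paired with authentication on the back end and re-audited after any of the changes listed under "When outbound IPs change".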

Next steps

Learn how to restrict inbound traffic by source IP addresses.