Azure Functions 中的 IP 地址IP addresses in Azure Functions

本文介绍以下与函数应用的 IP 地址相关的概念:This article explains the following concepts related to IP addresses of function apps:

  • 查找函数应用当前正在使用的 IP 地址。Locating the IP addresses currently in use by a function app.
  • 导致函数应用 IP 地址更改的条件。Conditions that cause function app IP addresses to changed.
  • 限制可以访问函数应用的 IP 地址。Restricting the IP addresses that can access a function app.
  • 定义函数应用的专用 IP 地址。Defining dedicated IP addresses for a function app.

IP 地址与函数应用而不是单个函数相关联。IP addresses are associated with function apps, not with individual functions. 传入的 HTTP 请求不能使用入站 IP 地址来调用单个函数;它们必须使用默认域名 ( 或自定义域名。Incoming HTTP requests can't use the inbound IP address to call individual functions; they must use the default domain name ( or a custom domain name.

函数应用的入站 IP 地址Function app inbound IP address

每个函数应用具有单个入站 IP 地址。Each function app has a single inbound IP address. 查找该 IP 地址:To find that IP address:

  1. 登录到 Azure 门户Sign in to the Azure portal.
  2. 导航到函数应用。Navigate to the function app.
  3. 在“设置”下,选择“属性” 。Under Settings, select Properties. 入站 IP 地址显示在“虚拟 IP 地址”下面。The inbound IP address appears under Virtual IP address.

函数应用的出站 IP 地址Function app outbound IP addresses

每个函数应用具有一组可用的出站 IP 地址。Each function app has a set of available outbound IP addresses. 从某个函数发起的任何出站连接(例如,与后端数据库的连接)使用某个可用的出站 IP 地址作为源 IP 地址。Any outbound connection from a function, such as to a back-end database, uses one of the available outbound IP addresses as the origin IP address. 无法事先知道给定的连接要使用哪个 IP 地址。You can't know beforehand which IP address a given connection will use. 因此,后端服务必须向函数应用的所有出站 IP 地址开放其防火墙。For this reason, your back-end service must open its firewall to all of the function app's outbound IP addresses.

可以通过 PowerShell cmdlet 查找可用的出站 IP 地址:You can find the available outbound IP addresses is by using the powershell cmdlet:

az webapp show --resource-group <group_name> --name <app_name> --query outboundIpAddresses --output tsv
az webapp show --resource-group <group_name> --name <app_name> --query possibleOutboundIpAddresses --output tsv


对按消耗计划高级计划运行的函数应用进行缩放时,可能会分配新范围的出站 IP 地址。When a function app that runs on the Consumption plan or the Premium plan is scaled, a new range of outbound IP addresses may be assigned. 按上述任一计划运行时,可能需要将整个数据中心添加到允许列表。When running on either of these plans, you may need to add the entire data center to an allow list.

数据中心出站 IP 地址Data center outbound IP addresses

如果需要将函数应用使用的出站 IP 地址添加到允许列表,可以采用另一种做法,即,将函数应用的数据中心(Azure 区域)添加到允许列表。If you need to add the outbound IP addresses used by your function apps to an allowlist, another option is to add the function apps' data center (Azure region) to an allowlist. 可以下载列出所有 Azure 数据中心 IP 地址的 JSON 文件You can download a JSON file that lists IP addresses for all Azure data centers. 然后,找到应用于运行函数应用的区域的 JSON 片段。Then find the JSON fragment that applies to the region that your function app runs in.

例如,“中国北部 2”区域的允许列表可能会如以下 JSON 片段所示:For example, the following JSON fragment is what the allowlist for China North 2 might look like:

  "name": "AzureChinaCloud.chinanorth2",
  "id": "AzureChinaCloud.chinanorth2",
  "properties": {
    "changeNumber": 9,
    "region": "chinanorth2",
    "platform": "Azure",
    "systemService": "",
    "addressPrefixes": [
      ... Some IP addresses not shown here

有关此文件何时更新以及 IP 地址何时更改的信息,请展开下载中心页的“详细信息”部分。For information about when this file is updated and when the IP addresses change, expand the Details section of the Download Center page.

入站 IP 地址更改Inbound IP address changes

如果执行以下操作,入站 IP 地址 可能 会更改:The inbound IP address might change when you:

  • 删除函数应用,然后在不同的资源组中重新创建它。Delete a function app and recreate it in a different resource group.
  • 删除资源组和区域组合中的最后一个函数应用,然后重新创建它。Delete the last function app in a resource group and region combination, and re-create it.
  • 删除 TLS 绑定(例如,在证书续订期间)。Delete a TLS binding, such as during certificate renewal.

当函数应用在消耗计划高级计划中运行时,即使你未执行任何操作(如上面列出的操作),入站 IP 地址也可能会更改。When your function app runs in a Consumption plan or in a Premium plan, the inbound IP address might also change even when you haven't taken any actions such as the ones listed above.

出站 IP 地址更改Outbound IP address changes

如果执行以下操作,函数应用可用的出站 IP 地址集可能会更改:The set of available outbound IP addresses for a function app might change when you:

  • 执行可能更改入站 IP 地址的任何操作。Take any action that can change the inbound IP address.
  • 更改应用服务计划的定价层。Change your App Service plan pricing tier. 应用可在所有定价层中使用的所有可能出站 IP 地址列表在 possibleOutboundIPAddresses 属性中指定。The list of all possible outbound IP addresses your app can use, for all pricing tiers, is in the possibleOutboundIPAddresses property. 请参阅查找出站 IPSee Find outbound IPs.

当函数应用在消耗计划高级计划中运行时,即使你未执行任何操作(如上面列出的操作),出站 IP 地址也可能会更改。When your function app runs in a Consumption plan or in a Premium plan, the outbound IP address might also change even when you haven't taken any actions such as the ones listed above.

请使用以下过程来有意强制出站 IP 地址发生更改:Use the following procedure to deliberately force an outbound IP address change:

  1. 在标准和高级 v2 定价层之间纵向缩放应用服务计划。Scale your App Service plan up or down between Standard and Premium v2 pricing tiers.

  2. 等待 10 分钟。Wait 10 minutes.

  3. 缩放回到最初的层。Scale back to where you started.

IP 地址限制IP address restrictions

可以配置允许或拒绝其访问函数应用的 IP 地址列表。You can configure a list of IP addresses that you want to allow or deny access to a function app. 有关详细信息,请参阅 Azure 应用服务静态 IP 限制For more information, see Azure App Service Static IP Restrictions.

专用 IP 地址Dedicated IP addresses

在函数应用需要静态专用 IP 地址时,可以探索多种策略。There are several strategies to explore when your function app requires static, dedicated IP addresses.

用于出站静态 IP 的虚拟网络 NAT 网关Virtual network NAT gateway for outbound static IP

可以通过使用虚拟网络 NAT 网关引导流量通过静态公共 IP 地址,从而控制来自函数的出站流量的 IP 地址。You can control the IP address of outbound traffic from your functions by using a virtual network NAT gateway to direct traffic through a static public IP address. 高级计划中运行时,可以使用此拓扑。You can use this topology when running in a Premium plan. 若要进行详细的了解,请参阅教程:使用 Azure 虚拟网络 NAT 网关控制 Azure Functions 出站 IPTo learn more, see Tutorial: Control Azure Functions outbound IP with an Azure virtual network NAT gateway.

应用服务环境App Service Environments

若要对入站和出站的 IP 地址都进行完全控制,建议使用应用服务环境(应用服务计划的独立层)。For full control over the IP addresses, both inbound and outbound, we recommend App Service Environments (the Isolated tier of App Service plans). 有关详细信息,请参阅应用服务环境 IP 地址For more information, see App Service Environment IP addresses.

确定函数应用是否在应用服务环境中运行:To find out if your function app runs in an App Service Environment:

  1. 登录到 Azure 门户Sign in to the Azure portal.
  2. 导航到函数应用。Navigate to the function app.
  3. 选择“概述”选项卡。Select the Overview tab.
  4. 应用服务计划层显示在“应用服务计划/定价层”下面。The App Service plan tier appears under App Service plan/pricing tier. 应用服务环境定价层为“隔离”。The App Service Environment pricing tier is Isolated.

或者,可以使用 PowerShell cmdlet:As an alternative, you can use the powershell cmdlet:

az webapp show --resource-group <group_name> --name <app_name> --query sku --output tsv

应用服务环境的 sku 为“Isolated”。The App Service Environment sku is Isolated.

后续步骤Next steps

IP 发生更改的常见原因之一是函数应用的规模发生更改。A common cause of IP changes is function app scale changes. 详细了解函数应用的缩放Learn more about function app scaling.