
Azure Function App using outbound IP Address that is not in possibleOutboundIpAddresses

Open SOFSPEEL opened this issue 3 years ago • 10 comments

My function app is using an outbound ip address that is not in the possibleOutboundIpAddresses.

Note that I find the possibleOutboundIpAddresses the right way using the resource manager: https://resources.azure.com/subscriptions{MySubscription}/providers/Microsoft.Web/sites

Most of the calls from the Azure Function App to my Api Management Service work properly because all the Azure Functions IPs in the function app's possibleOutboundIpAddresses have allowed access to the Azure Api Management Service via an ip-filter policy (I manually created the ip-filter).

Azure Function App => Azure Api Management Service (with ip-filter, where the Azure Function App's possibleOutboundIpAddresses are in the allowed list), note that the Api Management Service is just acting as a reverse proxy (i.e. pass thru proxy), access to the proxy is limited via ip-filter policy.

Occasionally, however, I see a CallerIpNotAllowed in app insights (AI) logs (i.e. call is not making it by the ip-filter). I even know which ip address is the culprit because I've set the DisableIpMasking to true in AI. It is shown in the screenshot below.

Note that I checked and this ip is owned by Microsoft, so I assume it is an Azure ip, and it originates from the function app.

[Image: Screen Shot 2021-01-24 at 6 26 49 PM]

Investigative information

Please provide the following:

  • Timestamp:
  • Function App version: '3.0.14916.0 (~3.0.14916)'.
  • Function App name: TopRanksJunkProd
  • Invocation ID: e4248bd4-5c21-4339-b502-4162d34ade06
  • Region: South Central US
  • This is a Windows function app.

Repro steps

Have a function on a 6 hour timer; after some time, this problem will turn up.

Expected behavior

Since all IPs listed in the function app's possibleOutboundIpAddresses are in Api mgmt's allowed list, expect no CallerIpNotAllowed from Api mgmt's ip-filter policy.

Note that calls from our App Servers don't have the same issue, i.e. they adhere to their possibleOutboundIpAddresses list; this only happens in function apps. This is the second function app with this issue.

Actual behavior

Getting many CallerIpNotAllowed, including the call with the above invocation id, which leads to a CallerIpNotAllowed.

Known workarounds

Haven't tried this yet, but assume I could just add the ip shown in the screenshot to the API Management server's allowed IPs.

SOFSPEEL, Jan 25 '21 02:01
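The check described in the issue above, as an added example that is not part of the original post or the project's code: it compares a site's `outboundIpAddresses` and `possibleOutboundIpAddresses` with an API Management `ip-filter` allow list, and flags observed caller IPs that fall outside the declared set. The site JSON, the policy XML and the caller IPs are constructed samples using documentation-range addresses; the function names are hypothetical.

```python
import ipaddress
import json
import xml.etree.ElementTree as ET

# Constructed sample of a Microsoft.Web/sites resource (documentation-range IPs).
SITE_JSON = """{"properties": {
  "outboundIpAddresses": "203.0.113.10,203.0.113.11",
  "possibleOutboundIpAddresses": "203.0.113.10,203.0.113.11,203.0.113.12,198.51.100.7"}}"""

# Constructed sample of an API Management inbound policy with an ip-filter.
POLICY_XML = """<inbound><ip-filter action="allow">
  <address>203.0.113.10</address>
  <address>203.0.113.11</address>
  <address-range from="198.51.100.0" to="198.51.100.15" />
</ip-filter></inbound>"""

def site_ips(site_json):
    """Union of current and possible outbound IPs declared on the site."""
    props = json.loads(site_json)["properties"]
    ips = set()
    for key in ("outboundIpAddresses", "possibleOutboundIpAddresses"):
        ips.update(ipaddress.ip_address(p.strip())
                   for p in props.get(key, "").split(",") if p.strip())
    return ips

def allowed_ranges(policy_xml):
    """(low, high) pairs from every ip-filter with action="allow"."""
    ranges = []
    for flt in ET.fromstring(policy_xml).iter("ip-filter"):
        if flt.get("action") != "allow":
            continue  # forbid filters are out of scope for this check
        for a in flt.findall("address"):
            ip = ipaddress.ip_address(a.text.strip())
            ranges.append((ip, ip))
        for r in flt.findall("address-range"):
            ranges.append((ipaddress.ip_address(r.get("from")),
                           ipaddress.ip_address(r.get("to"))))
    return ranges

def is_allowed(ip, ranges):
    # Compare only within the same IP version; mixed comparison raises TypeError.
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)

def audit(site_json, policy_xml, observed_callers):
    declared, ranges = site_ips(site_json), allowed_ranges(policy_xml)
    return {
        "declared_but_not_allowed": sorted(
            str(i) for i in declared if not is_allowed(i, ranges)),
        "observed_outside_declared": sorted(
            c for c in observed_callers if ipaddress.ip_address(c) not in declared),
    }
```

An empty `declared_but_not_allowed` with a non-empty `observed_outside_declared` matches the situation reported here: the allow list covers everything the platform declares, yet a caller IP outside that set still appears.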