Allow list IPs for Azure Function App on consumption tier

We're publishing some events to Azure Service Bus and using Azure Function App as an event handler. From the Azure Function App we need to make some outbound calls to a partner API, but the partner wants to configure some firewall restrictions. I know we can use premium tier Function App and implement virtual network NAT gateway, to control the outbound IP, but we're trying to do this on the cheap with consumption tier Function App... I can see the list of outboundIpAddresses and possibleOutboundIpAddresses IP addresses in Azure Resource Explorer under subscriptions > {your subscription} > providers > Microsoft.Web > sites.

In Azure addresses in Azure Functions, it says:

The set of outboundIpAddresses is currently available to the function app. The set of possibleOutboundIpAddresses includes IP addresses that will be available only if the function app scales to other pricing tiers.

The relative stability of the outbound IP address depends on the hosting plan.

Because of autoscaling behaviors, the outbound IP can change at any time when running on a Consumption plan or in a Premium plan.

Seems like I shouldn't use outboundIpAddresses for the allow list when using consumption tier Function App, but it doesn't say anything explicitly about possibleOutboundIpAddresses... Would it be OK to add the IP list from possibleOutboundIpAddresses to the allow list? Is it possible that this list will change?

FWIW If I look at 2 different function apps (same region), they both have 10 IPs listed for possibleOutboundIpAddresses, and they were completely different lists.



Solution 1:[1]

Both outboundIpAddresses and possibleOutboundIpAddresses do not apply to consumption function apps. It is possible that the outbound IP address can be outside the possibleOutboundIpAddresses list.

For consumption tier function App the solution in this scenario will be to add to the allow list all Data center outbound IP addresses as described in the documentation.
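One way to turn the data center ranges into an allow list, as an added example that is not part of the original answer: it assumes the ranges come from the "Azure IP Ranges and Service Tags" JSON download and that the region's tag is named AzureCloud.<region>. The sample document, its prefixes and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout of the "Azure IP Ranges and Service Tags"
# JSON download; the prefixes are documentation ranges, not real Azure ranges.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 2,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.westeurope",
         "properties": {"changeNumber": 2, "region": "westeurope",
                        "addressPrefixes": ["192.0.2.0/25", "192.0.2.128/25",
                                            "198.51.100.0/24", "2001:db8:1::/48"]}},
        {"name": "AzureCloud.northeurope",
         "properties": {"changeNumber": 1, "region": "northeurope",
                        "addressPrefixes": ["203.0.113.0/24"]}},
    ],
})


def region_prefixes(service_tags_json, region):
    """Return (changeNumber, collapsed networks) for the AzureCloud.<region> tag."""
    doc = json.loads(service_tags_json)
    tag_name = f"AzureCloud.{region}".lower()
    for tag in doc["values"]:
        if tag["name"].lower() == tag_name:
            props = tag["properties"]
            nets = [ipaddress.ip_network(p, strict=True) for p in props["addressPrefixes"]]
            v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
            v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
            return props["changeNumber"], list(v4) + list(v6)
    raise KeyError(f"service tag {tag_name!r} not found")


def needs_refresh(applied_change_number, service_tags_json, region):
    """True when the tag changed since the allow list was last pushed."""
    current, _ = region_prefixes(service_tags_json, region)
    return current != applied_change_number


def is_covered(ip, networks):
    """Check whether an observed outbound IP falls inside the allow list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


if __name__ == "__main__":
    change, nets = region_prefixes(SAMPLE_SERVICE_TAGS, "westeurope")
    print(change, [str(n) for n in nets])
```

The regional tag covers outbound traffic from every Azure customer in that region, so the resulting allow list narrows the source to the data center rather than to this one function app.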

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 d219