---
title: Control Azure Functions outbound IP with an Azure virtual network NAT gateway
description: A step-by-step tutorial that shows you how to configure NAT for a function connected to an Azure virtual network
ms.topic: tutorial
ms.author: kyburns
ms.date: 2/26/2021
---
Virtual network address translation (NAT) simplifies outbound-only internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses your specified static public IP addresses. A NAT can be useful for Azure Functions or Web Apps that need to consume a third-party service that uses an allowlist of IP addresses as a security measure. To learn more, see What is Virtual Network NAT?.
This tutorial shows you how to use virtual network NATs to route outbound traffic from an HTTP triggered function. This function lets you check its own outbound IP address. During this tutorial, you'll:
[!div class="checklist"]
- Create a virtual network
- Create a Premium plan function app
- Create a public IP address
- Create a NAT gateway
- Configure function app to route outbound traffic through the NAT gateway
The following diagram shows the architecture of the solution that you create:
Functions running in the Premium plan have the same hosting capabilities as web apps in Azure App Service, which includes the VNet Integration feature. To learn more about VNet Integration, including troubleshooting and advanced configuration, see Integrate your app with an Azure virtual network.
For this tutorial, it's important that you understand IP addressing and subnetting. You can start with this article that covers the basics of addressing and subnetting. Many more articles and videos are available online.
If you don’t have an Azure subscription, create a free account before you begin.
If you've already completed the integrate Functions with an Azure virtual network tutorial, you can skip to Create an HTTP trigger function.
1. From the Azure portal menu, select Create a resource. From the Azure Marketplace, select Networking > Virtual network.

1. In Create virtual network, enter or select the settings specified as shown in the following table:

    | Setting | Value |
    |---|---|
    | Subscription | Select your subscription. |
    | Resource group | Select Create new, enter myResourceGroup, then select OK. |
    | Name | Enter myResourceGroup-vnet. |
    | Location | Select East US. |

1. Select Next: IP Addresses, and for IPv4 address space, enter 10.10.0.0/16.

1. Select Add subnet, then enter Tutorial-Net for Subnet name and 10.10.1.0/24 for Subnet address range.

1. Select Add, then select Review + create. Leave the rest as default and select Create.

1. In Create virtual network, select Create.
Next, you create a function app in the Premium plan. This plan provides serverless scale while supporting virtual network integration.
This tutorial shows you how to create your function app in a Premium plan. The same functionality is also available when using a Dedicated (App Service) plan.
> [!NOTE]
> For the best experience in this tutorial, choose .NET for the runtime stack and Windows for the operating system. Also, create your function app in the same region as your virtual network.
[!INCLUDE functions-premium-create]
You can now connect your function app to the virtual network.
1. In your function app, select Networking in the left menu, then under VNet Integration, select Click here to configure.

    :::image type="content" source="./media/functions-how-to-use-nat-gateway/networking-0.png" alt-text="Choose networking in the function app":::

1. On the VNET Integration page, select Add VNet.

1. In Network Feature Status, use the settings in the following table:

    | Setting | Suggested value | Description |
    |---|---|---|
    | Virtual Network | MyResourceGroup-vnet | This virtual network is the one you created earlier. |
    | Subnet | Create New Subnet | Create a subnet in the virtual network for your function app to use. VNet Integration must be configured to use an empty subnet. |
    | Subnet name | Function-Net | Name of the new subnet. |
    | Virtual network address block | 10.10.0.0/16 | You should only have one address block defined. |
    | Subnet Address Block | 10.10.2.0/24 | The subnet size restricts the total number of instances that your Premium plan function app can scale out to. This example uses a /24 subnet with 254 available host addresses. This subnet is over-provisioned, but easy to calculate. |

1. Select OK to add the subnet. Close the VNet Integration and Network Feature Status pages to return to your function app page.
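The Subnet Address Block row states that the subnet size caps how far the Premium plan can scale out. The following added example (not part of the original tutorial) checks the tutorial's address plan with Python's `ipaddress` module: that Function-Net and Tutorial-Net both sit inside 10.10.0.0/16, that they do not overlap, and how many instance addresses a subnet provides once Azure's five reserved addresses per subnet are subtracted (251 for a /24, rather than the 254 a plain /24 would suggest). The subnet names and prefixes are the tutorial's suggested values; the assumption that they are the only subnets in the network is mine.

```python
import ipaddress
from typing import Dict, List

# Constructed from the tutorial's suggested values; assumes these are the only
# subnets in the virtual network.
VNET_ADDRESS_BLOCK = "10.10.0.0/16"
SUBNETS = {
    "Tutorial-Net": "10.10.1.0/24",  # created together with the virtual network
    "Function-Net": "10.10.2.0/24",  # empty subnet used for VNet Integration
}

# Azure reserves the first four addresses and the last address of every subnet
# (network address, default gateway, two DNS-mapping addresses, broadcast).
AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_PREFIX = 29  # /29 is the smallest subnet Azure allows


def usable_hosts(cidr: str) -> int:
    """Addresses left for function instances after Azure's reservations."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def smallest_prefix_for(instances: int) -> int:
    """Longest prefix (smallest subnet) with room for `instances` addresses."""
    for prefix in range(AZURE_SMALLEST_PREFIX, -1, -1):
        if usable_hosts(f"0.0.0.0/{prefix}") >= instances:
            return prefix
    raise ValueError("instance count exceeds any IPv4 subnet")


def validate_plan(vnet_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the layout is consistent."""
    problems = []
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    nets = {}
    for name, cidr in subnets.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")  # e.g. host bits set in the prefix
            continue
        if not nets[name].subnet_of(vnet):
            problems.append(f"{name} ({cidr}) is outside the address block {vnet_cidr}")
    names = list(nets)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if nets[first].overlaps(nets[second]):
                problems.append(f"{first} and {second} overlap")
    return problems
```

`validate_plan(VNET_ADDRESS_BLOCK, SUBNETS)` returns an empty list for the tutorial's layout, and `usable_hosts("10.10.2.0/24")` gives the 251 instance addresses Function-Net actually offers.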
The function app can now access the virtual network. Next, you'll add an HTTP-triggered function to the function app.
1. From the left menu of the Functions window, select Functions, then select Add from the top menu.

1. From the New Function window, select Http trigger and accept the default name for New Function, or enter a new name.

1. In Code + Test, replace the template-generated C# script (.csx) code with the following code:

    ```csharp
    #r "Newtonsoft.Json"

    using System.Net;
    using System.Net.Http;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Extensions.Primitives;
    using Newtonsoft.Json;

    // Reuse one HttpClient across invocations instead of creating one per request.
    static readonly HttpClient client = new HttpClient();

    public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
    {
        log.LogInformation("C# HTTP trigger function processed a request.");

        // ifconfig.me echoes the public IP address the request arrived from,
        // which is the outbound IP address of this function app.
        var response = await client.GetAsync(@"https://ifconfig.me");
        var responseMessage = await response.Content.ReadAsStringAsync();

        return new OkObjectResult(responseMessage);
    }
    ```
This code calls an external website that returns the IP address of the caller, which in this case is this function. This method lets you easily determine the outbound IP address being used by your function app.
Now you're ready to run the function and check the current outbound IPs.
Now, you can run the function. But first, check in the portal to see which outbound IPs are being used by the function app.
1. In your function app, select Properties and review the Outbound IP Addresses field.

1. Now, return to your HTTP trigger function, select Code + Test and then Test/Run.

1. Select Run to execute the function, then switch to the Output.

1. Verify that the IP address in the HTTP response body is one of the values from the outbound IP addresses you viewed earlier.
Now, you can create a public IP and use a NAT gateway to modify this outbound IP address.
1. From your resource group, select Add, search the Azure Marketplace for Public IP address, and select Create. Use the settings in the following table:

    | Setting | Suggested value |
    |---|---|
    | IP Version | IPv4 |
    | SKU | Standard |
    | Tier | Regional |
    | Name | Outbound-IP |
    | Subscription | Ensure your subscription is displayed |
    | Resource group | myResourceGroup (or the name you assigned to your resource group) |
    | Location | East US (or the location you assigned to your other resources) |
    | Availability Zone | No Zone |

1. Select Create to submit the deployment.

1. Once the deployment completes, navigate to your newly created Public IP Address resource and view the IP Address in the Overview.
Now, let's create the NAT gateway. If you started from the previous virtual networking tutorial, Function-Net was the suggested subnet name and MyResourceGroup-vnet was the suggested virtual network name in that tutorial.
1. From your resource group, select Add, search the Azure Marketplace for NAT gateway, and select Create. Use the settings in the following table to populate the Basics tab:

    | Setting | Suggested value |
    |---|---|
    | Subscription | Your subscription |
    | Resource group | myResourceGroup (or the name you assigned to your resource group) |
    | NAT gateway name | myNatGateway |
    | Region | East US (or the location you assigned to your other resources) |
    | Availability Zone | None |

1. Select Next: Outbound IP. In the Public IP addresses field, select the previously created public IP address. Leave Public IP Prefixes unselected.

1. Select Next: Subnet. Select the myResourceGroup-vnet resource in the Virtual network field and the Function-Net subnet.

1. Select Review + Create, then Create to submit the deployment.
Once the deployment completes, the NAT gateway is ready to route traffic from your function app subnet to the Internet.
Now, you must add an application setting WEBSITE_VNET_ROUTE_ALL set to a value of 1. This setting forces outbound traffic through the virtual network and its associated NAT gateway. Without this setting, internet traffic isn't routed through the integrated virtual network, and you'll see the same outbound IPs as before.
1. Navigate to your function app in the Azure portal and select Configuration from the left-hand menu.

1. Under Application settings, select + New application setting and use the following values to fill out the fields:

    | Field Name | Value |
    |---|---|
    | Name | WEBSITE_VNET_ROUTE_ALL |
    | Value | 1 |

1. Select OK to close the new application setting dialog.

1. Select Save and then Continue to save the settings.
The function app is now configured to route traffic through its associated virtual network.
Repeat the steps earlier to run the function again. You should now see the outbound IP address that you configured in the NAT shown in the function output.
You created resources to complete this tutorial. You'll be billed for these resources, depending on your account status and service pricing. To avoid incurring extra costs, delete the resources when you no longer need them.
[!INCLUDE functions-quickstart-cleanup-inner]
> [!div class="nextstepaction"]
> Azure Functions networking options