0

I am currently deploying an ASP.NET Core Web API on Azure App Service and I need this service to utilize a static public IP address. The reason behind this requirement is that there is a 3rd party integration which necessitates IP whitelisting.

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_web_app

Moreover, I also plan to deploy the same ASP.NET Core Web API in Azure Container Registry (ACR) and leverage Azure Kubernetes Service (AKS) for orchestration. I mention this in case it impacts the process of assigning the static public IP to the Azure App Service.

Edit

I created a simple App Service using Terraform code:

resource "azurerm_service_plan" "asp" {
  name                = "${local.basename}-asp"
  resource_group_name = module.resource_group.name
  location            = var.location
  os_type             = "Linux"
  sku_name            = "P1v2"
}

resource "azurerm_linux_web_app" "app" {
  name                = "${local.basename}-app"
  resource_group_name = module.resource_group.name
  location            = var.location
  service_plan_id     = azurerm_service_plan.asp.id

  site_config {}
}

enter image description here

Does that mean that if I whitelist all of these IP addresses in Binance's API key, it's going to be okay? Just to clarify, if I wanted to have a single outbound IP address, then I would have needed NAT Gateway, right?

Improve this question
10
  • 1
    learn.microsoft.com/en-us/azure/app-service/… Commented Jul 24, 2023 at 15:41
  • @silent, thanks for that! Looks like this is getting a list of all outbound IP addresses which I can whitelist? Is that correct? As long as these IP address will not change ever, then I'm fine with it. Commented Jul 24, 2023 at 16:01
  • @silent, I was looking at some other posts, but they're creating azurerm_virtual_network, followed by azurerm_public_ip, subnet, etc. But it looks like creating a virtual network and subnet is meant to be used in cases where you have two applications and you want both of them to use the same IP address? Commented Jul 24, 2023 at 16:02
  • 1
    "When can an inbound IP change?" learn.microsoft.com/en-us/azure/app-service/… Using a public IP with an App Service is not a supported scenario. If you really want a single public IP that you can control, I suggest you rather look at AKS learn.microsoft.com/en-us/azure/aks/… Commented Jul 24, 2023 at 16:10
  • 1
    @MaxPower, sorry for the late reply. Yes, I did. Will post it as an answer. Commented Oct 24, 2023 at 11:52

1 Answer 1

Reset to default
1

This is more or less what I did to achieve what I needed. Additionally, I've broken it down into modules as it's best practices, but for the sake of simplicity of this answer, I would keep it that way.

resource "azurerm_service_plan" "asp" {
  name                = "${local.basename}-asp"
  resource_group_name = module.resource_group.name
  location            = var.location
  os_type             = "Linux"
  sku_name            = "S1"
}

resource "azurerm_linux_web_app" "app" {
  name                = "${local.basename}-app"
  resource_group_name = module.resource_group.name
  location            = var.location
  service_plan_id     = azurerm_service_plan.asp.id

  site_config {
    vnet_route_all_enabled = true # WEBSITE_VNET_ROUTE_ALL
  }

  tags = var.tags
}

resource "azurerm_virtual_network" "vnet" {
  name                = "${local.basename}-vnet"
  resource_group_name = module.resource_group.name
  location            = var.location
  address_space       = ["10.0.0.0/16"]

  tags = var.tags
}

resource "azurerm_subnet" "snet" {
  name                 = "${local.basename}-linuxapp-snet"
  resource_group_name  = module.resource_group.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]

  delegation {
    name = "delegation"

    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

resource "azurerm_subnet_nat_gateway_association" "example" {
  subnet_id      = azurerm_subnet.snet.id
  nat_gateway_id = azurerm_nat_gateway.ng.id
}

resource "azurerm_public_ip" "pip" {
  name                = "${local.basename}-pip"
  resource_group_name = module.resource_group.name
  location            = var.location
  allocation_method   = "Static"
  sku                 = "Standard"

  tags = var.tags
}

resource "azurerm_nat_gateway" "ng" {
  name                    = "${local.basename}-ng"
  resource_group_name     = module.resource_group.name
  location                = var.location
  sku_name                = "Standard"
  idle_timeout_in_minutes = 10

  tags = var.tags
}

resource "azurerm_nat_gateway_public_ip_association" "association" {
  nat_gateway_id       = azurerm_nat_gateway.ng.id
  public_ip_address_id = azurerm_public_ip.pip.id
}

resource "azurerm_app_service_virtual_network_swift_connection" "example" {
  app_service_id = azurerm_linux_web_app.app.id
  subnet_id      = azurerm_subnet.snet.id
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.