
Taken from this article.

Any outbound connection from the App Service app, such as to a
back-end database, uses one of the outbound IP addresses as the origin
IP address.

Why can’t it just use the inbound IP address, which I thought would be the IP address of the VM or whatever it is that is running the app service?

Does this mean if my app service calls an API, that API would receive a request with one of the outbound IP addresses as the value for X-Forwarded-For?

How does it know which IP address to use?

Why does it need multiple outbound IP addresses?

2 Answers


  1. Why can’t it just use the inbound IP address, which I thought would be the IP address of the VM or whatever it is that is running the app service?

    The inbound IP is not a virtual machine, but a load balancer IP; otherwise, when you scale out, you would need to know multiple inbound IP addresses and configure a load balancer for the instances yourself.

    Does this mean if my app service calls an API, that API would receive a request with one of the outbound IP addresses as the value for X-Forwarded-For?

    If you don’t have any proxy or application gateway, then yes.

    How does it know which IP address to use?

    Every TCP and UDP packet contains a source port number and a
    destination port number. Each of those packets is encapsulated in an
    IP packet, whose IP header contains a source IP address and a
    destination IP address.

    https://en.wikipedia.org/wiki/Network_address_translation

    Why does it need multiple outbound IP addresses?

    Depending on your SLA uptime, you may need to host your application in multiple regions / availability zones. This means the datacenters won’t have the same IP addresses, which is why it has many outbound IP addresses.

  2. There is an entire article on docs which talks about the different IP addresses when it comes to App Services: https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips

    To get a single outbound IP address, you could, for example, use VNet integration with your App Service and then use NAT Gateway or Azure Firewall for egress.

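An added example, not part of either answer: one way a back-end could allowlist an App Service by its outbound addresses, comparing the source address of the connection and reading X-Forwarded-For only when the connection arrives from a proxy it trusts. The address lists, the proxy address and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values, in the comma-separated form App Service reports
# for its outboundIpAddresses / possibleOutboundIpAddresses properties.
OUTBOUND = "203.0.113.10,203.0.113.11"
POSSIBLE_OUTBOUND = "203.0.113.10,203.0.113.11,198.51.100.20,198.51.100.21"
# Constructed address of a reverse proxy that the back-end itself sits behind.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.4")}


def parse_ip_list(value):
    """Turn 'a,b,c' into a set of ip_address objects; malformed items raise."""
    return {ipaddress.ip_address(p.strip()) for p in value.split(",") if p.strip()}


def client_address(peer, headers):
    """Return the address to authorize.

    peer is the source address of the TCP connection. X-Forwarded-For is text
    supplied by the sender, so it is read only when the peer is a trusted
    proxy, and then only the right-most entry (the one that proxy appended).
    """
    peer_ip = ipaddress.ip_address(peer)
    xff = headers.get("X-Forwarded-For", "")
    if peer_ip in TRUSTED_PROXIES and xff:
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer_ip


def is_allowed(peer, headers, allowlist):
    """True when the authorized address is in the allowlist; deny on bad input."""
    try:
        return client_address(peer, headers) in allowlist
    except ValueError:  # malformed address in peer or header
        return False


# Allowlisting the "possible" set keeps working when the app moves to an
# address that is not in the currently used set.
ALLOWLIST = parse_ip_list(POSSIBLE_OUTBOUND)

if __name__ == "__main__":
    print(is_allowed("198.51.100.20", {}, ALLOWLIST))                             # direct call
    print(is_allowed("192.0.2.55", {"X-Forwarded-For": "203.0.113.10"}, ALLOWLIST))  # forged header
```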