Binil

Reputation: 117

Different IP address of app service found in storage blob logs. Not in outbound IP list

I have a web app deployed in Azure App Service which uploads files to a blob container. Both the App Service and the blob are in the same resource group and region. After uploading a file successfully, when I check the diagnostic logs of the storage container I see a different IP address. This IP address does not belong to the list of outbound IPs mentioned in the App Service. Why is it like that? Where does this IP come from?

Update: The IP address is shown as private IP address if I search for it.

Regards, Binil

Upvotes: 1

Views: 826

Answers (1)

Nancy Xiong

Reputation: 28264

Generally, when a web app makes an outbound call to the internet, it uses a set of predefined IP addresses. A storage account could have a public or private endpoint to accept the request.

First, you could check whether the specific private IP you mentioned is the client request IP from the App Service to the storage account.

In this case, one of the possible reasons is that you have integrated your app with an Azure virtual network and enabled the integrated VNet service endpoint for Microsoft.Storage. This allows the web app to access an Azure storage account from a virtual network. See how Azure selects a route for more details.

Edit

From this document,

Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you cannot restrict access to specific Azure services based on their public outbound IP address range.

Thus, it's properly using a private IP address from the App Service to your Azure storage account in the same region over the Azure backbone network. To validate it, you can use a storage account in a different region than the App Service.

Upvotes: 2
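
An added example, not part of the original answer: a Python triage over storage log records that separates caller IPs on the App Service outbound list from private addresses (which the quoted documentation says are expected for same-region services) and from other public addresses. The record shape (JSON lines with a `callerIpAddress` field in `ip:port` form), the outbound IP list and all sample values are constructed assumptions.

```python
import ipaddress
import json
from collections import Counter

# Assumption: outbound IPs copied from the App Service properties (constructed values).
APP_OUTBOUND_IPS = {"198.51.100.10", "198.51.100.11"}

# RFC 1918 ranges plus the RFC 6598 shared range, treated here as "not a public outbound IP".
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample records; the field name and "ip:port" shape are assumptions.
SAMPLE_LOG = """\
{"operationName": "PutBlob", "statusCode": 201, "callerIpAddress": "10.0.4.23:51544"}
{"operationName": "PutBlob", "statusCode": 201, "callerIpAddress": "198.51.100.10:40112"}
{"operationName": "GetBlob", "statusCode": 200, "callerIpAddress": "203.0.113.77:6021"}
{"operationName": "PutBlob", "statusCode": 201, "callerIpAddress": "not-an-ip"}
"""

def caller_ip(value):
    """Strip the port from 'ip:port' or '[v6]:port'; return None if unparsable."""
    host = value.strip()
    if host.startswith("["):
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:
        host = host.split(":", 1)[0]
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def classify(value, outbound=APP_OUTBOUND_IPS):
    """Label one caller address relative to the app's published outbound IPs."""
    ip = caller_ip(value)
    if ip is None:
        return "unparsable"
    if str(ip) in outbound:
        return "listed-outbound"
    if any(ip.version == net.version and ip in net for net in NON_PUBLIC_NETS):
        return "private"  # same-region or VNet path: no public outbound IP to match
    return "unlisted-public"

def triage(log_text):
    """Count log records per label so unexpected public callers stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(json.loads(line).get("callerIpAddress", ""))] += 1
    return dict(counts)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Records labelled `private` cannot be matched by an allow rule built from public outbound IPs, so review them against the app's region and VNet integration; `unlisted-public` records are the ones to investigate first.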
