Reputation: 21
I need to access an SFTP server from an Azure Function App using a single static outbound private IP address. Ideally, I would like to access the same SFTP server using an Azure Logic App too, to use the SFTP file trigger to call the Azure Function app. However, that is not so important; I could use a timer trigger on the Azure Function.
I've not tried an Azure virtual network NAT gateway because that only utilises Public IP addresses.
Upvotes: 2
Views: 1232
Reputation: 84
As you mentioned, a NAT gateway can be used to send the traffic from a single IP address, but it would be a public IP. There is no straightforward way to achieve this scenario; however, if you can introduce additional networking components in between, it can be achieved.
Please refer to the below diagram for the following explanation:
First, you need to run the Azure function app in a dedicated App Service plan so that it will have a set of static outbound IP addresses. Once it is integrated with a VNet, you will get a set of private outbound IP addresses. Subnet 1, where the function app is present, should have a UDR table which routes the traffic to subnet 3 via the Azure Firewall. You will have to configure SNAT private IP at the Azure Firewall so that the traffic goes through a single private IP address. Now the traffic to the SFTP would go through a single private IP address.
Please note that there is no SFTP trigger for Azure Functions. You can upload files to blob storage and have a blob storage trigger function.
Upvotes: 2
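An added example, not part of the answer above: a pre-deployment check of the described design (UDR on the function subnet, SNAT at the firewall). The addresses, the tuple-based route table and the function names are constructed assumptions; the no-SNAT list reflects Azure Firewall's documented default of not SNATing RFC 1918 and 100.64.0.0/10 destinations.

```python
import ipaddress as ip

# Azure Firewall's documented default: destinations in these ranges are NOT SNATed.
DEFAULT_NO_SNAT = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"]

def next_hop(routes, dest):
    """Longest-prefix match over a UDR table of (prefix, hop_type, hop_ip)."""
    d = ip.ip_address(dest)
    hits = [r for r in routes if d in ip.ip_network(r[0])]
    return max(hits, key=lambda r: ip.ip_network(r[0]).prefixlen, default=None)

def firewall_snats(dest, private_ranges=DEFAULT_NO_SNAT):
    """True if the firewall would rewrite the source address for this destination."""
    d = ip.ip_address(dest)
    return not any(d in ip.ip_network(p) for p in private_ranges)

def check_design(routes, firewall_ip, sftp_ip, private_ranges=DEFAULT_NO_SNAT):
    """Return a list of findings; an empty list means both conditions hold."""
    findings = []
    hop = next_hop(routes, sftp_ip)
    if hop is None or hop[1] != "VirtualAppliance" or hop[2] != firewall_ip:
        findings.append("UDR does not send SFTP traffic to the firewall")
    if not firewall_snats(sftp_ip, private_ranges):
        findings.append("firewall will not SNAT: destination is in the private ranges")
    return findings

# Constructed sample values (hypothetical addressing plan).
FIREWALL_IP = "10.1.2.4"   # firewall private IP
SFTP_IP = "10.50.0.10"     # private SFTP server
ROUTES = [
    ("0.0.0.0/0", "Internet", None),
    ("10.50.0.0/16", "VirtualAppliance", FIREWALL_IP),
]

if __name__ == "__main__":
    # Default private ranges: traffic reaches the firewall but keeps its source IP.
    print(check_design(ROUTES, FIREWALL_IP, SFTP_IP))
    # Private ranges set to 255.255.255.255/32: the firewall always SNATs.
    print(check_design(ROUTES, FIREWALL_IP, SFTP_IP, ["255.255.255.255/32"]))
```

With the default ranges the check reports that the private SFTP destination would not be SNATed, which is why the firewall's private-range setting has to be changed for this design.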