Static IPs for Azure Functions, Data Factory, and Power Automate

QuotaGuard Engineering
March 26, 2026

Azure's serverless and integration services share a common problem: outbound IP addresses are unpredictable. Azure Functions rotate IPs across a pool. Data Factory pipelines egress from shared ranges. Power Automate connectors run on Microsoft's multi-tenant infrastructure with no IP guarantees.

If you're integrating with a partner API, a firewalled database, or any service that requires IP whitelisting, this creates a real problem.

The Azure Outbound IP Situation

Azure Functions assigns a set of possible outbound IPs to your function app. You can see them in the portal under Properties. But "possible" is the key word. The actual IP used for any given request can be any address in that set. The set changes when you scale, redeploy, or when Azure moves your function between infrastructure. Premium and Dedicated plans give you more control, but even those don't guarantee a single static IP for outbound traffic.

Azure Data Factory pipelines use Azure Integration Runtime by default. Outbound IPs come from a pool specific to your region, but the pool is shared across customers. Microsoft publishes the ranges, but they're broad. A partner who needs to whitelist your traffic isn't going to open their firewall to a range that includes thousands of other Azure customers.

Power Automate runs on Microsoft's shared connectors infrastructure. Outbound IPs are published as service tags, but they cover the entire Power Automate service in your region. Same problem.

Why This Matters

The scenario usually looks like this. Your Azure Function calls a partner's API. The partner requires IP whitelisting. You look up your function app's outbound IPs and find a list of 6-8 addresses. You send them to the partner. A month later, Azure rotates the pool and your integration breaks. Or the partner looks at the list and says they can only whitelist two IPs, not eight.

Data Factory has the same issue when pulling data from firewalled sources. You need to access a customer's SFTP server or a database behind a corporate firewall. They need an IP to whitelist. You can't give them a stable one.

The Fix: Route Through a Static Proxy

QuotaGuard gives you two dedicated static IP addresses. You route your outbound traffic through the proxy. Partners whitelist those two IPs. They don't change.

Azure Functions with HTTP Proxy

For HTTP/HTTPS API calls from Azure Functions, set the proxy URL as an environment variable and use it in your HTTP client:

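import os
import requests

proxy_url = os.environ.get('QUOTAGUARD_URL')
if not proxy_url:
    # Fail closed: without the proxy, requests would egress from Azure's rotating IP pool
    raise RuntimeError('QUOTAGUARD_URL is not set')

proxies = {
    'http': proxy_url,
    'https': proxy_url
}

# A timeout keeps a stalled proxy or partner API from hanging the function
response = requests.get('https://api.partner.com/data', proxies=proxies, timeout=10)
response.raise_for_status()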

In your Azure Function App settings, add QUOTAGUARD_URL with your proxy connection string. Deploy. Your outbound HTTP calls now come from two static IPs.

Azure Data Factory with Self-Hosted Integration Runtime

Data Factory's default Azure IR doesn't support proxy configuration directly. The workaround is a Self-Hosted Integration Runtime on a VM or container that routes traffic through QuotaGuard.

Set up a Self-Hosted IR on an Azure VM. Configure the VM's environment to route traffic through the proxy. Data Factory pipelines using that IR will egress through your static IPs.

This is more setup than a simple function app, but it solves the IP whitelisting problem for Data Factory pipelines that connect to firewalled sources.

Power Automate with Custom Connectors

Power Automate's built-in connectors use Microsoft's shared infrastructure. For IP-sensitive integrations, create a custom connector that routes through an Azure Function, which in turn uses QuotaGuard's proxy. The function acts as a relay: Power Automate calls the function, the function calls the partner API through the proxy, and the partner sees the static IP.

It adds a hop, but it gives you control over the outbound IP.
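An added example, not QuotaGuard's code: guard logic for the relay function described above, which also covers the proxy setup in the Azure Functions section. It fails closed when QUOTAGUARD_URL is unset, limits the relay to an allowlist so the partner-trusted static IPs cannot be pointed at arbitrary hosts, and strips credentials before a proxy URL is logged. ALLOWED_HOSTS, the function names, and the assumption that the connection string may embed credentials are illustrative.

```python
import os
from urllib.parse import urlsplit

# Assumption: the only upstream this relay may call (hostname from the page's example).
ALLOWED_HOSTS = {"api.partner.com"}


def load_proxies(env=os.environ):
    """Return a proxies dict for requests, or raise so the call never egresses directly."""
    raw = env.get("QUOTAGUARD_URL", "")
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise RuntimeError("QUOTAGUARD_URL is missing or not an http(s) proxy URL")
    return {"http": raw, "https": raw}


def redact(url):
    """Strip userinfo so a proxy URL can be logged without leaking credentials."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return f"{parts.scheme}://{host}"


def check_target(url, allowed=ALLOWED_HOSTS):
    """Accept only https URLs to allowlisted hosts, with no userinfo or custom port."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("target must use https")
    if parts.username or parts.password:
        raise ValueError("userinfo not allowed in target URL")
    if parts.port not in (None, 443):
        raise ValueError("non-default port not allowed")
    if (parts.hostname or "").lower() not in allowed:
        raise ValueError("host not in relay allowlist")
    return url


def relay_request_args(target_url, env=os.environ):
    """Build keyword arguments for requests.get(...) inside the relay function."""
    return {
        "url": check_target(target_url),
        "proxies": load_proxies(env),
        "timeout": 10,
    }
```

Inside the relay, `requests.get(**relay_request_args(target))` then sends the call through the proxy only after both checks pass.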

SOCKS5 and QGTunnel for Non-HTTP Traffic

If your Azure service needs to connect to a database (SQL Server, PostgreSQL, MongoDB) or another TCP service behind a firewall, an HTTP proxy won't work. Use QuotaGuard's SOCKS5 proxy or QGTunnel for TCP-level connections.

QGTunnel wraps your application process and transparently routes TCP traffic through static IPs. Your connection strings don't change. The tunnel handles the routing.

VNet Integration: The Azure-Native Alternative

Azure offers VNet integration with NAT Gateway for static outbound IPs. This works, but there are trade-offs.

A NAT Gateway costs roughly $32/month per gateway plus $0.045/GB of data processed. You need VNet integration on your Function App, which requires Premium or Dedicated plans (starting around $150/month for Premium). You're looking at $180+/month minimum for the infrastructure.

For teams already running Premium Function Apps with VNet integration for other reasons, adding a NAT Gateway makes sense. For teams on Consumption plans who just need one API call to come from a static IP, it's expensive infrastructure for a simple requirement.

QuotaGuard Static starts at $19/month. Two static IPs. Managed failover. No plan upgrades required.

Common Questions

Can I just use the "possible outbound IPs" listed in the Azure portal?

You can try. But that list changes, and it's often 6-8 IPs. Many partners won't whitelist that many. And when Azure rotates the pool, your integration breaks without warning.

Does this work with Azure Functions on Linux?

Yes. The proxy approach works regardless of the runtime OS. Set the environment variable, use it in your HTTP client.

What about latency?

QuotaGuard operates in multiple regions including US East, US West, and EU West. Pick the region closest to your Azure deployment. Same-region adds single-digit milliseconds.

Getting Started

Sign up for QuotaGuard Static. Add the proxy URL to your Azure Function App settings. Update your HTTP client to use the proxy for partner API calls. Test at https://ip.quotaguard.com to confirm your traffic is coming from the static IPs.

If you need compliance-level encryption (HIPAA, PCI-DSS), QuotaGuard Shield starts at $29/month with SSL passthrough for end-to-end encryption.
