How to get a static IP address for your Windows App Service Web App

This article has been moved to its new home here:

11-AUG-2016: This article discusses INBOUND IPs, if you are looking for a single outbound IP address, Web Apps do not support that, instead there is a group of ~4 outgoing IP addresses described here.  If you want your own set of outbound IPs, consider an ASE described here.

25-OCT-2017: If you delete an exisiting binding during the certificate renewal process, then you likley will get a new inbound IP address allocated.  This would cause a problem with an A record DNS configuration.  Therefore, to renew a certificate, upload the new certificate, noting the new thumbprint and bind that one to the App Service domain without deleting the old one, I.e. replace/update instead of delete/add.

When you host your web site on the Azure Web App platform it is bound to a virtual IP address that is shared with other web sites in that region stamp.  See in Figure 1 where I performed an NSLOOKUP of a few of my test Web App sites, they return the same IP address.  Sometimes you might need or want your own static IP address for your web site.  This article explains how you can do that.

Figure 1, same IP address for all Azure Web App

The basic concept is that you will need to install and configure an IP based SSL certificate.  A self-signed certificate will work fine, so there is no requirement to purchase an SSL certificate to get the static IP address.  The caveats are that your Web App must be in either Basic or Standard mode and there is likely some billing impact when using an SSL certificate.  See here.

NOTE:  I have read/heard that when using Web Hosting Plans / App Service Plans that you get 1 free static IP address, so check out this link to see if you find the same.

The steps required to setup a self-signed IP based SSL certificate so that you get a free static IP address is by following these steps.

  1. Make sure your Web App is in either Basic or Standard mode
  2. Configure CNAME in DNS for your Web App
  3. Create a self-signed SSL certificate
  4. Upload an configure the certificate

Scale your Web App to either Basic or Standard mode

Select the Web App that you want the static IP for and make sure it is scale to either Basic or Standard as shown in Figure 2.

Figure 2, Azure Web App in Basic or Standard mode

Configure CNAME in DNS

You will need to have a custom domain mapped to your Web App URL.  Here are the instructions for achieving that.

Create a Self-Signed Certificate

I created an article on how to create and export a self-signed certificate here, so use that as a reference for this step.  Take note that the certificate Subject Name must match the custom domain name mapped to the MAWS.  That article discusses how to create the self-signed certificate using MAKECERT and then imports it into IIS, but you can import the same certificate into Web App.

Upload and configure the self-signed certificate

Once you are ready to configure the self-signed SSL certificate, access the Microsoft Azure management portal, select the web site which you would like the static IP address for and click on the CONFIGURE item at the top of the page.  Once on this page scroll down until you see CERTIFICATES as illustrated in Figure 3.


Figure 3, uploading and configuring a self-signed certificate on Azure Web App

Click on the UPLOAD A CERTIFICATE button and upload the self-signed certificate.  Once uploaded, click on the drop-downs in the SSL BINDINGS section and map the self-signed certificate to the domain name.  Figure 4 illustrates an example of how this might look.


Figure 4, configure an IP based SSL self-signed certificate Microsoft Azure Web Apps

When I tested this it did take some time for the static IP address to show up in NSLOOKUP.  But after some minutes it did happen.  Figure 5 illustrates that the Web App and custom domain now have a different IP address than my other Web App sites in the same region and stamp.

Figure 5, a free static IP using Azure Web App

Notice that the IP address has changed from the one shown previously in Figure 1.  This was the objective and it has been met.








Comments (20)

  1. Anonymous says:


    According to…/static-ip-address-for-outbound-egress-traffic

    it says it is not possible to get a static IP, Are you sure you're solution works?

    regards, T

  2. Hi T,

    This article is not about an outbound IP address, rather getting a static IP address which is bound to your MAWS.  Customers want the outbound IP so that request coming from the MAWS can be added to a firewall or white list, for example.

    This article is about not using the VIP allocated to all MAWS running in a given stamp.  Instead, getting your own IP address.  

    HTH, Benjamin

  3. Anonymous says:

    Hi Benjamin,

    thatnks a lot, your article was exactly what I needed and the only source of information I could find on the topic.



  4. Anonymous says:

    Ben thanks for clearing this up. I was trying to find if this was possible today and your post nailed it.

  5. Anonymous says:

    Hello Ben,

    Thanks for this. It works as you've described for us; however, we noticed at the end that we cannot browse to the IP address. Azure just gives us "Error 404 – Web Site not found!"… which suggests that although it has fixed the Virtual IP address, it hasn't set up the IIS routing to actual recognise browsing to that IP address. Do you know anything about this? Thanks

  6. Hi Aaron,

    The only thing I can think of is that your custom domain is not bound to your Azure Website via the console.  I am certain the instructions here work ok.  HTH

  7. Anonymous says:

    Does it mean that currently there is not way for an Azure webjob to use a static outgoing IP address ?

  8. Anonymous says:

    @Aaron LAwrence, I checked, as of now, the preserved ID service is only available for Cloud service role and VM.

  9. A Web Job runs on the same VM as the Web App, but in a different process and would therefore have the same possible 4 outgoing IP addresses as the Web App.  HTH

  10. Matthew Krieger says:

    hi Benjamin – I'm glad I came across your article because I've been trying to understand something related to this.  When you bring a custom domain name to an Azure website (no SSL at this point), you are shown an IP address for the site.  I assume at that point the IP address is still shared (amongst your other sites and possibly other users' sites – is this correct?), but is it static at this point?  I assume not given you saying that you need to bind an ssl cert to get a static address.  And once you bind an SSL cert, is the IP address not only static but dedicated to your site?


  11. Matthew Krieger says:

    I have to edit my comment from earlier this afternoon.  The IP address appears on the custom domain/bring external domain blade *even before* you specify a custom domain name.  And after you create and verify a custom name, and then upload an ssl cert, the IP address does not change…

  12. Bastien says:

    Hey Benjamin,

    You wrote:" you will need to have a custom domain mapped…"

    Do I really have to register a custom domain? Why can I not use the which I get from azure?

  13. Anurag says:

    I did everything but finally it says its a ssl binding is paid….is it ?

  14. Keith S says:


    SSL Bindings have a cost. According to the Azure Pricing Calculator (…/calculator) the cost of SNI-Based SSL is 9.00/month, while the IP-Based SSL described in this article is 39.00/month. This is in addition to the compute time costs for hosting web apps.

    1. Anurag says:

      thanks for the info

  15. Mitesh says:

    I understand this is for Inbound IP but still asking a Q related to Outbound IP. We want to access Onpremise service from Application hosted on Azure Web App. We whitelisted 4 Azure IP Addresses from Azure Web APP Properties on premise but still application hosted on Azure Web App is not able to access On premise Service. When We try to nslookup, site’s URL, it gives different IP addresses and not the ones mentioned in outbound IP addresses. Please share your thoughts.

  16. Cornel says:

    Thank you this really helped I manage to get a VIP for my Web service however when browsing the VIP I get Error 404. NSLOOKUP and PING does return the correct newly assigned IP but I need to be able to browse the website on the public IP. Any thoughts ?

    1. Probably not relevant for you anymore but as info: You won’t be able to do that.
      The reason is your website public IP is shared with more than one application, and (unlike this article implicitly says) that is true for both non-SSL and SSL sites. The fact that you are assigned a new IP when binding an SSL certificate to your site doesn’t mean that IP is dedicated to your site only – it isn’t, it is simply assigned to a VIP that deals with SSL requests and uses SNI to host multiple SSL sites.

  17. Shweta says:


    is external id for web app and inbound ip address the same thing?

  18. snapchat download says:

    Thank yoᥙ for every other wonderful article. The place else maʏ just anybody get that type of information in such an ideal means of writing? I’ve a presentation next ᴡeek, and I’m at the look for such information.

Skip to main content