Merge pull request #302832 from MicrosoftDocs/main

Auto Publish – main to live - 2025-07-16 17:00 UTC

Author: learn-build-service-prod[bot]

articles/app-service/media/overview-inbound-outbound-ips/ip-mode-configuration.png

@@ -4,7 +4,7 @@ description: Learn how inbound and outbound IP addresses are used in Azure App S
 author: msangapu-msft
 ms.author: msangapu
 ms.topic: article
-ms.date: 03/10/2025
+ms.date: 07/16/2025
 ms.update-cycle: 1095-days
 ms.custom:
   - UpdateFrequency3
@@ -19,42 +19,42 @@ ms.custom:
 
 ## How IP addresses work in App Service
 
-An App Service app runs in an App Service plan, and App Service plans are deployed into one of the deployment units in the Azure infrastructure (internally called a webspace). Each deployment unit is assigned a set of virtual IP addresses, which includes one public inbound IP address and a set of [outbound IP addresses](#find-outbound-ips). All App Service plans in the same deployment unit, and app instances that run in them, share the same set of virtual IP addresses. For an App Service Environment (an App Service plan in [Isolated tier](https://azure.microsoft.com/pricing/details/app-service/)), the App Service plan is the deployment unit itself, so the virtual IP addresses are dedicated to it as a result.
+An App Service app runs in an App Service plan, and App Service plans are deployed into one of the deployment units in the Azure infrastructure (internally called a webspace). Each deployment unit is assigned to a set of virtual IP addresses, which includes one public inbound IP address and a set of [outbound IP addresses](#find-outbound-ips). All App Service plans in the same deployment unit, and app instances that run in them, share the same set of virtual IP addresses. For an App Service Environment (an App Service plan in [Isolated tier](https://azure.microsoft.com/pricing/details/app-service/)), the App Service plan is the deployment unit itself, so the virtual IP addresses are dedicated to it as a result.
 
 Because you're not allowed to move an App Service plan between deployment units, the virtual IP addresses assigned to your app usually remain the same, but there are exceptions.
 
 > [!NOTE]
-> The Premium V4 tier does not provide a stable set of outbound IP addresses.  This behavior is intentional.  Although applications running on the Premium V4 tier can make outbound calls to internet-facing endpoints, the App Service platform does not provide a stable set of outbound IP addresses for the Premium V4 tier.  This is a change in behavior from previous App Service pricing tiers.  The portal will show "Dynamic" for outbound IP addresses and additional outbound IP addresses information for applications using Premium V4.  ARM and CLI calls will return empty strings for the values of *outboundIpAddresses* and *possibleOutboundIpAddresses*.  If applications running on Premium V4 require a stable outbound IP address(es), developers will need to use a solution like [Azure NAT Gateway](overview-nat-gateway-integration.md) to get a predictable IP address for outbound internet-facing traffic.
+> The Premium V4 tier doesn't provide a stable set of outbound IP addresses. This behavior is intentional. Although applications running on the Premium V4 tier can make outbound calls to internet-facing endpoints, the App Service platform doesn't provide a stable set of outbound IP addresses for the Premium V4 tier. This behavior is a change in behavior from previous App Service pricing tiers. The portal shows "Dynamic" for outbound IP addresses and additional outbound IP addresses information for applications using Premium V4. Azure Resource Manager (ARM) and CLI calls return empty strings for the values of *outboundIpAddresses* and *possibleOutboundIpAddresses*. If applications running on Premium V4 require a stable outbound IP address or addresses, developers need to use a solution like [Azure NAT Gateway](overview-nat-gateway-integration.md) to get a predictable IP address for outbound internet-facing traffic.
 
 ## When inbound IP changes
 
-Regardless of the number of scaled-out instances, each app has a single inbound IP address. The inbound IP address may change when you perform one of the following actions:
+Regardless of the number of scaled-out instances, each app has a single inbound IP address. The inbound IP address might change when you perform one of the following actions:
 
-- Delete an app and recreate it in a different resource group (deployment unit may change).
-- Delete the last app in a resource group _and_ region combination and recreate it (deployment unit may change).
+- Delete an app and recreate it in a different resource group (deployment unit might change).
+- Delete the last app in a resource group _and_ region combination and recreate it (deployment unit might change).
 - Delete an existing IP-based TLS binding, such as during certificate renewal (see [Renew certificate](configure-ssl-certificate.md#renew-an-expiring-certificate)).
 
 ## Find the inbound IP
 
-Just run the following command in a local terminal:
+Run the following command in a local terminal:
 
 ```bash
 nslookup <app-name>.azurewebsites.net
 ```
 
 ## Get a static inbound IP
 
-Sometimes you might want a dedicated, static IP address for your app. To get a static inbound IP address, you need to [secure a custom DNS name with an IP-based certificate binding](./configure-ssl-bindings.md). If you don't actually need TLS functionality to secure your app, you can even upload a self-signed certificate for this binding. In an IP-based TLS binding, the certificate is bound to the IP address itself, so App Service creates a static IP address to make it happen. 
+Sometimes you might want a dedicated, static IP address for your app. To get a static inbound IP address, you need to [secure a custom DNS name with an IP-based certificate binding](./configure-ssl-bindings.md). If you don't actually need TLS functionality to secure your app, you can even upload a self-signed certificate for this binding. In an IP-based TLS binding, the certificate is bound to the IP address itself, so App Service creates a static IP address to make it happen.
 
 ## When outbound IPs change
 
 Regardless of the number of scaled-out instances, each app has a set number of outbound IP addresses at any given time. Any outbound connection from the App Service app, such as to a back-end database, uses one of the outbound IP addresses as the origin IP address. The IP address to use is selected randomly at runtime, so your back-end service must open its firewall to all the outbound IP addresses for your app.
 
 The set of outbound IP addresses for your app changes when you perform one of the following actions:
 
-- Delete an app and recreate it in a different resource group (deployment unit may change).
-- Delete the last app in a resource group _and_ region combination and recreate it (deployment unit may change).
-- Scale your app between the lower tiers (**Basic**, **Standard**, and **Premium**), the **PremiumV2** tier, the **PremiumV3** tier, and the **Pmv3** options within the **PremiumV3** tier (IP addresses may be added to or subtracted from the set).
+- Delete an app and recreate it in a different resource group (deployment unit might change).
+- Delete the last app in a resource group _and_ region combination and recreate it (deployment unit might change).
+- Scale your app between the lower tiers (**Basic**, **Standard**, and **Premium**), the **PremiumV2** tier, the **PremiumV3** tier, and the **Pmv3** options within the **PremiumV3** tier (IP addresses might be added to or subtracted from the set).
 
 You can find the set of all possible outbound IP addresses your app can use, regardless of pricing tiers, by looking for the `possibleOutboundIpAddresses` property or in the **Additional Outbound IP Addresses** field in the **Properties** page in the Azure portal. See [Find outbound IPs](#find-outbound-ips).
 
@@ -90,13 +90,13 @@ For function apps, see [Function app outbound IP addresses](/azure/azure-functio
 
 ## Get a static outbound IP
 
-You can control the IP address of outbound traffic from your app by using virtual network integration together with a virtual network NAT gateway to direct traffic through a static public IP address. [Virtual network integration](./overview-vnet-integration.md) is available on **Basic**, **Standard**, **Premium**, **PremiumV2**, and **PremiumV3** App Service plans. To learn more about this setup, see [NAT gateway integration](./networking/nat-gateway-integration.md).
+You can control the IP address of outbound traffic from your app by using virtual network integration and a virtual network NAT gateway to direct traffic through a static public IP address. [Virtual network integration](./overview-vnet-integration.md) is available on **Basic**, **Standard**, **Premium**, **PremiumV2**, and **PremiumV3** App Service plans. To learn more about this setup, see [NAT gateway integration](./networking/nat-gateway-integration.md).
 
 ## IP Address properties in Azure portal
 
-IP Addresses appear in multiple places in Azure portal. The properties page will show you the raw output from `inboundIpAddress`, `possibleInboundIpAddresses`, `outboundIpAddresses`, and `possibleOutboundIpAddresses`. The overview page will also show the same values, but not include the **Possible Inbound IP Addresses**.
+IP Addresses appear in multiple places in Azure portal. The properties page shows you the raw output from `inboundIpAddress`, `possibleInboundIpAddresses`, `outboundIpAddresses`, and `possibleOutboundIpAddresses`. The overview page also shows the same values, but not include the **Possible Inbound IP Addresses**.
 
-Networking overview shows the combination of **Inbound IP Address** and any private endpoint IP addresses in the **Inbound addresses** field. If public network access is disabled, the public IP address won't be shown. The **Outbound addresses** field has a combined list of **(Possible) Outbound IP Addresses**, and if the app is virtual network integrated and is routing all traffic, and the subnet has a NAT gateway attached, the field will also include the IP addresses from the NAT gateway.
+Networking overview shows the combination of **Inbound IP Address** and any private endpoint IP addresses in the **Inbound addresses** field. If public network access is disabled, the public IP address isn't shown. The **Outbound addresses** field has a combined list of **(Possible) Outbound IP Addresses**, and if the app is virtual network integrated and is routing all traffic, and the subnet has a NAT gateway attached, the field also includes the IP addresses from the NAT gateway.
 
 :::image type="content" source="./media/overview-inbound-outbound-ips/networking-overview.png" alt-text="Screenshot that shows how IP addresses are shown in the networking overview page.":::
 
@@ -111,6 +111,114 @@ The tag can be used to allow outbound traffic in a Network security group (NSG)
 > [!NOTE]
 > Service tag helps you define network access, but it shouldn't be considered as a replacement for proper network security measures as it doesn't provide granular control over individual IP addresses.
 
+## Inbound IPv6 support (public preview)
+
+Azure App Service supports IPv6 for inbound traffic. Apps can receive traffic over both IPv4 and IPv6 protocols, providing compatibility with modern networks and clients that require IPv6 connectivity.
+
+> [!NOTE]
+> Inbound IPv6 support is in public preview. Outbound IPv6 support is in public preview just for Windows apps. For more information on outbound IPv6 support, see [Announcing App Service Outbound IPv6 Support in Public Preview](https://techcommunity.microsoft.com/blog/appsonazureblog/announcing-app-service-outbound-ipv6-support-in-public-preview/4423368). All outbound connections from your Linux apps still use IPv4.
+
+### Prerequisites
+
+To use IPv6 inbound traffic, you need:
+
+- An IPv6 address that accepts incoming traffic
+- A DNS record that returns an IPv6 (AAAA) record
+- A client that can send and receive IPv6 traffic
+
+> [!IMPORTANT]
+> Many local networks and development environments only support IPv4, which might affect your ability to test IPv6 connectivity from your local machine.
+
+### How IPv6 addressing works
+
+All App Service deployment units include IPv6 addresses, enabling your app to receive traffic on both IPv4 and IPv6 addresses. For backward compatibility, the DNS response for the default hostname (`<app-name>.azurewebsites.net`) returns only the IPv4 address by default.
+
+You can configure the IP mode behavior using the `IPMode` property:
+
+- **IPv4** (default): DNS returns IPv4 address only
+- **IPv6**: DNS returns IPv6 address only
+- **IPv4AndIPv6**: DNS returns both IPv4 and IPv6 addresses
+
+### Configure IPv6 support
+
+# [Azure portal](#tab/azure-portal)
+
+To update an app to return IPv6 DNS records in the Azure portal, go to the **Configuration** page for the App Service app and set the **Inbound IP mode** property.
+
+  :::image type="content" source="./media/overview-inbound-outbound-ips/ip-mode-configuration.png" alt-text="Screenshot that shows how the inbound IP mode is set in the App Service configuration page.":::
+
+# [Azure CLI](#tab/azure-cli)
+
+To update an app to return IPv6 DNS records in the Azure CLI, run the following command.
+
+```azurecli
+# Configure IPv6 only
+az resource update --name <app-name> --set properties.ipMode="IPv6" -g <resource-group-name> --resource-type "Microsoft.Web/sites"
+
+# To update a slot, you need to provide the resource ID of the slot
+az resource update --ids '/subscriptions/<sub-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Web/sites/<app-name>/slots/<slot-name>' --set properties.ipMode='IPv6'
+```
+
+# [Azure Resource Manager template](#tab/arm-template)
+
+To deploy a new app or update an existing app using an Azure Resource Manager (ARM) template, set the `IPMode` to either "IPv6" or "IPv4AndIPv6".
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "variables": {
+      "appName": "APP-SERVICE-NAME",
+      "appIPMode": "IPv6",
+      "appServicePlanName": "PLAN-NAME",
+      "location": "[resourceGroup().location]"
+  },
+  "resources": [
+    {
+        "name": "[variables('appName')]",
+        "type": "Microsoft.Web/sites",
+        "apiVersion": "2021-03-01",
+        "location": "[variables('location')]",
+        "dependsOn": [
+            "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+        ],
+        "properties": {
+          "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+          "httpsOnly": true,
+          "ipMode": "[variables('appIPMode')]"
+        }
+    }
+  ]
+}
+```
+
+---
+
+### Test IPv6 connectivity
+
+To test IPv6 connectivity to your app, use the following curl command:
+
+```bash
+curl -6 https://<app-name>.azurewebsites.net
+```
+
+### Custom domains and IPv6
+
+When using custom domains, you can configure DNS records to support IPv6:
+
+- **IPv6 only**: Add an AAAA record pointing to your app's IPv6 address. Clients must support IPv6.
+- **Dual-stack**: Add both A (IPv4) and AAAA (IPv6) records, or use a CNAME record to the default hostname, which inherits the `IPMode` behavior.
+
+### IPv6 considerations
+
+Consider the following factors when implementing IPv6 support:
+
+- **Compatibility**: Use `IPv4AndIPv6` mode for maximum client compatibility
+- **Testing**: Verify that your network infrastructure and test environments support IPv6
+- **Client support**: Ensure your application clients can handle IPv6 addresses
+- **Outbound traffic**: Remember that outbound connections always use IPv4
+- **Client testing**: To ensure propert functionality, test your application with both IPv4 and IPv6 clients
+
 ## Next steps
 
 * Learn how to [restrict inbound traffic](./app-service-ip-restrictions.md) by source IP addresses.

articles/app-service/overview-inbound-outbound-ips.md

@@ -35,7 +35,7 @@ Whether you're a student, a small business, a startup, or an enterprise, App Ser
 - **Command-line friendly**: Deploy using command line tools you already use, such as Maven, Gradle, Azure Developer CLI, Azure CLI, and Azure PowerShell.
 - **Scalability**: Automatically scale your applications based on demand.
 - **Global reach**: Deploy your apps in data centers around the world.
-- **Application templates**: Choose from an extensive list of application templates in the [Azure Marketplace](https://azure.microsoft.com/marketplace/), such as WordPress, Joomla, and Drupal.
+- **Application templates**: Choose from an extensive list of application templates in the [Azure Marketplace](https://azure.microsoft.com/marketplace/), such as WordPress, Joomla, Django , Node.js and Drupal.
 - **Social sign-in support**: Turn-key social sign-in with [Google](configure-authentication-provider-google.md), [Facebook](configure-authentication-provider-facebook.md), [X](configure-authentication-provider-twitter.md), and [Microsoft accounts](configure-authentication-provider-microsoft.md).
 
 ### Enterprises
@@ -51,4 +51,4 @@ For information about which Azure compute services best fit your scenario, see [
 
 ## Next Steps
 
-- [Getting started with Azure App Service](getting-started.md)
+- [Getting started with Azure App Service](getting-started.md)

articles/app-service/overview.md

@@ -1,6 +1,6 @@
 ---
-title: Connect multiple Azure VMware Solution Generation 2 Private Clouds
-description: Learn about connecting multiple Azure VMware Solution Generation 2 Private Clouds.
+title: Connect multiple Azure VMware Solution Generation 2 private clouds
+description: Learn about connecting multiple Azure VMware Solution Generation 2 private clouds.
 ms.topic: how-to
 ms.service: azure-vmware
 author: jjaygbay1
@@ -11,21 +11,21 @@ ms.custom: engagement-fy25
 # Customer intent: As a cloud administrator, I want to connect multiple Azure VMware Solution Generation 2 private clouds using Virtual Network peering, so that I can ensure efficient communication and optimize performance across my cloud infrastructure.
 ---
 
-# Connect multiple Azure VMware Solution Generation 2 Private Clouds
+# Connect multiple Azure VMware Solution Generation 2 private clouds
 
-In this article, you learn how to connect a Azure VMware Solution Generation 2 (Gen 2) private cloud to other Gen 2 private clouds.
+In this article, you learn how to connect an Azure VMware Solution Generation 2 (Gen 2) private cloud to other Gen 2 private clouds.
 
 ## Prerequisite
 
 Have multiple Azure VMware Solution Gen 2 private clouds deployed successfully.
 
-## Connect multiple Azure VMware Solution Gen 2 
+## Use Virtual Network peering to connect multiple private clouds
 
-Private clouds deployed in different Azure Virtual Networks can be connected using Virtual Network peering. The Virtual Network peering provides the best possible throughput and latency between Azure VMware Solution private clouds in the same region. For more information about how to do Azure Virtual Network peering, see [Create, change, or delete a Virtual Network peering](/azure/virtual-network/virtual-network-peering-overview).
+You can connect private clouds deployed in different Azure Virtual Networks using virtual network peering. The virtual network peering provides the best possible throughput and latency between Azure VMware Solution private clouds in the same region. For more information about how to do Azure Virtual Network peering, see [Create, change, or delete a Virtual Network peering](/azure/virtual-network/virtual-network-peering-overview).
 
 Depending on the location of the private cloud, you may require local Virtual Network peering or a global Virtual Network peering.
 
-:::image type="content" source="./media/native-connectivity/native-connect-multiple-solutions-on-premises.png" alt-text="Diagram of an multiple Azure VMware Solution Gen 2 private clouds connected together." lightbox="media/native-connectivity/native-connect-multiple-solutions-on-premises.png":::
+:::image type="content" source="./media/native-connectivity/native-connect-multiple-solutions-on-premises.png" alt-text="Diagram of multiple Azure VMware Solution Gen 2 private clouds connected together." lightbox="media/native-connectivity/native-connect-multiple-solutions-on-premises.png":::
 
 ## Related topics 
 - [Connectivity to an Azure Virtual Network](native-network-connectivity.md)