- 19 Aug 2025
Ports
- Updated on 19 Aug 2025
This page describes the ports involved in the architecture.
Inbound to the Web/Function Apps (via Private Endpoint)
When something calls your Web App or Function App via its private endpoint:
Source → Destination | Ports | Purpose |
---|---|---|
Client in VNet → App Service Private Endpoint | 443/TCP | HTTPS for all HTTP-triggered requests |
App Service outbound via VNet Integration
Your Web/Function Apps talk outbound from the delegated integration subnet to other Private Endpoints.
To Azure SQL Private Endpoint
1433/TCP — Default SQL Database port
11000–11999/TCP — Additional SQL Database data transfer ports (for MARS and bulk copy)
443/TCP if using Azure AD authentication for SQL (token acquisition + redirect).
To Azure Storage Private Endpoint (Blob/File)
443/TCP — All Blob/File operations (including Run-From-Package ZIP load and content delivery)
445/TCP — Any access to storage file shares
To Application Insights Private Endpoint
443/TCP — Telemetry ingestion
To Log Analytics Private Endpoint
443/TCP — Logs ingestion
(LA ingestion over HTTPS, even with Private Link)
Notification Channels
25/TCP - SMTP Server
587/TCP - SMTP Server
443/TCP - API-based notification channels, e.g. ServiceNow / Teams
Azure control-plane / identity
Even with all those Private Endpoints, App Service still needs public egress for:
443/TCP — Entra ID endpoints (login.microsoftonline.com, *.aadcdn.microsoftonline-p.com)
443/TCP — Azure Resource Manager control plane
443/TCP — CRL/OCSP checks for TLS certificates
Internal DNS resolution
If using Azure Private DNS Zones:
53/UDP — DNS queries from App Service outbound to your DNS forwarder or Azure DNS
53/TCP — Fallback for large DNS responses
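
The outbound lists above can be used as an egress allowlist for the integration subnet. The following is an added example, not part of the original page or the product: it audits a rule set against those ports and reports required flows that would be blocked and allow rules that are wider than needed. The destination labels, the tuple rule shape and the sample rules are assumptions made up for the illustration.

```python
# (destination, protocol, first port, last port), transcribed from the lists above.
# Destination labels are shorthand invented for this example, not Azure service tags.
REQUIRED = [
    ("sql-pe", "tcp", 1433, 1433), ("sql-pe", "tcp", 11000, 11999),
    ("storage-pe", "tcp", 443, 443), ("storage-pe", "tcp", 445, 445),
    ("appinsights-pe", "tcp", 443, 443), ("loganalytics-pe", "tcp", 443, 443),
    ("smtp", "tcp", 25, 25), ("smtp", "tcp", 587, 587),
    ("notify-api", "tcp", 443, 443),
    ("public-azure", "tcp", 443, 443),  # Entra ID, Azure Resource Manager, CRL/OCSP
    ("dns", "udp", 53, 53), ("dns", "tcp", 53, 53),
]

def decide(rules, dest, proto, port):
    """The matching rule with the lowest priority number wins, as in an Azure NSG.
    Returning "deny" when nothing matches is an assumption of this example."""
    for _prio, action, d, pr, lo, hi in sorted(rules):
        if d in ("*", dest) and pr in ("*", proto) and lo <= port <= hi:
            return action
    return "deny"

def audit(rules, required=REQUIRED):
    """Return (blocked, too_broad): required flows with any port not allowed, and
    priorities of allow rules that use a wildcard or cover a port nothing needs."""
    blocked = [f for f in required
               if any(decide(rules, f[0], f[1], p) != "allow" for p in range(f[2], f[3] + 1))]
    too_broad = []
    for prio, action, d, pr, lo, hi in rules:
        if action != "allow":
            continue
        needed = {p for rd, rp, a, b in required if (rd, rp) == (d, pr) for p in range(a, b + 1)}
        if "*" in (d, pr) or any(p not in needed for p in range(lo, hi + 1)):
            too_broad.append(prio)
    return blocked, sorted(too_broad)

# Constructed rule set: (priority, action, destination, protocol, first port, last port).
# This is a simplified shape for the example, not the Azure NSG schema.
SAMPLE_RULES = [
    (100, "allow", "sql-pe", "tcp", 1433, 1433),      # misses 11000-11999
    (110, "allow", "storage-pe", "tcp", 443, 445),    # also opens 444
    (120, "allow", "appinsights-pe", "tcp", 443, 443),
    (130, "allow", "loganalytics-pe", "tcp", 443, 443),
    (140, "allow", "smtp", "tcp", 587, 587),          # misses 25
    (150, "allow", "public-azure", "tcp", 443, 443),
    (160, "allow", "dns", "udp", 53, 53),             # misses the TCP fallback
    (4096, "deny", "*", "*", 0, 65535),
]
```

Calling `audit(SAMPLE_RULES)` returns the blocked flows and the priorities of the over-broad allow rules, so the same check can gate a rule change before it is deployed.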