az webapp show returns duplicate IP addresses in the possibleOutboundIpAddresses property

[frankvaneykelen-work]

Describe the bug

I expect the possibleOutboundIpAddresses property to contain unique IP addresses, so I can use its value directly in a subsequent az network nsg rule update [...] --source-address-prefixes $app.possibleOutboundIpAddresses [...]

Related command

az webapp show
az network nsg rule update

Errors

Updating Network Security Rule '[....]' in Network Security Group `[...]'.
ERROR: (OverlappingSubnetsNotPermittedInSecurityRule) Security rule parameter SourceAddressPrefix for rule with Id /subscriptions/[...]_Port8080 contains overlapping subnets [20.[..].6/32, 20.[..].6/32],[...], which is not permitted.
Code: OverlappingSubnetsNotPermittedInSecurityRule

Issue script & Debug output

> ((az webapp show --name foo-app --resource-group foo-rg | `
    ConvertFrom-Json).possibleOutboundIpAddresses -split ',' -replace ' ', '' | Sort-Object).count
> 55
> ((az webapp show --name foo-app --resource-group foo-rg | `
    ConvertFrom-Json).possibleOutboundIpAddresses -split ',' -replace ' ', '' | Sort-Object | Get-Unique).count
> 43

Expected behavior

I expect the possibleOutboundIpAddresses property of the result of az webapp show to contain unique items.

Environment Summary

azure-cli                         2.49.0

core                              2.49.0
telemetry                          1.0.8

Dependencies:
msal                              1.20.0
azure-mgmt-resource               22.0.0

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\****\.azure\cliextensions'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb  7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.

Additional context

I can reproduce this locally but it also happens in a release running on an Azure DevOps Agent:

2023-06-12T07:09:55.0849473Z ##[section]Starting: Initialize job
2023-06-12T07:09:55.0852799Z Agent name: 'Azure Pipelines 15'
2023-06-12T07:09:55.0853502Z Agent machine name: 'fv-*****'
2023-06-12T07:09:55.0853861Z Current agent version: '3.220.5'

[yonzhan]

Thank you for opening this issue, we will look into it.

[frankvaneykelen-work]

As a workaround I added code to make the list unique again (the | Sort-Object | Get-Unique bit):

    $sourceIpAddresses = ($appService.possibleOutboundIpAddresses -split ',' | Sort-Object | Get-Unique)

[frankvaneykelen-work]

I have also checked the Web App in the Azure Portal, and that shows the following:

• 7 Outbound IP addresses
• 55 Additional Outbound IP addresses
• making a total of 62 IP addresses
• of which 43 are left after removing duplicates

I think the numbers 55 and 43 are matches for the ones mentioned above.

[frankvaneykelen-work]

I just had a call with an Azure Support engineer about this too, and we found out that this issue does not apply to all our resource groups. Right now we only know of one RG that has this issue.