TCP Connection Limit Unclear for Azure Web App

Question

TCP Connection Limit Unclear for Azure Web App

Mora 0

On a specific server running a single P2v3 instance I am seeing port exhaustion issues popping up, these issues are being remedied currently through upcoming improvements, however I noticed that its unclear on the diagnostics side what limit I am hitting, as the documentation and metrics don't appear to align with what I am seeing.

The main documented limit I see is that P2v3 has a 'Outbound IP connections per instance' of 3968. When port exhaustion was actively occurring I looked at several areas in the portal:

Diagnostics > TCP Connections > Outbound connections -> Shows hovering around 2.8K (The summary of connections at the bottom which includes inbound doesn't get above 3000)

Azure Web App > Metrics > Connections -> 3.96K

Azure Service Plan > Metrics > Socket count (Outbound/inbound/loopback) -> 2.8K

Furthermore, the diagnostics under TCP Connections showed an error: 'The app {appname} had maximum outbound connections on this instance. There were 569 outbound TCP connections and the below table shows the process and remote endpoint details at this time'. Note that this web app is within a VNET and routes outbound traffic with a NAT Gateway and Public IP.

Why the inconsistencies between these?

Vimal Lalani 2,400 Reputation points Microsoft External Staff Moderator

2025-11-13T10:21:02.4033333+00:00

Hi @Mora

Just checking in to see if above earlier comment was helpful or if you still need any assistance.
Vimal Lalani 2,400 Reputation points Microsoft External Staff Moderator

2025-12-10T22:37:53.94+00:00
Hi @Mora

The numbers don’t match because each metric is counting different types of connections from different parts of the system.

Web App → Connections

This shows HTTP/WebSocket connections coming into your app. It is counted at the App Service front-end, not at the OS level. this number is typically higher because it includes logical client connections hitting your app.

App Service Plan → Socket Count

This shows all TCP sockets on the VM, including: inbound, outbound, loopback, system/internal sockets. Some sockets are extremely short-lived and may not appear in FE metrics. So this number is from the underlying worker machine, not just your app. this value reflects OS-level socket usage, not the logical app connection count.

TCP Diagnostics

This is a snapshot at one moment. It only shows the sockets that were open exactly at that sampling time. It does not include inbound or internal sockets. This is expected to be smaller than both app-level and plan-level metrics.

The diagnostic warning about “maximum outbound connections” is typically due to SNAT port limits, not the web app hitting its own connection limits. So you may see small outbound counts in diagnostics, but still experience SNAT exhaustion depending on how your app opens/holds connections.

I hope this information helps address your query.
Vimal Lalani 2,400 Reputation points Microsoft External Staff Moderator

2025-12-12T01:02:07.5633333+00:00

Hi @Mora

Following up to see if the earlier details resolved your issue. If you have any more questions, feel free to post back — we’re here to help.

1 answer

Your answer

Vimal Lalani 2,400 Reputation points Microsoft External Staff Moderator

2025-11-13T10:21:02.4033333+00:00

Hi @Mora

Just checking in to see if above earlier comment was helpful or if you still need any assistance.
Vimal Lalani 2,400 Reputation points Microsoft External Staff Moderator

2025-12-10T22:37:53.94+00:00

Hi @Mora

The numbers don’t match because each metric is counting different types of connections from different parts of the system.

Web App → Connections

This shows HTTP/WebSocket connections coming into your app. It is counted at the App Service front-end, not at the OS level. this number is typically higher because it includes logical client connections hitting your app.

App Service Plan → Socket Count

This shows all TCP sockets on the VM, including: inbound, outbound, loopback, system/internal sockets. Some sockets are extremely short-lived and may not appear in FE metrics. So this number is from the underlying worker machine, not just your app. this value reflects OS-level socket usage, not the logical app connection count.

TCP Diagnostics

This is a snapshot at one moment. It only shows the sockets that were open exactly at that sampling time. It does not include inbound or internal sockets. This is expected to be smaller than both app-level and plan-level metrics.

The diagnostic warning about “maximum outbound connections” is typically due to SNAT port limits, not the web app hitting its own connection limits. So you may see small outbound counts in diagnostics, but still experience SNAT exhaustion depending on how your app opens/holds connections.

I hope this information helps address your query.
Vimal Lalani 2,400 Reputation points Microsoft External Staff Moderator

2025-12-12T01:02:07.5633333+00:00

Hi @Mora

Following up to see if the earlier details resolved your issue. If you have any more questions, feel free to post back — we’re here to help.

Answer 1

Hey Mora, this confusion is common.

Those three numbers come from different measurements and scopes: Azure’s documented “outbound IP connections per instance” is an ephemeral port / SNAT guidance, Metrics → Connections shows an aggregated socket count the App Service host reports, and Diagnostics → TCP Connections can show per-process / per-endpoint snapshots (and may surface a smaller per-process limit hit). Add to that NAT Gateway SNAT port limits (and number of public IPs assigned) and you get more divergence — the app can hit SNAT exhaustion even though the host socket count looks lower.

What to do next: check per-instance and per-process sockets from the instance (Kudu SSH or netstat -an), enable the App Service Diagnose and solve TCP tools, review NAT Gateway SNAT usage (Standard NAT Gateway + extra Public IPs increase SNAT ports), reuse connections (HTTP keep-alive / HttpClient pooling), and scale-out to reduce per-instance pressure. If numbers still don’t add up, open a support ticket with subscription, region and timestamps so platform logs can be checked.

Hope this helps

Mora 0 Reputation points

2025-12-11T00:36:46.9566667+00:00

In two places within the same webapp, single app instance plan, showed two different numbers labelled the same as *outbound connections. *As well, you stated that Connections is really socket count which I find confusing as there are dedicated socket count metrics which do not reflect this. This is not a SNAT limit being hit with current architecture we are running NAT Gateway and Public IPs and not using those fully. Appreciate the help but this isn't aligning from what we are seeing.

Share via

TCP Connection Limit Unclear for Azure Web App

1 answer

Your answer