Share via

TCP Connection Limit Unclear for Azure Web App

Mora 0 Reputation points
2025-10-31T17:53:23.5166667+00:00

On a specific server running a single P2v3 instance I am seeing port exhaustion issues popping up, these issues are being remedied currently through upcoming improvements, however I noticed that its unclear on the diagnostics side what limit I am hitting, as the documentation and metrics don't appear to align with what I am seeing.

The main documented limit I see is that P2v3 has a 'Outbound IP connections per instance' of 3968. When port exhaustion was actively occurring I looked at several areas in the portal:

Diagnostics > TCP Connections > Outbound connections -> Shows hovering around 2.8K (The summary of connections at the bottom which includes inbound doesn't get above 3000)

Azure Web App > Metrics > Connections -> 3.96K

Azure Service Plan > Metrics > Socket count (Outbound/inbound/loopback) -> 2.8K

Furthermore, the diagnostics under TCP Connections showed an error: 'The app {appname} had maximum outbound connections on this instance. There were 569 outbound TCP connections and the below table shows the process and remote endpoint details at this time'. Note that this web app is within a VNET and routes outbound traffic with a NAT Gateway and Public IP.

Why the inconsistencies between these?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Natheem Yousuf 340 Reputation points
    2025-11-13T05:35:45.9233333+00:00

    Hey Mora, this confusion is common.

    Those three numbers come from different measurements and scopes: Azure’s documented “outbound IP connections per instance” is an ephemeral port / SNAT guidance, Metrics → Connections shows an aggregated socket count the App Service host reports, and Diagnostics → TCP Connections can show per-process / per-endpoint snapshots (and may surface a smaller per-process limit hit). Add to that NAT Gateway SNAT port limits (and number of public IPs assigned) and you get more divergence — the app can hit SNAT exhaustion even though the host socket count looks lower.

    What to do next: check per-instance and per-process sockets from the instance (Kudu SSH or netstat -an), enable the App Service Diagnose and solve TCP tools, review NAT Gateway SNAT usage (Standard NAT Gateway + extra Public IPs increase SNAT ports), reuse connections (HTTP keep-alive / HttpClient pooling), and scale-out to reduce per-instance pressure. If numbers still don’t add up, open a support ticket with subscription, region and timestamps so platform logs can be checked.

    Hope this helps

  2. Vimal Lalani 2,405 Reputation points Microsoft External Staff Moderator
    2025-12-10T22:37:53.94+00:00

    Hi @Mora

    The numbers don’t match because each metric is counting different types of connections from different parts of the system.

    • Web App → Connections
      • This shows HTTP/WebSocket connections coming into your app. It is counted at the App Service front-end, not at the OS level. this number is typically higher because it includes logical client connections hitting your app.
    • App Service Plan → Socket Count
      • This shows all TCP sockets on the VM, including: inbound, outbound, loopback, system/internal sockets. Some sockets are extremely short-lived and may not appear in FE metrics. So this number is from the underlying worker machine, not just your app. this value reflects OS-level socket usage, not the logical app connection count.
    • TCP Diagnostics
      • This is a snapshot at one moment. It only shows the sockets that were open exactly at that sampling time. It does not include inbound or internal sockets. This is expected to be smaller than both app-level and plan-level metrics.
    • The diagnostic warning about “maximum outbound connections” is typically due to SNAT port limits, not the web app hitting its own connection limits. So you may see small outbound counts in diagnostics, but still experience SNAT exhaustion depending on how your app opens/holds connections.

    I hope this information helps address your query.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.