
I am building a Node.js WebRTC media bridge (a Back-to-Back User Agent or B2BUA) that connects a browser-based client to the WhatsApp Calling API. The backend is hosted on an Azure App Service for Containers.

The application consistently fails because the server cannot discover its public IP address via STUN. The application logs show that it is unable to generate srflx (server reflexive) or public host candidates, which results in a malformed SDP with c=IN IP4 0.0.0.0 and a failed connection.

The critical piece of evidence is that the exact same container image and configuration, when deployed to a standard IaaS VM (a DigitalOcean Droplet), works perfectly. This strongly suggests the issue is specific to the Azure App Service networking environment.

The Environment

Backend: Node.js

WebRTC Library: werift (or a library that uses it)

Hosting: Azure App Service for Containers

Networking:

Azure VNet with a Network Security Group (NSG)

Third-party STUN/TURN provider (Metered.ca)

What I Have Tried (Debugging Steps)

I have gone through an extensive debugging process to isolate the problem:

Verified STUN/TURN Credentials: Confirmed the credentials are correct using online WebRTC testers. They work perfectly.

Configured the NSG Firewall: Added a high-priority inbound security rule to the NSG to allow UDP traffic on a wide port range (10000-60000) from any source.

Verified Outbound Connectivity: Used netcat from the App Service's built-in SSH terminal to test outbound UDP connectivity to the STUN server. This test was successful, proving the container can send UDP packets to the internet.

Configured the Application: The Node.js application is configured to use the same UDP port range as the firewall rule:

const pc = new RTCPeerConnection({
  iceServers: [/* ... my STUN/TURN config ... */],
  icePortRange: [10000, 60000] // Matches the NSG rule
});

The Comparative Test (Proof):

On Azure App Service, the onicecandidate event handler only ever fires for relay (TURN) candidates.

When the identical container image is deployed on a DigitalOcean Droplet with a simple ufw firewall rule (sudo ufw allow 10000:60000/udp), it works immediately. The logs show it successfully generates host, srflx, and relay candidates as expected.

This proves the issue is not with the code, the configuration, or the STUN/TURN provider, but is specific to the Azure App Service environment's handling of inbound UDP.

My Question

Given that outbound UDP connectivity is confirmed and the user-configurable NSG is correctly set to allow inbound UDP, what non-configurable, platform-level network policies exist on Azure App Service that would prevent STUN binding responses from reaching the running container?

Is this a known limitation for hosting real-time media applications on this platform, and is there an official workaround or a different Azure PaaS service that is better suited for this WebRTC use case?
