
I want to limit access to one of my app services to Azure API Management. In order to be independent from a single IP I created the following setting using service-tag-based restriction:


However if I test my API using the Developer Portal I still receive 403 messages.

If I now add a restriction-rule to allow the IP address of the API Management it will work.

The documentation claims that service tags are adding the IP ranges for the provided Azure services to the restrictions. This is exactly what I want to achieve but it does not seem to work.

Alexander Schmidt

3 Answers

After I contacted MS support I now can tell an answer to this.

One central message in the answer was

Unfortunately, there is no tag for all of the API Management outbound IP addresses.

The support highlighted that the documentation for service tags points out that

This enables customers to perform management operations on the APIs, Operations, Policies, NamedValues configured on the API Management service.

What this means is that the service tag is only for backend operations. Problem with this is that it doesn't help you at all. I already noticed that after I switched on the service tag rule I could not update an API using the direct OpenAPI endpoint via the portal which is the documented way. This is because the explorative request against the OpenAPI would be performed using the local browser as an XHR request. This means I would have to add my local IP to the restriction list every time.

The support suggests to put everything inside a VNET and configure the access using this technique. I had this solution in place and then considered it as too clumsy. I guess I have to do it now.

Alexander Schmidt

I also had a similar problem. My goal is to only allow the API Management to the App Service. I was able to do it with service tags. But instead of the API Management service tag, I used the AzureCloud service tag. But this allows a large number of IP addresses. If you want to cut the IP addresses further, you can add the AzureCloud.region service tag. For instance, my API Management region is Central India, so I added AzureCloud.centralindia. After adding that service tag, the API Management was able to access the app service.

user1479203
  • Not ideal - but better than nothing - I guess in combo with the authorization code this is still pretty secure. If you're using the Consumption based APIM, this might be as good as it gets – Ian Robertson Aug 25 '23 at 17:26

Thanks for pointing this out. The support suggestion using VNet seems like an overkill, because VNet is only available starting with the pricey Premium tier of APIM. However, there are other solutions.

  • use App Service Private Endpoint
  • only allow APIM public IP address in App Service access restriction
Sven
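The two restriction rules the second and third answers describe (the regional AzureCloud service tag, and the APIM instance's public IP), written out as an added Bicep example that is not code from any of the posters. The app name, the CentralIndia region and the 203.0.113.10 address are assumed placeholders; a deny-all rule is added explicitly so the intent is visible.

```bicep
// Added example (not from the answers above): App Service access restrictions
// that allow only API Management runtime traffic. Assumed values: 'contoso-api'
// for the app, CentralIndia for the APIM region and 203.0.113.10 (a
// documentation range) standing in for the APIM instance's public IP.
resource app 'Microsoft.Web/sites@2022-09-01' existing = {
  name: 'contoso-api'
}

resource accessRestrictions 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: app
  name: 'web'
  properties: {
    ipSecurityRestrictions: [
      {
        // Second answer: the regional AzureCloud tag covers the APIM gateway's
        // outbound IPs, which the ApiManagement tag (management plane only)
        // does not. Still broad: any Azure resource in that region is allowed,
        // so keep an application-level credential (e.g. the subscription key or
        // a token) on the backend as well.
        name: 'allow-azurecloud-region'
        action: 'Allow'
        priority: 100
        tag: 'ServiceTag'
        ipAddress: 'AzureCloud.CentralIndia'
      }
      {
        // Third answer: pin the APIM instance's public IP. Tighter, but must be
        // updated if the instance is redeployed, and not an option on the
        // Consumption tier, which has no fixed outbound IP.
        name: 'allow-apim-public-ip'
        action: 'Allow'
        priority: 110
        ipAddress: '203.0.113.10/32'
      }
      {
        // Explicit catch-all deny (App Service adds one implicitly once any
        // Allow rule exists, but stating it makes the policy reviewable).
        name: 'deny-all'
        action: 'Deny'
        priority: 2147483647
        ipAddress: 'Any'
      }
    ]
  }
}
```

Use only one of the two Allow rules in practice; both are shown so the trade-off between the broad tag and the fixed IP is visible side by side.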