Scenario: I have a Pay-As-You-Go instance of Azure API Management created. In it, I have imported an Azure Functions app as APIs. The Azure Functions app is on the Consumption plan as well. These Azure functions call some external APIs and get data. I return the data as is from these functions.

Issue: To get data from the external APIs, I need to get my IP address whitelisted. My calling pattern is APIM => Azure Function => External API. I am hitting the APIM endpoint from my UI to get data. I have not exposed the Azure Functions endpoint to the UI. The issue is: which IP should be whitelisted to get the data?

Options Tried:

  1. I got the APIM virtual address (public) whitelisted, but that didn't work.
  2. I added logs to each of my functions to log the outbound IP address (using ipconfig.me). This gives me a different IP address than the APIM public IP.

My confusion is: if I have imported these functions into APIM, then my outbound IP address should be that of APIM and not of the functions, right? Or is my understanding wrong here?

It would be really helpful if someone could help with this scenario. We need to get our IP whitelisted so that we can get data. For that, changes to infra can be made, even if we need to switch to premium plans.

Anshul
  • So, to make the long story short - you are accessing your External APIs via Azure Functions, which are accessed via APIM? The return path would be External API -> Azure Functions -> APIM -> Client? – kamil-mrzyglod Nov 02 '21 at 08:05
  • @kamil-mrzyglod That's correct. – Anshul Nov 02 '21 at 08:34

1 Answer

In your case APIM works as a gateway to your system, so you would use the outbound IP address of APIM for IP restrictions configured at the Azure Functions level. This would secure access to the Functions and limit it to APIM only.

As you need to secure the External API, which is accessed via Azure Functions, you need to check the outbound IP for your App Service Plan (whether it's Consumption or not). The scenario you were trying would work only if outbound traffic is sent via some kind of gateway (see https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-nat-gateway).

Without a gateway, outbound IP can be checked with the following commands:

az functionapp show --resource-group <GROUP_NAME> --name <APP_NAME> --query outboundIpAddresses --output tsv
az functionapp show --resource-group <GROUP_NAME> --name <APP_NAME> --query possibleOutboundIpAddresses --output tsv

kamil-mrzyglod
  • This is a bit confusing. You mean to say that if I am calling an external API, then it will get the IP of the function and not of APIM? – Anshul Nov 02 '21 at 10:12
  • If yes, then using NAT gateway and static IP, then I should be able to restrict the outbound IP of function app. – Anshul Nov 02 '21 at 10:14
  • @Anshul it doesn't matter if you are using APIM or not - you are calling External API via your functions, they will not get outbound IP of APIM as it's only a gateway to your system. If you don't have outbound connectivity configured, by design all the traffic from functions will receive their outbound IP. – kamil-mrzyglod Nov 02 '21 at 10:32
  • Thanks for clarifying. Let me try this nat gateway method. If it works, that will resolve my problem. And I can mark this as answer. – Anshul Nov 02 '21 at 10:50
  • @Anshul sure, you're welcome. Remember that you can avoid using a NAT gateway if the standard outbound IP addresses for the Function App work for you. They are not static, but you can also implement a mechanism which will update your rules accordingly for the External API. – kamil-mrzyglod Nov 02 '21 at 12:20
  • NAT Gateway worked. Hence I marked your reply as answer. I went with creating a public IP, linked that to NAT Gateway, and then linked function to that gateway. Routing all function app traffic through this gateway now. Tested by local code as well as getting the static IP whitelisted with the external service. Everything works now. – Anshul Nov 03 '21 at 18:40
  • @Anshul Great, happy I could help :) – kamil-mrzyglod Nov 03 '21 at 21:10
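
The update mechanism mentioned in the comments first needs to know which Function App addresses are missing from the external API's allowlist. The following is an added example, not code from the answer or its comments: it diffs the comma-separated output of the two `az functionapp show` queries against a stored allowlist. The function names and the sample IPs (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a Function App's outbound IPs with a partner allowlist.

# Turn comma/space/newline separated IP lists into one sorted, unique IP per line.
normalize_ips() {
    printf '%s\n' "$@" | tr ', \t' '\n\n\n' | grep -v '^$' | sort -u
}

# Print the IPs that appear in list $1 but not in list $2.
ips_only_in() {
    a=$(normalize_ips "$1")
    b=$(normalize_ips "$2" | tr '\n' ' ')
    printf '%s\n' "$a" | awk -v other="$b" '
        BEGIN { n = split(other, o, " "); for (i = 1; i <= n; i++) seen[o[i]] = 1 }
        $0 != "" && !($0 in seen)'
}

# Three-way report: $1 = outboundIpAddresses, $2 = possibleOutboundIpAddresses,
# $3 = addresses the external API currently allows.
report() {
    echo "In use now but not allowlisted (calls from these will be rejected):"
    ips_only_in "$1" "$3"
    echo "Possible outbound addresses not yet allowlisted:"
    ips_only_in "$2" "$1,$3"
    echo "Allowlisted but no longer a possible outbound address:"
    ips_only_in "$3" "$2"
}

# Constructed sample data. In real use, fill the first two from the commands
# in the answer, e.g.:
#   OUTBOUND=$(az functionapp show --resource-group <GROUP_NAME> \
#       --name <APP_NAME> --query outboundIpAddresses --output tsv)
OUTBOUND="203.0.113.10,203.0.113.11"
POSSIBLE="203.0.113.10,203.0.113.11,198.51.100.7"
ALLOWLIST="203.0.113.10 192.0.2.44"

report "$OUTBOUND" "$POSSIBLE" "$ALLOWLIST"
```

A non-empty first section means the allowlist has already drifted; the last section lists entries that can be removed so the external API does not keep trusting addresses the app can no longer use.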