Question

0 Votes
PitawatN-1924 asked, suvasara-MSFT commented

Service Tag for APIM Consumption tier

Hi,

I am trying to allow inbound traffic to App Gateway from APIM only and deny all traffic if it comes from other sources.


[image: appgw.png]

I set up an NSG and associated it with the subnet that App Gateway is in. My inbound rule is

[image: nsg-rule.png]

This did not work. APIM could not connect to App Gateway.

I then looked at https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags and found an interesting piece of text at API Management row: "Management traffic for Azure API Management-dedicated deployments"

Does this mean APIM Consumption tier does not have its Service Tag? Is it only for developer, basic, premium, etc tiers? If so, how could I restrict inbound traffic to be only from APIM Consumption tier?

Thank you.

Tags: azure-virtual-network, azure-api-management, azure-application-gateway

1 Answer

0 Votes
suvasara-MSFT answered, suvasara-MSFT commented

@PitawatN-1924, in the Developer, Basic, Standard, and Premium tiers of API Management, the public IP addresses (VIP) are static for the lifetime of a service, so the service tag is available for those tiers. The Consumption tier service, however, doesn't have a dedicated IP address. A Consumption tier service runs on a shared infrastructure without a deterministic IP address.

Solution: For traffic restriction purposes, you can use the range of IP addresses of Azure data centers. Refer to the Azure Functions documentation article for precise steps.

Also, you can provide your feedback and upvote the similar ask in this feedback section for its future availability.


Please do not forget to "Accept the answer" wherever the information provided helps you, to help others in the community.

Thank you for your reply, @suvasara-MSFT

Regarding the range of IPs of Azure data centers, is it the same as using Service Tag: AzureCloud.SoutheastAsia? (My APIM Consumption tier is in this region.) Right now I tried setting this service tag and APIM can connect to App Gateway. I'm just curious if this is the narrowest policy I can set for my scenario.

[image: nsgsea.png]

According to the JSON file you mentioned, I earlier tried allowing IP ranges of "ApiManagement.SoutheastAsia" but it also did not work (I did not try allowing IPv6). I assume these ranges are for APIM developer, basic, standard and premium tiers, aren't they?

[image: apimsea.png]

Anyway, please let me know if allowing Service Tag: AzureCloud.SoutheastAsia is the best option I can do for this case.

Thank you.


0 Votes

@PitawatN-1924, yes, those regional service tags are nothing but the data center IPs. You can implement this feature from the portal itself. This service will take care of newly added IPs over time.

1 Vote
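The thread turns on which service tag actually contains the address APIM connects from, and how much wider AzureCloud.<region> is than ApiManagement.<region>. The following is an added example, not code from the thread or from Microsoft: it parses a document in the shape of the downloadable Service Tags JSON file the answer refers to (a top-level `values` list whose entries carry `name` and `properties.addressPrefixes`) and reports which tags contain a given source IP and which of them is the narrowest. All prefixes in `SAMPLE_SERVICE_TAGS_JSON` are constructed documentation ranges, not real Azure ranges; feed it the real file to check a real address.

```python
"""Which Azure service tag would match a given source address?

Added example (not from the Q&A thread). The JSON below mimics the layout of
the published Azure Service Tags file; every prefix is a constructed
documentation/test range, not a real Azure range.
"""
import ipaddress
import json
from typing import Dict, List, Optional

Networks = List[ipaddress._BaseNetwork]

# Constructed sample in the shape of the Service Tags JSON file.
SAMPLE_SERVICE_TAGS_JSON = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {
            "name": "ApiManagement.SoutheastAsia",
            "id": "ApiManagement.SoutheastAsia",
            "properties": {
                "changeNumber": 1,
                "region": "southeastasia",
                "platform": "Azure",
                "systemService": "AzureApiManagement",
                # Narrow: the dedicated-tier APIM ranges only (constructed).
                "addressPrefixes": ["198.51.100.0/28", "2001:db8:10::/48"],
            },
        },
        {
            "name": "AzureCloud.southeastasia",
            "id": "AzureCloud.southeastasia",
            "properties": {
                "changeNumber": 1,
                "region": "southeastasia",
                "platform": "Azure",
                "systemService": "",
                # Wide: the whole regional data-center range (constructed).
                "addressPrefixes": ["198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"],
            },
        },
    ],
})


def load_service_tags(raw_json: str) -> Dict[str, Networks]:
    """Map each service tag name to its parsed IPv4/IPv6 networks."""
    doc = json.loads(raw_json)
    return {
        entry["name"]: [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
        for entry in doc["values"]
    }


def ip_in_tag(tags: Dict[str, Networks], tag_name: str, ip: str) -> bool:
    """True if `ip` lies in any prefix of the tag; tag lookup is case-insensitive.

    An IPv4 address never matches an IPv6 prefix (and vice versa), which is
    why allowing only one address family can silently break a rule.
    """
    addr = ipaddress.ip_address(ip)
    for name, nets in tags.items():
        if name.lower() == tag_name.lower():
            return any(addr in net for net in nets)
    raise KeyError(f"unknown service tag: {tag_name}")


def matching_tags(tags: Dict[str, Networks], ip: str) -> List[str]:
    """All tag names whose prefixes contain `ip`, sorted for stable output."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in tags.items() if any(addr in net for net in nets))


def narrowest_tag(tags: Dict[str, Networks], ip: str) -> Optional[str]:
    """Among tags containing `ip`, the one covering the fewest addresses.

    This is the least-privilege choice for an NSG source; None if no tag matches.
    """
    hits = matching_tags(tags, ip)
    if not hits:
        return None
    return min(hits, key=lambda n: sum(net.num_addresses for net in tags[n]))


if __name__ == "__main__":
    tags = load_service_tags(SAMPLE_SERVICE_TAGS_JSON)
    # Constructed sample: a source inside the dedicated APIM range, and one that
    # is only inside the regional AzureCloud range (the Consumption-tier case).
    for src in ("198.51.100.5", "203.0.113.7", "2001:db8:10::1", "192.0.2.1"):
        print(src, "->", matching_tags(tags, src), "narrowest:", narrowest_tag(tags, src))
```

Run it against the real file (`load_service_tags(open("ServiceTags_Public.json").read())`) with the source address seen in the App Gateway access logs to confirm whether a narrower tag than AzureCloud.<region> would have matched; with the constructed data, 203.0.113.7 is the situation the thread describes, where only the regional tag contains the address.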