Does outbound IP of APIM premium tier is same as the Virtual IP address ?

Question

Does outbound IP of APIM premium tier is same as the Virtual IP address ?

$@chin 200

Hi,

APIM is configured with an external VNet with no NAT gateway or Azure firewall configured.

Scenario 1: Looking for clear information on whether the Virtual IP address of the APIM Premium tier will act as the outbound IP. Specifically, will all traffic from APIM to external services use the same IP as the VIP or will it have a different IP?

Scenario 2: If the backend of APIM is an Azure Function or Web App, and traffic flows from APIM to external services through those apps, will the outbound IP be the APIM VIP or the outbound IP of the Web App or Function App?

JananiRamesh-MSFT 29,276 Reputation points

2024-11-08T18:36:09.7366667+00:00

@$@chin Just following up to check if the below answer helped. If that answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know. I would be happy to help.
JananiRamesh-MSFT 29,276 Reputation points

2024-11-12T05:12:48.4866667+00:00

@$@chin Let us know if the below answer helped you or if you have any follow-up questions. Accepting answers will help increase the visibility of this question and the solution for anyone else who may run into the same issue. Thank you for helping to improve Microsoft Q&A!

1 answer

Your answer

JananiRamesh-MSFT 29,276 Reputation points

2024-11-08T18:36:09.7366667+00:00

@$@chin Just following up to check if the below answer helped. If that answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know. I would be happy to help.
JananiRamesh-MSFT 29,276 Reputation points

2024-11-12T05:12:48.4866667+00:00

@$@chin Let us know if the below answer helped you or if you have any follow-up questions. Accepting answers will help increase the visibility of this question and the solution for anyone else who may run into the same issue. Thank you for helping to improve Microsoft Q&A!

Answer 1

JananiRamesh-MSFT 29,276

@$@chin Thanks for reaching out.

For Scenario 1, If the APIM instance is in an external VNet and the backend (external service) is public, then the outbound IP address for traffic from APIM to the backend will be the public IP address (VIP) of the APIM instance.

When API Management is deployed in an external virtual network and API Management connects to private (intranet-facing) backends, internal IP addresses (dynamic IP, or DIP addresses) from the subnet are used for the runtime API traffic. When a request is sent from API Management to a private backend, a private IP address will be visible as the origin of the request. So, if you have any firewall you would need to whitelist the entire subnet range.

For Scenario 2, if the backend of APIM is an Azure Function or Web App, and traffic flows from APIM to external services through those apps, then the outbound IP address will be the public IP address of the Azure Function or Web App. The APIM VIP is not used for outgoing traffic, and the outbound IP address will be determined by the backend service that is handling the traffic.

please refer: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-ip-addresses#ip-addresses-for-outbound-traffic

do let me know incase of further queries, I would be happy to assist you.

$@chin 200 Reputation points

2024-11-06T18:51:18.28+00:00

Hi @JananiRamesh-MSFT ,

Scenario 1:
Here, what will be the outbound IP address for traffic from APIM to external services ?

Is this the public IP address for the outbound traffic under APIM Vnet ? I have attached the screenshot below.

If yes, then assume it's optional. If it is not configured, what will be the outbound IP address for APIM traffic ? so that correct details can be shared on other end for whitelisting.

Scenario 2:

outbound public IP address of the VNet subnet where the Function or Web App is deployed is shown in the screenshot below. Both the Web App and Function App use dynamic outbound IP addresses. If the Web App and Function App are hosted behind the API Management, will this be the outbound IP addresses of the App Service be used for external communications ?

That means
JananiRamesh-MSFT 29,276 Reputation points

2024-11-07T12:21:27.63+00:00
@$@chin please find the details below

Here, what will be the outbound IP address for traffic from APIM to external services?
outbound IP address for traffic from APIM to external services will be the public IP address (VIP) of the APIM instance. you can see this ip address in the overview page of your APIM instance.

outbound public IP address of the VNet subnet where the Function or Web App is deployed is shown in the screenshot below. Both the Web App and Function App use dynamic outbound IP addresses. If the Web App and Function App are hosted behind the API Management, will this be the outbound IP addresses of the App Service be used for external communications?
yes, please refer: https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips

do let me know incase of further queries, I would be happy to assist you.

If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.
JananiRamesh-MSFT 29,276 Reputation points

2024-11-14T04:18:44.67+00:00

@$@chin Please accept as Yes if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.

Share via

Does outbound IP of APIM premium tier is same as the Virtual IP address ?

1 answer

Your answer