If my APIM (API Management Service) is public, why can it retrieve storage blob that is private?

Question

We created a APIM with public IP no network VNET/Private endpoint enabled.

The storage account Public network access is set to disabled and a private endpoint has been configured. RBAC permissions have been provided for the APIM managed identity to the storage account, however why is it that the APIM can access the data plane from a network perspective if the APIM in public and the storage is configured for private endpoint?

Answer 1

Hi Niggie Anwar (IT Services) - Thanks for reaching out.

Based on the documentation, access to a storage account from trusted services takes the highest precedence over other network access restrictions.

https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal#change-the-default-network-access-rule

I further notice API Management Service is part of trusted service list.

https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal#trusted-access-based-on-a-managed-identity

So ideally, this should tend to work. I would recommend testing it out once and in case there are any exception observed, you can raise a support ticket for further deeper investigation of the logs ahead.

Hope that helps!

Let me know if there are any further queries/concerns, will be glad to assist.

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.