Azure APIM : Target system to whitelist Azure APIM traffic

Amit-J 316 Reputation points
2022-11-08T07:03:40.107+00:00

Hi,

The target api system wants to whitelist calls only from Azure API Management.
My APIM is inside virtual network.

What is the correct Header of Azure APIM that I should provide to the target api system, so that it can be whitelisted ?

I guess it should be something X-Forwarded or X-Origin headers host headers.
Because X-Forwarded ip address cannot be the right solution as the outbound ip address from azure apim wil depend on the available ip address in the subnet.
It will not be constant forever.

What is the right recommendation ?

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,861 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. MuthuKumaranMurugaachari-MSFT 22,256 Reputation points
    2022-11-11T15:58:44.97+00:00

    @Amit-J I assume your APIM is in VNET, and backend API is outside VNET (internet facing), and you want to allow-list only calls from APIM. APIM uses public IP address for a connection outside VNET/peered VNET and internal IP addresses from the subnet are only used for within the VNET or a peered VNET. Refer IP addresses for outbound traffic for more info as mentioned below:

    259624-image.png

    As per Changes to the IP addresses, public IP address is static with few exceptions, and you would need to adjust allow-list in target backend API accordingly. It is also possible to route and override public IP of APIM with NVA's IP and refer SO thread and comment from our product team. I hope this helps but feel free to add a comment for any questions or clarify if my assumptions are incorrect.

    1 person found this answer helpful.
    0 comments No comments

  2. MughundhanRaveendran-MSFT 12,446 Reputation points
    2022-11-09T07:56:39.963+00:00

    Hi @Amit-J ,

    Thanks for posting your query in Q&A forum.

    The ideal way to achieve your goal is to add the target API to the same vnet where the APIM is present. When the target API and APIM are present in same vnet, then there is no need to whitelist the IP adressess. If you would like to go with the headers approach, you can set a custom HTTP header in the outbound policy in APIM and validate it at the target api side.

    https://learn.microsoft.com/en-us/azure/api-management/api-management-transformation-policies#SetHTTPheader

    Hope this helps! Feel free to reach out to me if you have any questions or concerns.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.