How to set IP Filter Policy in Azure API Management Service for an Azure Static Web App

Ziggy Zulueta 480 Reputation points MVP
2023-04-09T15:55:43.9633333+00:00

I have an Azure API created via Azure API Management Service that I want to restrict its access to just one Azure Static Web App. What I did was to do an nslookup on the Azure Static Web App in the console to get the IP address and setup an IP Filter in the Inbound Processing setting of Azure API. However it does not work. Here is the nslookup blocking out my real https website address:

nslookup https://xxxx-xxx-xxx.3.azurestaticapps.net
Server:  waws-prod-hk1-c0bded75.sip.p.azurewebsites.windows.net
Address:  13.75.66.141
Aliases:  https://xxxx-xxx-xxx.3.azurestaticapps.net
          azurestaticapps3.trafficmanager.net
          msha-slice-3-hk1-1.msha-slice-3-hk1-1-ase.p.azurewebsites.net

I can access my api thru my website but after I put the below Filter , my website can no longer access the api.

        <ip-filter action="allow">
            <address>13.75.66.141</address>
        </ip-filter>

So How do I fix this? I want ONLY my Azure Static Web App to access my API in Azure API Management

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,805 questions
Azure
Azure
A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
996 questions
Azure Static Web Apps
Azure Static Web Apps
An Azure service that provides streamlined full-stack web app development.
783 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Sedat SALMAN 13,180 Reputation points
    2023-04-09T17:34:09.6566667+00:00

    Azure Static Web Apps use a content delivery network (CDN) to cache and serve content, so the IP address of your Static Web App is not fixed and can change. Using an IP filter for your Azure API Management Service is not a viable solution in this case. Instead, you can implement an authentication mechanism to secure your API and allow only your Azure Static Web App to access it. One common approach is to use API keys for authentication. API Management Service instance > Subscriptions > API Management > Primary key > In your Azure Static Web App, add the subscription key to your API requests. You can include it in the request header as follows

    fetch('https://your-api-management-instance.azure-api.net/your-api-endpoint', {
      headers: {
        'Ocp-Apim-Subscription-Key': 'your-primary-key'
      }
    })
    
    

  2. MuthuKumaranMurugaachari-MSFT 22,236 Reputation points
    2023-04-10T17:26:12.8033333+00:00

    Ziggy Zulueta Thanks for posting your question in Microsoft Q&A. Based on your description, you are looking to restrict APIM to accept requests only from Azure Static Web Apps. As discussed above, it is not possible to restrict via IP address.

    I have discussed with our static web apps product team, and the current solution is to use bring your own API instead of managed version and then integrate with Azure API Management. Once you integrate it, validate-jwt policy is added to the product to allow only requests that contain a valid access token generated from the linked static web app. We have updated this note in https://github.com/Azure/static-web-apps/issues/75. Here are the doc references: https://learn.microsoft.com/en-us/azure/static-web-apps/apis-overview#api-options and API support in Azure Static Web Apps with Azure API Management to perform the integration. Note, the feature is currently in preview and bring your own APIs is only available in standard plan.

    I hope this helps with your question and let me know if you have any other.


    If you found the answer to your question helpful, please take a moment to mark it as "Yes" for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.


  3. RobertLynch-8642 0 Reputation points
    2024-01-26T17:35:07.9633333+00:00

    First Pinging the server or doing a tracert or nslookup will NOT get you the IP address of your service.
    You need to find the "external IP address" of the service.. what you are seeing is probably just a load balancer. (incoming calls).
    To find your IP address (of the Management API) go to the Monitoring -> analytics section. Click on the Requests tab and scroll to the bottom (assuming you just tried it) the Response Code the the NON authorized IP will be a 403. Add that to your filter. (example below)

    Then the IP filter should look something like this. (replace the xxx with your IP address once you find it.

    <policies>
        <inbound>
            <base />
            <ip-filter action="allow">
                <address-range from="xxx.xx.xxx.xxx" to="xxx.xx.xx.xxx" />         </ip-filter></inbound>