Inbound Azure Firewall rules to allow connectivity from the Azure APIM control plane to an APIM instance in internal mode

Maxim Sokolov 25 Reputation points

I'm having trouble configuring the inbound Azure Firewall rules to allow connectivity from the Azure APIM control plane to my APIM instance in internal mode. I've followed the instructions listed in the official documentation and have added the 4 Azure control plane IP addresses, listed in the official APIM documentation, to my network firewall rule (as a source), but I'm still getting an error on the network status page of my APIM "internal" instance. What is more, I am not able to see any traffic coming from those control plane IPs in my Azure Firewall logs. So the issue might have something to do with routing.

Can anyone provide guidance on how to properly configure the inbound Azure Firewall rules and/or routing tables/routes for APIM control plane traffic to allow for connectivity to/from APIM behind Azure Firewall in this scenario? Any help would be greatly appreciated. Thanks in advance!

Thanks, Maxim


Accepted answer
  1. Sedat SALMAN 13,345 Reputation points

    Configure Routing Tables

    a. Create a new Route Table in the same resource group as your Virtual Network or use an existing one.

    b. Add a new route, specifying the following:

    • Address Prefix: The address range for the Azure APIM control plane IP addresses.
    • Next Hop Type: Select 'Virtual Appliance'.
    • Next Hop Address: Enter the private IP address of your Azure Firewall.

    c. Associate the Route Table with the subnet(s) that contain your APIM instance.


    Check NSG Rules


    Verify APIM and Subnet Configurations

    a. Ensure that your APIM instance is deployed within the correct subnet in your virtual network.

    b. Configure the necessary service endpoints on the subnet that contains your APIM instance, such as 'Microsoft.ApiManagement' and 'Microsoft.Web'.

    c. Make sure your APIM instance is properly configured to use the custom domain and SSL certificate required for internal mode, and that the 'Virtual network type' is set to 'Internal'.
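An added example, not part of the answer above: a check that each control plane address resolves to the firewall as next hop, using Azure's route selection (longest prefix match, with user-defined routes beating BGP and system routes on a tie). The dictionary keys, the firewall IP and the control plane addresses (documentation ranges used as placeholders) are constructed assumptions; substitute the subnet's real effective routes and the addresses from the APIM documentation.

```python
import ipaddress

# On an equal-length prefix, user-defined routes win over BGP routes,
# which win over system (Default) routes.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

def select_route(routes, destination):
    """Return the route that would be chosen for `destination`, or None."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    # Longest prefix first, then route source priority as the tie-breaker.
    return min(matches, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                       SOURCE_PRIORITY[r["source"]]))

def check_control_plane_routes(routes, control_plane_ips, firewall_ip):
    """Map each control plane IP to True if its next hop is the firewall."""
    result = {}
    for ip in control_plane_ips:
        route = select_route(routes, ip)
        result[ip] = (route is not None
                      and route["next_hop_type"] == "VirtualAppliance"
                      and route.get("next_hop_ip") == firewall_ip)
    return result

# Constructed sample data (placeholders, not real APIM control plane IPs).
FIREWALL_IP = "10.0.1.4"
CONTROL_PLANE_IPS = ["203.0.113.10", "203.0.113.20", "198.51.100.7", "198.51.100.8"]
EFFECTIVE_ROUTES = [
    {"source": "Default", "prefix": "10.0.0.0/16", "next_hop_type": "VnetLocal"},
    {"source": "Default", "prefix": "0.0.0.0/0", "next_hop_type": "Internet"},
    {"source": "User", "prefix": "203.0.113.0/24",
     "next_hop_type": "VirtualAppliance", "next_hop_ip": FIREWALL_IP},
    # Only one of the two 198.51.100.x addresses was given a route,
    # so the other falls through to the default Internet route.
    {"source": "User", "prefix": "198.51.100.7/32",
     "next_hop_type": "VirtualAppliance", "next_hop_ip": FIREWALL_IP},
]

if __name__ == "__main__":
    checked = check_control_plane_routes(EFFECTIVE_ROUTES, CONTROL_PLANE_IPS, FIREWALL_IP)
    for ip, ok in checked.items():
        print(f"{ip}: {'via firewall' if ok else 'NOT via firewall'}")
```

Any address reported as not going via the firewall is one the route table from step b does not cover.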
