Azure Firewall inbound and outbound exceptions for APIM instance deployed in Internal VNet mode

Taranjeet Malik 446 Reputation points
2024-05-08T07:55:30.75+00:00

Hi Community

I'm planning to deploy an APIM instance in "Internal" VNet injection mode in a hub-spoke topology where APIM is deployed to a spoke VNet and there's an Azure Firewall in the hub that polices all the inbound and outbound traffic. UDRs are in place to route all the traffic destined for the Internet (0.0.0.0/0) from the subnets. I would like to understand the firewall port exceptions that specifically apply to Azure Firewall when it is between APIM and the Internet. The following article does cover the exceptions needed in the NSG applied to the APIM subnet --> https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2

However, I've seen some forums where users have reported that even after applying these rules, they still struggle to bring the APIM into a healthy state --> https://learn.microsoft.com/en-us/answers/questions/1274857/inbound-azure-firewall-rules-to-allow-connectivity?cid=kerryherger

Is there any MS guidance specific to creating Azure Firewall based inbound/outbound exceptions when APIM is deployed in Internal VNet mode?

Can someone please help clarify what rules (ports, protocols, and direction) would be needed in this case?

Thanks

Taranjeet Singh

Tags: Azure API Management, Azure Firewall

1 answer

  1. Sedat SALMAN 13,180 Reputation points
    2024-05-10T03:14:21.0333333+00:00

    There are general guidance documents; by using them you can adapt the firewall rules:

    https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet

    https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

    As a summary:

    • Internal VNet mode implies forced tunneling. All outbound traffic will be routed through the Azure Firewall. You must ensure appropriate routing and firewall rules allow the required communication.
    • Both the APIM management endpoint and developer portal require outbound connectivity.
    • Your APIM instance likely communicates with backend APIs or services. Identify the firewall rules needed to allow this traffic.

    And while creating them it is better to use service tags:

    https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

    Required rules:

    Source          Destination           Protocol            Ports           Action
    ApiManagement   APIM Subnet           TCP                 3443            Allow
    APIM Subnet     Internet              HTTPS               443             Allow
    APIM Subnet     AzureStorage          HTTPS               443             Allow
    APIM Subnet     <Backend Service IP>  <Backend Protocol>  <Backend Port>  Allow
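A way to check that a rule set like the one in the answer actually covers the flows APIM needs, as an added example that is not code from this thread, from Microsoft or from the Azure Firewall service: the four rows are modelled as network rule collections of a firewall policy, and a small evaluator reproduces how Azure Firewall processes them (collections in ascending priority order, first matching rule decides, anything unmatched is implicitly denied). The spoke subnet 10.1.1.0/24, the backend address 10.2.0.10 and port 8443, the rule and collection names, and the test traffic are all assumptions constructed for the example. Two details differ from the table on purpose: the Azure service tag for storage is named `Storage`, and a network rule expresses the "Internet" destination as the wildcard `*` (an application rule with target FQDNs is the tighter option). Only the four rows of the answer are modelled; the linked Microsoft article remains the reference for the full dependency list.

```python
"""Simulate Azure Firewall policy evaluation for an internal-mode APIM subnet.

Added example, not code from the Q&A thread or from Microsoft. Prefixes,
backend address/port, names and test flows are constructed assumptions.
"""
import ipaddress

APIM_SUBNET = "10.1.1.0/24"   # assumed spoke subnet hosting the APIM instance
BACKEND = "10.2.0.10"         # assumed backend API address reached via the hub

# Network rule collections, kept to the fields the evaluator needs (shape of a
# firewall policy rule collection group). Service tags are referenced by name.
RULE_COLLECTIONS = [
    {"name": "apim-inbound", "priority": 100, "action": "Allow", "rules": [
        {"name": "mgmt-3443", "protocol": "TCP", "src": ["ApiManagement"],
         "dst": [APIM_SUBNET], "ports": [3443]},
    ]},
    {"name": "apim-outbound", "priority": 200, "action": "Allow", "rules": [
        {"name": "storage-443", "protocol": "TCP", "src": [APIM_SUBNET],
         "dst": ["Storage"], "ports": [443]},          # tag is `Storage`
        {"name": "backend", "protocol": "TCP", "src": [APIM_SUBNET],
         "dst": [BACKEND], "ports": [8443]},           # assumed backend port
        {"name": "internet-443", "protocol": "TCP", "src": [APIM_SUBNET],
         "dst": ["*"], "ports": [443]},                # '*' = Internet row
    ]},
]


def _addr_match(value, spec):
    """'*' matches anything; a service tag matches only the same tag name;
    a CIDR prefix matches an IP address inside it."""
    if spec == "*":
        return True
    if spec[0].isalpha() or value[0].isalpha():
        return value == spec
    return ipaddress.ip_address(value) in ipaddress.ip_network(spec, strict=False)


def _rule_match(rule, flow):
    return (rule["protocol"] in ("Any", flow["protocol"])
            and any(_addr_match(flow["src"], s) for s in rule["src"])
            and any(_addr_match(flow["dst"], d) for d in rule["dst"])
            and ("*" in rule["ports"] or flow["port"] in rule["ports"]))


def evaluate(flow, collections=RULE_COLLECTIONS):
    """Collections run in ascending priority order; the first matching rule
    decides; unmatched traffic is implicitly denied. Returns (action, hit)."""
    for coll in sorted(collections, key=lambda c: c["priority"]):
        for rule in coll["rules"]:
            if _rule_match(rule, flow):
                return coll["action"], f'{coll["name"]}/{rule["name"]}'
    return "Deny", "implicit"


# Flows an internal-mode APIM instance must complete (constructed test traffic).
REQUIRED = {
    "control-plane":   {"src": "ApiManagement", "dst": "10.1.1.5", "protocol": "TCP", "port": 3443},
    "storage":         {"src": "10.1.1.5", "dst": "Storage", "protocol": "TCP", "port": 443},
    "backend":         {"src": "10.1.1.5", "dst": BACKEND, "protocol": "TCP", "port": 8443},
    "public-endpoint": {"src": "10.1.1.5", "dst": "203.0.113.7", "protocol": "TCP", "port": 443},
}


def blocked_flows(collections=RULE_COLLECTIONS):
    """Names of required flows the policy does not allow; empty means the policy
    covers every row of the answer's table."""
    return [n for n, f in REQUIRED.items() if evaluate(f, collections)[0] != "Allow"]


def with_broad_deny(collections=RULE_COLLECTIONS):
    """Copy of the policy with a Deny collection at priority 150: it sits between
    the inbound and outbound collections and swallows every outbound flow before
    the allow rules are reached, which is why APIM never becomes healthy."""
    deny = {"name": "block-egress", "priority": 150, "action": "Deny", "rules": [
        {"name": "all-egress", "protocol": "Any", "src": [APIM_SUBNET],
         "dst": ["*"], "ports": ["*"]}]}
    return collections + [deny]


if __name__ == "__main__":
    print("blocked with answer's rules:", blocked_flows())
    print("blocked with misplaced deny:", blocked_flows(with_broad_deny()))
    print("random Internet host -> 3443:",
          evaluate({"src": "198.51.100.9", "dst": "10.1.1.5", "protocol": "TCP", "port": 3443}))
```

Running the script shows the answer's rule set leaves no required flow blocked, that an arbitrary Internet source still cannot reach port 3443 (only the ApiManagement tag can), and that inserting a broad Deny collection at a priority number lower than the outbound Allow collection silently breaks the storage, backend and Internet flows, which matches the "still unhealthy after adding the rules" symptom in the linked thread.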