Virtual network configuration reference: API Management

This reference provides detailed network configuration settings for an API Management instance deployed in an Azure virtual network in the external or internal mode.

For VNet connectivity options, requirements, and considerations, see Using a virtual network with Azure API Management.

Required ports

Control inbound and outbound traffic into the subnet in which API Management is deployed by using network security group rules. If certain ports are unavailable, API Management may not operate properly and may become inaccessible.

When an API Management service instance is hosted in a VNet, the ports in the following table are used. Some requirements differ depending on the version (stv2 or stv1) of the compute platform hosting your API Management instance.

Important

  • Bold items in the Purpose column indicate port configurations required for successful deployment and operation of the API Management service. Configurations labeled "optional" enable specific features, as noted. They are not required for the overall health of the service.

  • We recommend using the indicated service tags instead of IP addresses in NSG and other network rules to specify network sources and destinations. Service tags prevent downtime when infrastructure improvements necessitate IP address changes.

Important

When using stv2, it is required to assign a Network Security Group to your VNet in order for the Azure Load Balancer to work. Learn more in the Azure Load Balancer documentation.

Source / Destination Port(s) Direction Transport protocol Service tags
Source / Destination
Purpose VNet type
* / [80], 443 Inbound TCP Internet / VirtualNetwork Client communication to API Management External only
* / 3443 Inbound TCP ApiManagement / VirtualNetwork Management endpoint for Azure portal and PowerShell External & Internal
* / 443 Outbound TCP VirtualNetwork / Storage Dependency on Azure Storage External & Internal
* / 443 Outbound TCP VirtualNetwork / AzureActiveDirectory Microsoft Entra ID, Microsoft Graph, and Azure Key Vault dependency (optional) External & Internal
* / 443 Outbound TCP VirtualNetwork / AzureConnectors managed connections dependency (optional) External & Internal
* / 1433 Outbound TCP VirtualNetwork / Sql Access to Azure SQL endpoints External & Internal
* / 443 Outbound TCP VirtualNetwork / AzureKeyVault Access to Azure Key Vault External & Internal
* / 5671, 5672, 443 Outbound TCP VirtualNetwork / EventHub Dependency for Log to Azure Event Hubs policy and Azure Monitor (optional) External & Internal
* / 445 Outbound TCP VirtualNetwork / Storage Dependency on Azure File Share for GIT (optional) External & Internal
* / 1886, 443 Outbound TCP VirtualNetwork / AzureMonitor Publish Diagnostics Logs and Metrics, Resource Health, and Application Insights External & Internal
* / 6380 Inbound & Outbound TCP VirtualNetwork / VirtualNetwork Access external Azure Cache for Redis service for caching policies between machines (optional) External & Internal
* / 6381 - 6383 Inbound & Outbound TCP VirtualNetwork / VirtualNetwork Access internal Azure Cache for Redis service for caching policies between machines (optional) External & Internal
* / 4290 Inbound & Outbound UDP VirtualNetwork / VirtualNetwork Sync Counters for Rate Limit policies between machines (optional) External & Internal
* / 6390 Inbound TCP AzureLoadBalancer / VirtualNetwork Azure Infrastructure Load Balancer External & Internal
* / 443 Inbound TCP AzureTrafficManager / VirtualNetwork Azure Traffic Manager routing for multi-region deployment External

Regional service tags

NSG rules allowing outbound connectivity to Storage, SQL, and Azure Event Hubs service tags may use the regional versions of those tags corresponding to the region containing the API Management instance (for example, Storage.WestUS for an API Management instance in the West US region). In multi-region deployments, the NSG in each region should allow traffic to the service tags for that region and the primary region.

TLS functionality

To enable TLS/SSL certificate chain building and validation, the API Management service needs outbound network connectivity on ports 80 and 443 to ocsp.msocsp.com, oneocsp.msocsp.com, mscrl.microsoft.com, crl.microsoft.com, and csp.digicert.com. This dependency is not required if any certificate you upload to API Management contains the full chain to the CA root.

DNS access

Outbound access on port 53 is required for communication with DNS servers. If a custom DNS server exists on the other end of a VPN gateway, the DNS server must be reachable from the subnet hosting API Management.

Microsoft Entra integration

To operate properly, the API Management service needs outbound connectivity on port 443 to the following endpoints associated with Microsoft Entra ID: <region>.login.microsoft.com and login.microsoftonline.com.

Metrics and health monitoring

Outbound network connectivity to Azure Monitoring endpoints, which resolve under the following domains, are represented under the AzureMonitor service tag for use with Network Security Groups.

Azure Environment Endpoints
Azure Public
  • gcs.prod.monitoring.core.windows.net
  • global.prod.microsoftmetrics.com
  • shoebox2.prod.microsoftmetrics.com
  • shoebox2-red.prod.microsoftmetrics.com
  • shoebox2-black.prod.microsoftmetrics.com
  • prod3.prod.microsoftmetrics.com
  • prod3-black.prod.microsoftmetrics.com
  • prod3-red.prod.microsoftmetrics.com
  • gcs.prod.warm.ingestion.monitoring.azure.com
Azure Government
  • fairfax.warmpath.usgovcloudapi.net
  • global.prod.microsoftmetrics.com
  • shoebox2.prod.microsoftmetrics.com
  • shoebox2-red.prod.microsoftmetrics.com
  • shoebox2-black.prod.microsoftmetrics.com
  • prod3.prod.microsoftmetrics.com
  • prod3-black.prod.microsoftmetrics.com
  • prod3-red.prod.microsoftmetrics.com
  • prod5.prod.microsoftmetrics.com
  • prod5-black.prod.microsoftmetrics.com
  • prod5-red.prod.microsoftmetrics.com
  • gcs.prod.warm.ingestion.monitoring.azure.us
Microsoft Azure operated by 21Vianet
  • mooncake.warmpath.chinacloudapi.cn
  • global.prod.microsoftmetrics.com
  • shoebox2.prod.microsoftmetrics.com
  • shoebox2-red.prod.microsoftmetrics.com
  • shoebox2-black.prod.microsoftmetrics.com
  • prod3.prod.microsoftmetrics.com
  • prod3-red.prod.microsoftmetrics.com
  • prod5.prod.microsoftmetrics.com
  • prod5-black.prod.microsoftmetrics.com
  • prod5-red.prod.microsoftmetrics.com
  • gcs.prod.warm.ingestion.monitoring.azure.cn

Developer portal CAPTCHA

Allow outbound network connectivity for the developer portal's CAPTCHA, which resolves under the hosts client.hip.live.com and partner.hip.live.com.

Publishing the developer portal

Enable publishing the developer portal for an API Management instance in a VNet by allowing outbound connectivity to blob storage in the West US region. For example, use the Storage.WestUS service tag in an NSG rule. Currently, connectivity to blob storage in the West US region is required to publish the developer portal for any API Management instance.

Azure portal diagnostics

When using the API Management diagnostics extension from inside a VNet, outbound access to dc.services.visualstudio.com on port 443 is required to enable the flow of diagnostic logs from Azure portal. This access helps in troubleshooting issues you might face when using the extension.

Azure load balancer

You're not required to allow inbound requests from service tag AzureLoadBalancer for the Developer SKU, since only one compute unit is deployed behind it. However, inbound connectivity from AzureLoadBalancer becomes critical when scaling to a higher SKU, such as Premium, because failure of the health probe from load balancer then blocks all inbound access to the control plane and data plane.

Application Insights

If you enabled Azure Application Insights monitoring on API Management, allow outbound connectivity to the telemetry endpoint from the VNet.

KMS endpoint

When adding virtual machines running Windows to the VNet, allow outbound connectivity on port 1688 to the KMS endpoint in your cloud. This configuration routes Windows VM traffic to the Azure Key Management Services (KMS) server to complete Windows activation.

Internal infrastructure and diagnostics

The following settings and FQDNs are required to maintain and diagnose API Management's internal compute infrastructure.

  • Allow outbound UDP access on port 123 for NTP.
  • Allow outbound TCP access on port 12000 for diagnostics.
  • Allow outbound access on port 443 to the following endpoints for internal diagnostics: azurewatsonanalysis-prod.core.windows.net, *.data.microsoft.com, azureprofiler.trafficmanager.net, shavamanifestazurecdnprod1.azureedge.net, shavamanifestcdnprod1.azureedge.net.
  • Allow outbound access on port 443 to the following endpoint for internal PKI: issuer.pki.azure.com.
  • Allow outbound access on ports 80 and 443 to the following endpoints for Windows Update: *.update.microsoft.com, *.ctldl.windowsupdate.com, ctldl.windowsupdate.com, download.windowsupdate.com.
  • Allow outbound access on ports 80 and 443 to the endpoint go.microsoft.com.
  • Allow outbound access on port 443 to the following endpoints for Windows Defender: wdcp.microsoft.com, wdcpalt.microsoft.com .

Control plane IP addresses

Important

Control plane IP addresses for Azure API Management should be configured for network access rules only when needed in certain networking scenarios. We recommend using the ApiManagement service tag instead of control plane IP addresses to prevent downtime when infrastructure improvements necessitate IP address changes.

Learn more about:

For more guidance on configuration issues, see: