Reputation: 3
Just wanted to see if there were any Azure App Service or APIM experts that could help me get past something that is puzzling me when it comes to restricting access to my app service endpoint to the IP address of my Azure API Management service. I can successfully set the APIM's IP address in an "allow" rule, in the Access Restrictions section of the networking tab, in the app service I am targeting. What happens though, is that the APIM redirects my browser to hit the app service endpoint with its own IP address, which of course I just set to be restricted only to allow access from the APIM IP address.
A 308 Moved Permanently HTTP code is delivered to my browser and my browser is sent to the app service page. I am met with a 403 restricted error, because it is indeed my IP address that is accessing the app service. I am expecting to be redirected to my desired app service, and to be allowed access because it was passed from the "allowed" IP address of my APIM. Do I need to adjust this somehow with an APIM policy, or some kind of networking policy inside the targeted app service?
When I attempt to hit the app from the APIM endpoint, my redirect causes web app to restrict MY IP address
Any thoughts at all would be very helpful
Upvotes: 0
Views: 1135
Reputation: 7825
APIM never replies with a redirect on its own, so I assume that your backend does that. By default APIM will just pass the backend HTTP response to the client, no matter the status code. But you can use policies to decide what to do with the response in general. For redirects specifically, there is an option follow-redirects on the forward-request policy that does what you need.
Upvotes: 0
Reputation: 16198
If you are redirecting clients to go to your app service directly, you cannot put an IP restriction on your App Service. The App Service doesn't know anything about the redirect coming from APIM (and thus that you want to allow it). Also, if you put a 308 Redirect in, the next time the client might (based on its cache) hit the App Service directly, without going to APIM first again.
So: What you are trying here doesn't work - and doesn't make too much sense either. If you want all your clients to go through APIM, then forward the request in APIM instead of redirecting the clients.
Upvotes: 0
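An added example, not part of either answer or of any project's own code: an API-scope APIM policy that sets the follow-redirects attribute named above on forward-request, so the gateway follows the backend's 308 itself and the only caller the App Service sees is the allowed APIM address. The surrounding policy skeleton is an assumption about the API's existing policy; only forward-request and follow-redirects come from the thread.

```xml
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <!--
            Replaces the default <base /> in the backend section.
            follow-redirects="false" (the default): a 3xx from the backend is
            passed to the client unchanged, so the browser is sent to the
            App Service hostname and hits the access restriction with its
            own IP (the 403 described in the question).
            follow-redirects="true": the gateway requests the redirect target
            itself and returns the final response, so the App Service only
            ever sees the APIM address that the "allow" rule permits.
        -->
        <forward-request follow-redirects="true" />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

To check the result, request the APIM endpoint from a client outside the allow rule and confirm the response carries no Location header pointing at the App Service hostname. A browser that already cached the earlier 308 may keep going to the App Service directly until that cache entry is cleared.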