Reputation: 11
How to explain inconsistent API Management IP address of forwarded requests?
I have:
A Consumption Function App
An APIM API connected to the Function App backend - no additional customisations or policies
- There is a static IP (Developer tier)
I turn on traffic rules for the Function App with the following rules:
<APIM static IP> - Allow
Default - Deny
The results of this:
From Postman I get a successful response from my Function App endpoint
From Power Automate using a HTTP action I get a 403 with an x-ms-forbidden-ip from the known Logic Apps address range
x-ms-forbidden-ip error header
After this I update the traffic rules on the Function App with a Service Tag:
- LogicApps.<region> - Allow
This, of course, now allows that traffic from Power Automate HTTP actions.
My question is - what is APIM doing internally for the Function App to see a different IP for each request source?
I have tried reviewing documentation and like this and using different traffic rules, but cannot find any new information or documentation to explain the behaviour.
Upvotes: 0
Views: 68
Answers (1)
Reputation: 1197
My question is - what is APIM doing internally for the Function App to see a different IP for each request source?
Azure API Management (APIM) forwards requests based on the original source, not always uses its static outbound IP. This is due to APIM’s forwarding behavior, which can make the Function App see different IPs.
- It's a default behavior, APIM forwards the original client’s IP address to the backend service.
- This explains why Postman requests appear to come from
APIM’s static IP, while Power Automate requests appear to come from theLogic Apps IP range. - Please refer this doc for better understanding about Preserving Client IP.
APIM may use its own outbound IP if no authentication policies enforce the original client’s identity, and when the backend doesn’t need the original client’s IP.
- If you want your Function App to always see APIM’s static IP instead of the original client’s IP, you can achieve this by using an APIM policy.
APIM policy:
<policies>
<inbound>
<base />
<set-header name="X-Forwarded-For" exists-action="override">
<value>@(context.Request.IpAddress)</value>
</set-header>
</inbound>
</policies>
Refer this doc to know about API Management policy.
Upvotes: 1
Related Questions
- Execution sequence to execute bicep for apim and consumption logic app
- Azure APIM: React app sends GET request and get response with status code 200, but the request never gets to the backend from the APIM
- IP Filter for Azure Functions to only allow traffic from Azure API Management Service
- Azure Functions Error Message: Method not allowed in this pricing tier
- Outbound IP address Azure API Management
- Azure API Management (consumption tier): First request gives timeout and is not sent to backend service
- Azure AppService>Networking>Access Restrictions & handling 308 redirects from API Management
- Azure function returns 403 when triggered by Azure DataFactory
- CNAME record not found for lower-priority Azure API Management instance behind Traffic Manager