[APIM] Remove control plane IPs

dlepow · dlepow · commit 2cba99e45d0b · 2023-11-30T13:00:16.000-08:00
diff --git a/articles/api-management/api-management-howto-disaster-recovery-backup-restore.md b/articles/api-management/api-management-howto-disaster-recovery-backup-restore.md
@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: how-to
-ms.date: 07/27/2022
+ms.date: 11/30/2023
 ms.author: danlep 
 ms.custom: devx-track-azurepowershell
 ---
@@ -334,13 +334,8 @@ Restore is a long-running operation that may take up to 30 or more minutes to co
 
 ## Storage networking constraints
 
-### Access using storage access key
-
-If the storage account is **[firewall][azure-storage-ip-firewall] enabled** and a storage key is used for access, then the customer must **Allow** the set of [Azure API Management control plane IP addresses][control-plane-ip-address] on their storage account for backup or restore to work. The storage account can be in any Azure region except the one where the API Management service is located. For example, if the API Management service is in West US, then the Azure Storage account can be in West US 2 and the customer needs to open the control plane IP 13.64.39.16 (API Management control plane IP of West US) in the firewall. This is because the requests to Azure Storage aren't SNATed to a public IP from compute (Azure API Management control plane) in the same Azure region. Cross-region storage requests will be SNATed to the public IP address.
-
-### Access using managed identity
 
-If an API Management system-assigned managed identity is used to access a firewall-enabled storage account, ensure that the storage account [grants access to trusted Azure services](../storage/common/storage-network-security.md?tabs=azure-portal#grant-access-to-trusted-azure-services).
+If the storage account is **[firewall][azure-storage-ip-firewall] enabled**, it's recommended to use the API Management instance's system-assigned managed identity for access to the account. Ensure that the storage account [grants access to trusted Azure services](../storage/common/storage-network-security.md?tabs=azure-portal#grant-access-to-trusted-azure-services).
 
 ## What is not backed up
 -   **Usage data** used for creating analytics reports **isn't included** in the backup. Use [Azure API Management REST API][azure api management rest api] to periodically retrieve analytics reports for safekeeping.
diff --git a/articles/api-management/virtual-network-reference.md b/articles/api-management/virtual-network-reference.md
@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: reference
-ms.date: 10/19/2023
+ms.date: 11/29/2023
 ms.author: danlep
 ms.custom: references_regions
 ---
@@ -25,7 +25,7 @@ When an API Management service instance is hosted in a VNet, the ports in the fo
 >[!IMPORTANT]
 > * **Bold** items in the *Purpose* column indicate port configurations required for successful deployment and operation of the API Management service. Configurations labeled "optional" enable specific features, as noted. They are not required for the overall health of the service. 
 >
-> * We recommend using [service tags](../virtual-network/service-tags-overview.md) instead of IP addresses in NSG rules to specify network sources and destinations. Service tags prevent downtime when infrastructure improvements necessitate IP address changes.      
+> * We recommend using the indicated [service tags](../virtual-network/service-tags-overview.md) instead of IP addresses in NSG and other network rules to specify network sources and destinations. Service tags prevent downtime when infrastructure improvements necessitate IP address changes.      
 
 
 ### [stv2](#tab/stv2)
@@ -137,85 +137,26 @@ The following settings and FQDNs are required to maintain and diagnose API Manag
 
 ## Control plane IP addresses
 
-The following IP addresses are divided by **Azure Environment** and **Region**. In some cases, two IP addresses are listed. Permit both IP addresses.
-
 > [!IMPORTANT]
-> Control plane IP addresses should be configured for network access rules only when needed in certain networking scenarios. We recommend using the **ApiManagement** [service tag](../virtual-network/service-tags-overview.md) instead of control plane IP addresses to prevent downtime when infrastructure improvements necessitate IP address changes.   
-
-| **Azure Environment**|   **Region**|  **IP address**|
-|-----------------|-------------------------|---------------|
-| Azure Public| Australia Central| 20.37.52.67|
-| Azure Public| Australia Central 2| 20.39.99.81|
-| Azure Public| Australia East| 20.40.125.155|
-| Azure Public| Australia Southeast| 20.40.160.107|
-| Azure Public| Brazil South| 191.233.24.179, 191.238.73.14|
-| Azure Public| Brazil Southeast| 191.232.18.181|
-| Azure Public| Canada Central| 52.139.20.34, 20.48.201.76|
-| Azure Public| Canada East| 52.139.80.117|
-| Azure Public| Central India| 13.71.49.1, 20.192.45.112|
-| Azure Public| Central US| 13.86.102.66|
-| Azure Public| Central US EUAP| 52.253.159.160|
-| Azure Public| East Asia| 52.139.152.27|
-| Azure Public| East US| 52.224.186.99|
-| Azure Public| East US 2| 20.44.72.3|
-| Azure Public| East US 2 EUAP| 52.253.229.253|
-| Azure Public| France Central| 40.66.60.111|
-| Azure Public| France South| 20.39.80.2|
-| Azure Public| Germany North| 51.116.0.0|
-| Azure Public| Germany West Central| 51.116.96.0, 20.52.94.112|
-| Azure Public| Japan East| 52.140.238.179|
-| Azure Public| Japan West| 40.81.185.8|
-| Azure Public| India Central| 20.192.234.160|
-| Azure Public| India West| 20.193.202.160|
-| Azure Public| Korea Central| 40.82.157.167, 20.194.74.240|
-| Azure Public| Korea South| 40.80.232.185|
-| Azure Public| North Central US| 40.81.47.216|
-| Azure Public| North Europe| 52.142.95.35|
-| Azure Public| Norway East| 51.120.2.185|
-| Azure Public| Norway West| 51.120.130.134|
-| Azure Public| South Africa North| 102.133.130.197, 102.37.166.220|
-| Azure Public| South Africa West| 102.133.0.79|
-| Azure Public| South Central US| 20.188.77.119, 20.97.32.190|
-| Azure Public| South India| 20.44.33.246|
-| Azure Public| Southeast Asia| 40.90.185.46|
-| Azure Public| Switzerland North| 51.107.246.176, 51.107.0.91|
-| Azure Public| Switzerland West| 51.107.96.8|
-| Azure Public| UAE Central| 20.37.81.41|
-| Azure Public| UAE North| 20.46.144.85|
-| Azure Public| UK South| 51.145.56.125|
-| Azure Public| UK West| 51.137.136.0|
-| Azure Public| West Central US| 52.253.135.58|
-| Azure Public| West Europe| 51.145.179.78|
-| Azure Public| West India| 40.81.89.24|
-| Azure Public| West US| 13.64.39.16|
-| Azure Public| West US 2| 51.143.127.203|
-| Azure Public| West US 3| 20.150.167.160|
-| Microsoft Azure operated by 21Vianet| China North (Global)| 139.217.51.16|
-| Microsoft Azure operated by 21Vianet| China East (Global)| 139.217.171.176|
-| Microsoft Azure operated by 21Vianet| China North| 40.125.137.220|
-| Microsoft Azure operated by 21Vianet| China East| 40.126.120.30|
-| Microsoft Azure operated by 21Vianet| China North 2| 40.73.41.178|
-| Microsoft Azure operated by 21Vianet| China East 2| 40.73.104.4|
-| Azure Government| USGov Virginia (Global)| 52.127.42.160|
-| Azure Government| USGov Texas (Global)| 52.127.34.192|
-| Azure Government| USGov Virginia| 52.227.222.92|
-| Azure Government| USGov Iowa| 13.73.72.21|
-| Azure Government| USGov Arizona| 52.244.32.39|
-| Azure Government| USGov Texas| 52.243.154.118|
-| Azure Government| USDoD Central| 52.182.32.132|
-| Azure Government| USDoD East| 52.181.32.192|
-
-
-## Next steps
+> Control plane IP addresses for Azure API Management should be configured for network access rules only when needed in certain networking scenarios. We recommend using the **ApiManagement** [service tag](../virtual-network/service-tags-overview.md) instead of control plane IP addresses to prevent downtime when infrastructure improvements necessitate IP address changes.   
+
+
+
+## Related content
 
 Learn more about:
 
 * [Connecting a virtual network to backend using VPN Gateway](../vpn-gateway/design.md#s2smulti)
 * [Connecting a virtual network from different deployment models](../vpn-gateway/vpn-gateway-connect-different-deployment-models-powershell.md)
-* [Debug your APIs using request tracing](api-management-howto-api-inspector.md)
 * [Virtual Network frequently asked questions](../virtual-network/virtual-networks-faq.md)
 * [Service tags](../virtual-network/network-security-groups-overview.md#service-tags)
 
+For more guidance on configuration issues, see:
+* [API Management - Networking FAQs (Demystifying series I)](https://techcommunity.microsoft.com/t5/azure-paas-blog/api-management-networking-faqs-demystifying-series-i/ba-p/1500996)
+* [API Management - Networking FAQs (Demystifying series II)](https://techcommunity.microsoft.com/t5/azure-paas-blog/api-management-networking-faqs-demystifying-series-ii/ba-p/1502056)
+
+
+
 [api-management-using-vnet-menu]: ./media/api-management-using-with-vnet/api-management-menu-vnet.png
 [api-management-setup-vpn-select]: ./media/api-management-using-with-vnet/api-management-using-vnet-select.png
 [api-management-setup-vpn-add-api]: ./media/api-management-using-with-vnet/api-management-using-vnet-add-api.png
diff --git a/includes/api-management-virtual-network-forced-tunneling.md b/includes/api-management-virtual-network-forced-tunneling.md
@@ -2,7 +2,7 @@
 author: dlepow
 ms.service: api-management
 ms.topic: include
-ms.date: 06/01/2022
+ms.date: 11/29/2023
 ms.author: danlep
 ---
 
@@ -21,11 +21,8 @@ Forced tunneling lets you redirect or "force" all internet-bound traffic from yo
       > [!NOTE]
       > We strongly recommend enabling service endpoints directly from the API Management subnet to dependent services such as Azure SQL and Azure Storage that support them. However, some organizations may have requirements to force tunnel all traffic from the API Management subnet. In this case, ensure that you configure your firewall or virtual appliance to allow this traffic. You will need to allow the complete [IP address range](https://www.microsoft.com/download/details.aspx?id=56519) of each dependent service, and keep this configuration up to date when the Azure infrastructure changes. Your API Management service may also experience latency or unexpected timeouts because of the force tunneling of this network traffic.  
 
-  * All the control plane traffic from the internet to the management endpoint of your API Management service is routed through a specific set of inbound IPs, hosted by API Management. When the traffic is force tunneled, the responses won't symmetrically map back to these inbound source IPs and connectivity to the management endpoint is lost. To overcome this limitation, configure user-defined routes ([UDRs][UDRs]) for these inbound IPs with next hop type set to "Internet", to steer traffic back to Azure. Configure the **ApiManagement** [service tag](../articles/virtual-network/service-tags-overview.md), or find the set of inbound IPs for control plane traffic documented in [Control plane IP addresses](../articles/api-management/virtual-network-reference.md#control-plane-ip-addresses).
+  * All the control plane traffic from the internet to the management endpoint of your API Management service is routed through a specific set of inbound IPs, hosted by API Management, encompassed by the **ApiManagement** [service tag](../articles/virtual-network/service-tags-overview.md). When the traffic is force tunneled, the responses won't symmetrically map back to these inbound source IPs and connectivity to the management endpoint is lost. To overcome this limitation, configure a user-defined route ([UDR][UDRs]) for the ApiManagement service tag with next hop type set to "Internet", to steer traffic back to Azure. 
     
-    > [!IMPORTANT]
-    > Control plane IP addresses should be configured for network access rules and routes only when needed in certain networking scenarios. We recommend using the ApiManagement service tag instead of control plane IP addresses to prevent downtime when infrastructure improvements necessitate IP address changes. 
-
     > [!NOTE]
     > Allowing API Management management traffic to bypass an on-premises firewall or network virtual appliance isn't considered a significant security risk. The [recommended configuration](../articles/api-management/virtual-network-reference.md#required-ports) for your API Management subnet allows inbound management traffic on port 3443 only from the set of Azure IP addresses encompassed by the ApiManagement service tag. The recommended UDR configuration is only for the return path of this Azure traffic.
 
