In this article we describe how to retrieve the IP addresses of Azure API Management service. IP addresses can be public or private if the service is in a virtual network. You can use IP addresses to create firewall rules, filter the incoming traffic to the backend services, or restrict the outbound traffic.
20
+
This article describes how to retrieve the IP addresses of Azure API Management. IP addresses can be public or private if the service is in a virtual network. You can use IP addresses to create firewall rules, filter incoming traffic to backend services, or restrict outbound traffic.
19
21
20
22
## Public IP addresses
21
23
22
-
Every API Management service instance in Developer, Basic, Standard, or Premium tier has public IP addresses, which are exclusive only to that service instance (they are not shared with other resources).
24
+
Every API Management instance in Developer, Basic, Standard, or Premium tier has public IP addresses that are exclusive only to that instance. (They're not shared with other resources.)
23
25
24
-
You can retrieve the IP addresses from the overview dashboard of your resource in the Azure portal.
26
+
You can retrieve the IP addresses from the overview dashboard of your resource in the Azure portal:
25
27
26
-

28
+
:::image type="content" source="media/api-management-howto-ip-addresses/public-ip.png" alt-text="Screenshot that shows an IP address in API Management." lightbox="media/api-management-howto-ip-addresses/public-ip.png":::
27
29
28
-
You can also fetch them programmatically with the following API call:
30
+
You can also fetch them programmatically by using this API call:
29
31
30
-
```
32
+
```json
31
33
GET https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=<api-version>
32
34
```
33
35
34
-
Public IP addresses will be part of the response:
36
+
Public IP addresses will appear in the response:
35
37
36
38
```json
37
39
{
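Review bot: The `json` language tag added to the fence around the request is wrong for its content, because the block holds an HTTP request line (`GET https://management.azure.com/...`), not JSON. Tag it `http` or leave it untagged, and keep `json` for the response block that follows. Two smaller wording points in the same hunk: "exclusive only to that instance" is redundant ("exclusive to that instance" says the same thing), and "Public IP addresses will appear in the response" can be present tense ("appear in the response").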
@@ -49,17 +51,17 @@ Public IP addresses will be part of the response:
49
51
50
52
In [multi-regional deployments](api-management-howto-deploy-multi-region.md), each regional deployment has one public IP address.
51
53
52
-
## IP addresses of API Management service in VNet
54
+
## IP addresses of API Management in a virtual network
53
55
54
-
If your API Management service is inside a virtual network, it will have two types of IP addresses: public and private.
56
+
If your API Management instance is inside a virtual network, it has two types of IP addresses: public and private.
55
57
56
-
* Public IP addresses are used for internal communication on port `3443` - for managing configuration (for example, through Azure Resource Manager). In the *external*VNet configuration, they are also used for runtime API traffic. In the *internal*VNet configuration, public IP addresses are only used for Azure internal management operations and don't expose your instance to the internet.
58
+
* Public IP addresses are used for internal communication, on port `3443`, for managing configuration (for example, through Azure Resource Manager). In the *external*virtual network configuration, they're also used for runtime API traffic. In the *internal*virtual network configuration, public IP addresses are used only for Azure internal management operations and don't expose your instance to the internet.
57
59
58
-
* Private virtual IP (VIP) addresses, available **only** in the [internal VNet mode](api-management-using-with-internal-vnet.md), are used to connect from within the network to API Management endpoints - gateways, the developer portal, and the management plane for direct API access. You can use them for setting up DNS records within the network.
60
+
* Private virtual IP (VIP) addresses, available only in [internal virtual network mode](api-management-using-with-internal-vnet.md), are used to connect from within the network to API Management endpoints: gateways, the developer portal, and the management plane for direct API access. You can use these addresses for setting up DNS records within the network.
59
61
60
-
You will see addresses of both types in the Azure portal and in the response of the API call:
62
+
You'll see addresses of both types in the Azure portal and in the response of an API call:
61
63
62
-

64
+
:::image type="content" source="media/api-management-howto-ip-addresses/vnet-ip.png" alt-text="Screenshot that shows a VIP address in API Management." lightbox="media/api-management-howto-ip-addresses/vnet-ip.png":::
63
65
64
66
65
67
```json
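Review bot: In the sentence introducing the screenshot and response, changing "the response of the API call" to "the response of an API call" loses the link to the specific GET request on the service resource shown earlier in the article. A reader could take it to mean any API Management call. Suggest "in the response of the preceding API call", or restate the request so the reference is unambiguous.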
@@ -82,24 +84,23 @@ GET https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/
82
84
```
83
85
84
86
> [!IMPORTANT]
85
-
> The private IP addresses of internal load balancer and API Management units are assigned dynamically. Therefore, it is impossible to anticipate the private IP of the API Management instance prior to its deployment. Additionally, changing to a different subnet and then returning may cause a change in the private IP address.
86
-
87
+
> The private IP addresses of internal load balancer and API Management units are assigned dynamically. It's therefore impossible to anticipate the private IP of the API Management instance before its deployment. Additionally, changing to a different subnet and then returning might cause a change in the private IP address.
87
88
88
89
### IP addresses for outbound traffic
89
90
90
-
API Management uses a public IP address for a connection outside the VNet or a peered VNet, and it uses a private IP address for a connection in the VNet or a peered VNet.
91
+
API Management uses a public IP address for a connection outside the virtual network or a peered virtual network. It uses a private IP address for a connection in the virtual network or a peered virtual network.
91
92
92
-
* When API Management is deployed in an external or internal virtual network and API Management connects to private (intranet-facing) backends, internal IP addresses (dynamic IP, or DIP addresses) from the subnet are used for the runtime API traffic. When a request is sent from API Management to a private backend, a private IP address will be visible as the origin of the request.
93
+
* When API Management is deployed in an external or internal virtual network and API Management connects to private (intranet-facing) backends, internal IP addresses (dynamic IP, or DIP, addresses) from the subnet are used for the runtime API traffic. When a request is sent from API Management to a private backend, a private IP address will be visible as the origin of the request.
93
94
94
-
Therefore, if IP restriction lists secure resources within the VNet or a peered VNet, it is recommended to use the whole API Management [subnet range](virtual-network-injection-resources.md#subnet-size) with an IP rule - and (in internal mode) not just the private IP address associated with the API Management resource.
95
+
Therefore, if IP restriction lists secure resources within the virtual network or a peered virtual network, we recommend that you use the whole API Management [subnet range](virtual-network-injection-resources.md#subnet-size) with an IP rule and (in internal mode) not just the private IP address associated with the API Management resource.
95
96
96
97
* When a request is sent from API Management to a public (internet-facing) backend, a public IP address will always be visible as the origin of the request.
97
98
98
-
## IP addresses of Consumption, Basic v2, Standard v2, and Premium v2 tier API Management service
99
+
## IP addresses of Consumption, Basic v2, Standard v2, and Premium v2 tier API Management instances
99
100
100
101
If your API Management instance is created in a service tier that runs on a shared infrastructure, it doesn't have a dedicated IP address. Currently, instances in the following service tiers run on a shared infrastructure and without a deterministic IP address: Consumption, Basic v2, Standard v2, Premium v2.
101
102
102
-
If you need to add the outbound IP addresses used by your Consumption, Basic v2, Standard v2, or Premium v2 tier instance to an allowlist, you can add the instance's data center (Azure region) to an allowlist. You can [download a JSON file that lists IP addresses for all Azure data centers](https://www.microsoft.com/download/details.aspx?id=56519). Then find the JSON fragment that applies to the region that your instance runs in.
103
+
If you need to add the outbound IP addresses used by your Consumption, Basic v2, Standard v2, or Premium v2 tier instance to an allowlist, you can add the instance's datacenter (Azure region) to an allowlist. You can [download a JSON file that lists IP addresses for all Azure datacenters](https://www.microsoft.com/download/details.aspx?id=56519). Then find the JSON fragment that applies to the region that your instance runs in.
103
104
104
105
For example, the following JSON fragment is what the allowlist for Western Europe might look like:
105
106
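Review bot: The rewritten recommendation under "IP addresses for outbound traffic" now reads "with an IP rule and (in internal mode) not just the private IP address", and removing the dash makes it hard to tell what "and ... not just" attaches to. This sentence tells readers how to build IP restriction lists, and the bullet above it says DIP addresses from the subnet are the visible origin of requests, so it needs to be unambiguous. Suggest splitting it: "we recommend that you use the whole API Management subnet range in the IP rule. In internal mode, don't use only the private IP address associated with the API Management resource."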
@@ -116,7 +117,6 @@ For example, the following JSON fragment is what the allowlist for Western Europ
116
117
"13.69.0.0/17",
117
118
"13.73.128.0/18",
118
119
... Some IP addresses not shown here
119
-
"213.199.180.192/27",
120
120
"213.199.183.0/24"
121
121
]
122
122
}
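Review bot: Deleting `"213.199.180.192/27",` from the sample fragment is a content change, unlike the wording edits in the other hunks, and nothing in the visible lines explains it. If the range was dropped because it is no longer in the downloaded file, say so in the commit description. Otherwise restore it, since the example already marks omitted entries with "... Some IP addresses not shown here".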
@@ -125,15 +125,15 @@ For example, the following JSON fragment is what the allowlist for Western Europ
125
125
126
126
For information about when this file is updated and when the IP addresses change, expand the **Details** section of the [Download Center page](https://www.microsoft.com/en-us/download/details.aspx?id=56519).
127
127
128
-
## Changes to the IP addresses
128
+
## Changes to IP addresses
129
129
130
-
In the Developer, Basic, Standard, and Premium tiers of API Management, the public IP address or addresses (VIP) and private VIP addresses (if configured in the internal VNet mode) are static for the lifetime of a service, with the following exceptions:
130
+
In the Developer, Basic, Standard, and Premium tiers of API Management, the public IP address or addresses (VIP) and private VIP addresses (if configured in the internal virtual network mode) are static for the lifetime of a service, with the following exceptions:
131
131
132
-
* The API Management service is deleted and then re-created.
133
-
* The service subscription is disabled or warned (for example, for nonpayment) and then reinstated. [Learn more about subscription states](/azure/cost-management-billing/manage/subscription-states)
132
+
* The API Management is deleted and then re-created.
133
+
* The service subscription is disabled or warned (for example, for nonpayment) and then reinstated. [Learn more about subscription states.](/azure/cost-management-billing/manage/subscription-states)
134
134
* (Developer and Premium tiers) Azure Virtual Network is added to or removed from the service.
135
-
* (Developer and Premium tiers) API Management service is switched between external and internal VNet deployment mode.
136
-
* (Developer and Premium tiers) API Management service is moved to a different subnet or configured with a different public IP address resource.
135
+
* (Developer and Premium tiers) API Management is switched between external and internal virtual network deployment mode.
136
+
* (Developer and Premium tiers) API Management is moved to a different subnet or configured with a different public IP address resource.
137
137
* (Premium tier) [Availability zones](../reliability/migrate-api-mgt.md) are enabled, added, or removed.
138
138
* (Premium tier) In [multi-regional deployments](api-management-howto-deploy-multi-region.md), the regional IP address changes if a region is vacated and then reinstated.
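Review bot: Dropping "service" in the exceptions list leaves "The API Management is deleted and then re-created.", which is ungrammatical. The same edit makes "API Management is switched between external and internal virtual network deployment mode" and "API Management is moved to a different subnet" read as if the product, not one deployment, is being changed. Use "The API Management instance is deleted and then re-created." and "the API Management instance" in the other two bullets, matching the "instance" wording introduced elsewhere in this patch.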