azure, azure-api-management

How to explain inconsistent API Management IP address of forwarded requests?


I have:

I turn on traffic rules for the Function App with the following rules:

The results of this:

x-ms-forbidden-ip error header

After this I update the traffic rules on the Function App with a Service Tag:

This, of course, now allows that traffic from Power Automate HTTP actions.

My question is - what is APIM doing internally for the Function App to see a different IP for each request source?

I have tried reviewing documentation and like this and using different traffic rules, but cannot find any new information or documentation to explain the behaviour.


Solution

  • My question is - what is APIM doing internally for the Function App to see a different IP for each request source?

    Azure API Management (APIM) forwards requests based on the original source and does not always use its static outbound IP. This is due to APIM’s forwarding behavior, which can make the Function App see different IPs.

    APIM may use its own outbound IP if no authentication policies enforce the original client’s identity, and when the backend doesn’t need the original client’s IP.

    APIM policy:

    <policies>
        <inbound>
            <base />
            <set-header name="X-Forwarded-For" exists-action="override">
                <value>@(context.Request.IpAddress)</value>
            </set-header>
        </inbound>
    </policies>
    

    Refer to this doc to learn about API Management policy.
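
A backend that reads the `X-Forwarded-For` header set by the policy above should use it only when the connection itself arrives from the gateway, because any other caller can send the same header. The following is an added example, not part of the original answer: `resolve_client_ip` and `TRUSTED_PROXIES` are hypothetical names, and the gateway address is a constructed placeholder from a documentation range.

```python
import ipaddress

# Constructed placeholder standing in for the APIM instance's outbound address(es).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]


def _parse_hop(hop):
    """Parse one X-Forwarded-For entry: 'ip', 'ipv4:port' or '[ipv6]:port'."""
    hop = hop.strip()
    if hop.startswith("["):              # e.g. [2001:db8::1]:443
        hop = hop[1:hop.index("]")]      # ValueError if the bracket is never closed
    elif hop.count(":") == 1:            # e.g. 198.51.100.7:51234
        hop = hop.split(":")[0]
    return ipaddress.ip_address(hop)     # ValueError on anything that is not an IP


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def resolve_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to use for allow-list decisions and logging.

    peer_ip is the address of the TCP peer; xff_header is the raw header value.
    """
    peer = ipaddress.ip_address(peer_ip)
    # The header means nothing unless the direct peer is a proxy we control.
    if not xff_header or not _is_trusted(peer, trusted):
        return str(peer)
    # Walk right to left: the rightmost entries were added by the hops nearest to us,
    # so anything left of the first untrusted address is client-supplied and ignored.
    candidate = peer
    for hop in reversed(xff_header.split(",")):
        try:
            addr = _parse_hop(hop)
        except ValueError:
            break                        # malformed entry: keep the last verified hop
        candidate = addr
        if not _is_trusted(addr, trusted):
            break
    return str(candidate)
```
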