Tags: azure, azure-api-management, policy, azure-front-door

Azure APIM IP Policy does not allow Azure Front End Door IP ranges


We are using Azure APIM to expose our API to various clients. However, we use IP restrictions so that only specific IP addresses can call our API.

Our main application (website) is now hosted on an Azure VM, and requests are being routed through Azure Front Door. Now, after enabling the IP policy, the requests are getting blocked by Azure APIM.

What do we check? We check our website's IP address and also add it to the IP policy XML.

However, if our website-hosted VM is restarted or stopped, we notice that the Azure Front Door IP address changes. It becomes very challenging for us to update IP ranges on a daily basis in the IP policy.

<!-- Add policies as children to the <inbound>, <outbound>, <backend>, and <on-error> elements -->
<policies>
    <!-- Throttle, authorize, validate, cache, or transform the requests -->
    <inbound>
        <base />
        <cors allow-credentials="false">
            <allowed-origins>
                <origin>*</origin>
            </allowed-origins>
            <allowed-methods>
                <method>*</method>
            </allowed-methods>
            .........................................
        </cors>
        <!-- Only the listed addresses and ranges may call the API; everything else is rejected -->
        <ip-filter action="allow">
            <address-range from="xx.xx.xx.xx" to="xxxx:xxx:bdf:0:0:0:0:xx" />
            <address-range from="xx.xx.xx.xx" to="xxxx:1ec:bdf::xx" />
            <address>xx.xx.xx.xx</address>
            <address>xx.xx.xx.xx</address>
            <address>xx.xx.xx.xx</address>
            <address>xx.xx.xx.xx</address>
        </ip-filter>
    </inbound>
</policies>

One solution could be to use an Azure Application Gateway behind Azure Front Door, since it has one static public IP, but that increases our budget and cost.

Any suggestions?


Solution

  • You could use a choose in combination with a when and otherwise. For your case it would look like this:

    <inbound>
        <base />
    
        ...
    
        <choose>
            <!-- Allow if the caller is one of the known client IPs, or if the request
                 came through our Front Door profile (identified by the X-Azure-FDID header) -->
            <when condition="@(
               context.Request.IpAddress == "{{IpAddress1}}" ||
               context.Request.IpAddress == "{{IpAddress2}}" ||
               context.Request.Headers.GetValueOrDefault("X-Azure-FDID", "") == "{{FrontDoorId}}")">
                <!-- Allow request to proceed -->
            </when>
            <otherwise>
                <!-- Neither condition matched: reject before the request reaches the backend -->
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                    <set-body>Access denied: IP or header not authorized.</set-body>
                </return-response>
            </otherwise>
        </choose>
    </inbound>
    

    All requests coming from Azure Front Door carry the X-Azure-FDID header, which you can use as a filter when the IP is not allowed. You need to change the following things in the example:

    Information about the header can be found here: https://learn.microsoft.com/en-us/azure/api-management/front-door-api-management#check-front-door-header
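As an added example (not the answerer's code and not from the Microsoft documentation), here is the same idea carried through into a complete policy document. The two checks are split into separate set-variable policies so that each can be read and tested on its own, and the CORS block from the question is kept. The named values {{FrontDoorId}}, {{AllowedClientIp1}} and {{AllowedClientIp2}} are assumed to be ones you create in APIM yourself. Note that the header comparison only proves that the request passed through a Front Door profile whose ID the policy knows; it should be paired with a network-level restriction so that traffic cannot reach APIM except through Front Door, otherwise anyone who learns the ID can supply the header.

```xml
<!-- Added example: complete APIM policy allowing fixed client IPs or requests
     routed through our Front Door profile. {{FrontDoorId}}, {{AllowedClientIp1}}
     and {{AllowedClientIp2}} are assumed named values, not values from the page. -->
<policies>
    <inbound>
        <base />
        <cors allow-credentials="false">
            <allowed-origins>
                <origin>*</origin>
            </allowed-origins>
            <allowed-methods>
                <method>*</method>
            </allowed-methods>
        </cors>
        <!-- Is the caller one of the fixed clients that connect to APIM directly?
             (When the call came through Front Door, IpAddress is a Front Door
             address, which is exactly why this check alone is not enough.) -->
        <set-variable name="isAllowedClientIp" value="@(
            context.Request.IpAddress == "{{AllowedClientIp1}}" ||
            context.Request.IpAddress == "{{AllowedClientIp2}}")" />
        <!-- Did the request arrive through our own Front Door profile?
             Front Door stamps every forwarded request with X-Azure-FDID;
             a missing header yields "" and therefore never matches. -->
        <set-variable name="isFromFrontDoor" value="@(
            context.Request.Headers.GetValueOrDefault("X-Azure-FDID", "") == "{{FrontDoorId}}")" />
        <choose>
            <when condition="@(context.Variables.GetValueOrDefault<bool>("isAllowedClientIp") ||
                               context.Variables.GetValueOrDefault<bool>("isFromFrontDoor"))">
                <!-- Request is trusted and continues to the backend. If the backend
                     needs the original client address, Front Door passes it in
                     X-Forwarded-For. -->
            </when>
            <otherwise>
                <!-- Reject before the backend is ever contacted -->
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>text/plain</value>
                    </set-header>
                    <set-body>Access denied: IP or header not authorized.</set-body>
                </return-response>
            </otherwise>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With this in place the ip-filter policy from the question is no longer needed for the website traffic, because the Front Door check replaces it; the fixed client addresses stay in the first variable, so only that list has to be edited when a direct client changes, and the Front Door ID is edited in one named value rather than in the policy body.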