Secure your API with IP Filtering in Azure API Management
IP filtering is a security feature of Azure API Management that lets you restrict which source IP addresses or address ranges may call your APIs. Requests from anywhere else are rejected at the gateway and never reach your backend, which makes it a cheap first line of defence in front of authentication, authorization and rate limiting.
What is IP Filtering?
IP filtering in API Management is implemented by the ip-filter policy, so it runs in the gateway's request pipeline rather than at the network layer. The gateway takes the source IP address of the connection (exposed to policies as context.Request.IpAddress) and compares it with the addresses and ranges listed in the policy. With action="allow" the request is rejected unless the address matches an entry; with action="forbid" it is rejected when it does match. A rejected request receives an HTTP 403 Forbidden response. Because the check uses the address the connection arrived from, a reverse proxy, load balancer or CDN placed in front of the gateway will appear as the caller; the policy does not read X-Forwarded-For or similar headers.
How to Configure IP Filtering
IP filtering can be configured at different scopes within API Management:
- Global: Affects all APIs within the API Management instance.
- Product: Affects all APIs within a specific product.
- API: Affects a specific API.
- Operation: Affects a specific operation within an API.
The most common and recommended approach is to attach the filter at the API or product level. Because the filter is a policy, it is edited wherever policies for that scope are edited. Here's how in the Azure portal:
- Navigate to your Azure API Management instance in the Azure portal.
- Pick the scope:
- Global: select APIs, then All APIs.
- API: select APIs, then the API.
- Operation: select the API, then the operation in its design view.
- Product: select Products, then the product, then Policies.
- Under Inbound processing, open the policy code editor (or use Add policy and choose the IP filter snippet). Add an ip-filter element inside the inbound section, after the base element so that policies inherited from wider scopes still run.
- Set action to allow (only the listed addresses may call) or forbid (the listed addresses are blocked).
- List each entry. A single address such as 192.168.1.100 goes in an address element. A contiguous block such as 192.168.1.0/24 goes in an address-range element with from="192.168.1.0" and to="192.168.1.255"; the policy takes explicit endpoints, not CIDR notation. IPv6 addresses are also supported.
- Save the policy. It applies to subsequent requests at that scope.
- Repeat at other scopes as needed, and put an XML comment next to each entry explaining why it is there.
- Check the effect: with no ip-filter policy, all addresses are allowed. As soon as you save a filter with action="allow", only the listed addresses pass; a filter with action="forbid" blocks only what it lists and lets everything else through.
Using CIDR Notation
CIDR (Classless Inter-Domain Routing) notation is a compact way to write a contiguous range of addresses; the number after the slash is how many leading bits are fixed. For example:
- 10.0.0.0/8 represents all addresses from 10.0.0.0 to 10.255.255.255.
- 192.168.1.0/24 represents all addresses from 192.168.1.0 to 192.168.1.255.
The ip-filter policy does not accept CIDR notation directly: a block is written as an address-range element whose from attribute is the first address of the block and whose to attribute is the last one (for IPv4, the broadcast address). The same conversion applies to IPv6 blocks. A /32 (or /128) block is a single host and is written as a plain address element.
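The two things a practitioner ends up doing by hand above, turning CIDR blocks into the from/to pairs the policy wants and reasoning about what an allow list plus a forbid list will actually reject, are easy to get wrong. The following added example (my own code, not part of Azure or of the original page) renders ip-filter elements from a mixed list of addresses and CIDR blocks, and simulates the gateway's decision for a given request. The filter lists, the request addresses and the proxy scenario are constructed for illustration; the simulation mirrors the documented semantics (allow rejects non-matches, forbid rejects matches, only the connection's source address is consulted) and is not the gateway's own implementation.

```python
import ipaddress

# Added example (not APIM's own code): render <ip-filter> elements from a
# mixed list of single addresses and CIDR blocks, and simulate how the
# gateway evaluates them for a request.


def cidr_to_range(cidr: str) -> tuple[str, str]:
    """Translate a CIDR block into the inclusive from/to pair that the
    <address-range> element expects (the policy does not accept CIDR)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def ip_filter_element(action: str, entries: list[str]) -> str:
    """Render one <ip-filter> element. Entries may be single IPs
    (IPv4 or IPv6) or CIDR blocks; blocks become <address-range>."""
    if action not in ("allow", "forbid"):
        raise ValueError("action must be 'allow' or 'forbid'")
    lines = [f'<ip-filter action="{action}">']
    for entry in entries:
        if "/" in entry:
            lo, hi = cidr_to_range(entry)
            if lo == hi:                       # a /32 or /128 is one host
                lines.append(f"    <address>{lo}</address>")
            else:
                lines.append(f'    <address-range from="{lo}" to="{hi}" />')
        else:
            ipaddress.ip_address(entry)        # raises on a malformed address
            lines.append(f"    <address>{entry}</address>")
    lines.append("</ip-filter>")
    return "\n".join(lines)


def _matches(entry: str, ip) -> bool:
    """True if the parsed address is the entry or falls inside the block.
    Comparisons across IP versions are always False."""
    if "/" in entry:
        return ip in ipaddress.ip_network(entry, strict=False)
    return ip == ipaddress.ip_address(entry)


def gateway_decision(filters: list[tuple[str, list[str]]], request: dict) -> int:
    """Simulated gateway: filters run in order and the first one that rejects
    wins. The decision uses only the connection's source address
    (context.Request.IpAddress); request["headers"] is deliberately ignored
    because the real policy does not read X-Forwarded-For either."""
    ip = ipaddress.ip_address(request["source_ip"])
    for action, entries in filters:
        hit = any(_matches(e, ip) for e in entries)
        if action == "allow" and not hit:
            return 403
        if action == "forbid" and hit:
            return 403
    return 200


if __name__ == "__main__":
    # Constructed sample: allow a partner host and an office block, then
    # forbid one misbehaving host inside that block.
    FILTERS = [("allow", ["203.0.113.7", "192.168.1.0/24"]),
               ("forbid", ["192.168.1.50"])]
    for action, entries in FILTERS:
        print(ip_filter_element(action, entries))
    # A request relayed by a proxy at 198.51.100.9 is judged on the proxy's
    # address even though X-Forwarded-For names an allowed client.
    print(gateway_decision(FILTERS, {"source_ip": "198.51.100.9",
                                     "headers": {"X-Forwarded-For": "192.168.1.10"}}))
```

Paste the rendered elements into the inbound section of the policy, after base. The proxy case in the last call is the one that surprises people: the forwarded header is irrelevant to the filter, so an allow list that names end clients will reject everything once a proxy is placed in front of the gateway.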
Testing Your IP Filter
After saving the policy, test it from both sides of the boundary:
- Call the API from an allowed address and confirm you get a normal response.
- Call it from an address that is not listed (or is on the forbid list). The gateway should answer 403 Forbidden, and your backend logs should show no request for that call.
Run the second test along the real path your clients use. If a proxy, CDN or Front Door sits in front of the gateway, its address is what the filter sees, and a test from your workstation straight to the gateway will not tell you what production traffic experiences.
IP Filtering via Management API or ARM Templates
For automated deployments and infrastructure as code, the policy is just another resource, so you can set it with:
- Azure Resource Manager or Bicep templates: a Microsoft.ApiManagement/service/policies resource for the global scope, Microsoft.ApiManagement/service/apis/policies for an API, Microsoft.ApiManagement/service/apis/operations/policies for an operation or Microsoft.ApiManagement/service/products/policies for a product, each with the child name policy and the policy XML in properties.value.
- Azure PowerShell: Set-AzApiManagementPolicy, where -ApiId, -ProductId or -OperationId selects the scope and -Policy or -PolicyFilePath supplies the XML. The Azure CLI has no dedicated policy command, but az rest can call the REST endpoint below.
- Azure API Management REST API: a PUT to the same policies/policy resource path, which is convenient from CI/CD pipelines.
Here's an example of the ARM resource that sets the policy for one API. The policy document goes in properties.value; format "rawxml" means the value is the literal policy XML (xml, xml-link and rawxml-link are the other accepted formats, the -link variants pointing to a URL). Note that the inbound section keeps base so that global and product policies still run:
{
  "type": "Microsoft.ApiManagement/service/apis/policies",
  "apiVersion": "2022-08-01",
  "name": "[format('{0}/{1}/policy', parameters('apimName'), parameters('apiName'))]",
  "properties": {
    "format": "rawxml",
    "value": "<policies><inbound><base /><ip-filter action=\"allow\"><address-range from=\"192.168.1.0\" to=\"192.168.1.255\" /></ip-filter></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>"
  }
}
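When the policy is deployed from a pipeline rather than typed into the portal editor, nobody sees the XML before it goes live, so it is worth checking it first. The following added example (my own code, not Azure's and not from the original page) carries a constructed policy document in the full shape the gateway expects, checks it for the mistakes that most often slip through a text edit (malformed XML, a missing base element, CIDR notation inside an address element, a reversed or mixed-version range), and then packages it as the ARM resource and as the equivalent REST PUT. The subscription, resource group, service and API names are placeholders.

```python
import ipaddress
import json
import xml.etree.ElementTree as ET

# Added example (not Azure's code). A constructed policy document in the full
# <policies> shape the gateway expects, plus pre-deployment checks.
POLICY_XML = """<policies>
  <inbound>
    <base />
    <ip-filter action="allow">
      <address>203.0.113.7</address>
      <address-range from="192.168.1.0" to="192.168.1.255" />
    </ip-filter>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>"""


def validate_policy(policy_xml: str) -> list[str]:
    """Return the problems found; an empty list means the document passed."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "policies":
        problems.append("root element must be <policies>")
    inbound = root.find("inbound")
    if inbound is None:
        return problems + ["no <inbound> section"]
    if inbound.find("base") is None:
        # Without <base /> the policies inherited from the parent scope
        # (global or product) silently stop running at this scope.
        problems.append("<inbound> lacks <base />; parent-scope policies would not run")
    filters = inbound.findall("ip-filter")
    if not filters:
        problems.append("no <ip-filter> in <inbound>")
    for f in filters:
        if f.get("action") not in ("allow", "forbid"):
            problems.append(f"ip-filter action must be allow or forbid, got {f.get('action')!r}")
        for addr in f.findall("address"):
            text = (addr.text or "").strip()
            try:
                ipaddress.ip_address(text)       # rejects CIDR such as 10.0.0.0/8
            except ValueError:
                problems.append(f"<address> is not a single IP address: {text!r}")
        for rng in f.findall("address-range"):
            lo, hi = rng.get("from", ""), rng.get("to", "")
            try:
                lo_ip, hi_ip = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            except ValueError:
                problems.append(f"<address-range> has a bad from/to: {lo!r}..{hi!r}")
                continue
            if lo_ip.version != hi_ip.version:
                problems.append(f"<address-range> mixes IP versions: {lo}..{hi}")
            elif lo_ip > hi_ip:
                problems.append(f"<address-range> from is above to: {lo}..{hi}")
    return problems


def arm_policy_resource(apim_name: str, api_name: str, policy_xml: str) -> dict:
    """ARM resource for an API-scope policy. The child resource is always
    named 'policy'; 'rawxml' means the value is the literal policy XML."""
    return {
        "type": "Microsoft.ApiManagement/service/apis/policies",
        "apiVersion": "2022-08-01",
        "name": f"{apim_name}/{api_name}/policy",
        "properties": {"format": "rawxml", "value": policy_xml},
    }


def rest_put(subscription: str, resource_group: str, apim_name: str,
             api_name: str, policy_xml: str) -> tuple[str, str, str]:
    """Method, URL and JSON body of the equivalent REST call (usable with
    az rest or a pipeline task). All names here are placeholders."""
    url = ("https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
           "/providers/Microsoft.ApiManagement/service/{svc}/apis/{api}"
           "/policies/policy?api-version=2022-08-01").format(
               sub=subscription, rg=resource_group, svc=apim_name, api=api_name)
    body = json.dumps({"properties": {"format": "rawxml", "value": policy_xml}})
    return "PUT", url, body


if __name__ == "__main__":
    problems = validate_policy(POLICY_XML)
    if problems:
        raise SystemExit("\n".join(problems))
    print(json.dumps(arm_policy_resource("contoso-apim", "orders-api", POLICY_XML), indent=2))
```

Run validate_policy as a pipeline gate before the deployment step; the base check in particular catches the common case where an API-level policy quietly disables a global filter or rate limit.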
Best Practices
- Principle of Least Privilege: allow only the addresses that must reach the API, and prefer a short allow list to a long forbid list; a forbid list only stops what you already know about.
- Regular Review: office ranges, cloud egress addresses and partner networks change. Review the entries periodically and remove any whose owner can no longer be identified.
- Use Address Ranges: for a contiguous block, one address-range element is easier to maintain than a list of individual addresses; convert each CIDR block to its first and last address when you write the policy.
- Document Your Rules: the policy XML accepts comments, so record the owner and the reason next to each entry.
- Combine with Other Security Measures: an IP address identifies a network, not a caller. Addresses behind NAT or shared cloud egress are used by many clients, and anything placed in front of the gateway (proxy, CDN, Front Door) replaces the caller's address with its own. Keep subscription keys, token validation (validate-jwt), rate limiting and, for internal-only APIs, a virtual network or private endpoint in place alongside the filter.
By implementing IP filtering, you add an inexpensive layer of defence to your Azure API Management deployment; combined with the controls above it materially improves the security posture of your APIs.