MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

With private endpoint enabled, egress is using public IP of APIM #90182

Closed drmiru closed 2 years ago

drmiru commented 2 years ago

Enabling private endpoint disables the vnet integration feature. Egress requests from API management are routed via the public IP address, where I'd expect the private endpoint's IP to be the source for egress traffic towards a private web app or private Azure Function.



SwathiDhanwada-MSFT commented 2 years ago

@drmiru Thanks for your comment. We will review the issue and get back to you shortly.

mundayn commented 2 years ago

@drmiru do the egress requests from the APIM route via the "Virtual IP (VIP) addresses" defined for the APIM instance? Or a random Azure assigned APIM IP range?

drmiru commented 2 years ago

> @drmiru do the egress requests from the APIM route via the "Virtual IP (VIP) addresses" defined for the APIM instance? Or a random Azure assigned APIM IP range?

As far as I observed it, the public VIP was the source of egress.

MayankBargali-MSFT commented 2 years ago

@drmiru I have checked with the product team and they confirmed that private endpoint will not work with vnet integration. Private endpoints are only for incoming calls and not for outgoing calls.

Limit incoming traffic only to private endpoints, preventing data exfiltration.
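A way to confirm this on your own instance: derive the source IPs a backend should expect from API Management and flag backend requests that do not come from them. This is an added example, not code from the thread or the Azure docs; it assumes the `az apim show -o json` field names virtualNetworkType, publicIpAddresses and privateIpAddresses, and the instance JSON and log lines are constructed samples.

```python
import ipaddress
import json
from typing import List

# Constructed sample shaped like `az apim show -o json` (field names assumed):
# a private endpoint is attached, but there is no VNet integration.
APIM_SHOW = json.dumps({
    "name": "apim-demo",
    "virtualNetworkType": "None",
    "publicIpAddresses": ["203.0.113.10"],
    "privateIpAddresses": None,
    "privateEndpointConnections": [{"name": "pe-inbound"}],
})

def egress_source_ips(apim_json: str) -> List[str]:
    """Return the IPs a backend will see as the source of APIM calls.

    A private endpoint only covers inbound traffic. Unless the instance is
    VNet-integrated (virtualNetworkType 'Internal' or 'External'), egress
    still leaves from the public VIP, whatever private endpoints exist.
    """
    inst = json.loads(apim_json)
    if inst.get("virtualNetworkType") in ("Internal", "External"):
        return list(inst.get("privateIpAddresses") or [])
    return list(inst.get("publicIpAddresses") or [])

# Constructed backend access log: "<client_ip> <method> <path> <status>"
BACKEND_LOG = """\
203.0.113.10 GET /api/orders 200
203.0.113.10 POST /api/orders 201
198.51.100.7 GET /api/orders 200
"""

def unexpected_callers(log: str, allowed_ips: List[str]) -> List[str]:
    """Return log lines whose source IP is not one of the APIM egress IPs."""
    allowed = {ipaddress.ip_address(ip) for ip in allowed_ips}
    flagged = []
    for line in log.splitlines():
        if not line.strip():
            continue
        src = ipaddress.ip_address(line.split()[0])
        if src not in allowed:
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    ips = egress_source_ips(APIM_SHOW)
    print("expected APIM source IPs:", ips)
    for line in unexpected_callers(BACKEND_LOG, ips):
        print("not from APIM:", line)
```

Run the same check against the real `az apim show` output and the backend's access logs to see whether anything other than the APIM public VIP is reaching a backend that had to stay publicly reachable.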

MayankBargali-MSFT commented 2 years ago

@drmiru Hope the above helps and clears things up. We will now proceed to close this thread. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.

pitinga commented 2 years ago

Sorry, but I don't understand how a private endpoint is useful without working with outgoing calls.

The APIM is private but the backend that the APIM calls must be public. What's the point?

I improve security by putting the APIM in a private context, but in the same solution, do I have to expose the backend with a public IP?

cveld commented 1 year ago

@MayankBargali-MSFT Is vnet integrated egress to be expected soon? Currently this private link feature is not adding any value for our use case. For now we have to fall back to custom domains in combination with the internal vnet deployment model.