Recently I was implementing an API with Azure APIM that would be consumed by Logic Apps running on an Integration Service Environment (ISE). I wanted to add an IP restriction so that my API would only accept calls from my Logic Apps ISE. With ISE you have a dedicated environment with your own reserved compute, separate from the public consumption Logic Apps environment, and you get your own static IP range too. This lets me use the ISE's IP addresses in an APIM IP restriction that limits access to my API to just the ISE.

Open your ISE, go to the properties page, and look at the runtime outgoing IP addresses section, where you will see a range of IP addresses.

You will need the list of IP addresses shown there. You seem to get a single IP address and then a CIDR range. You can use a tool like the one at this link to get the first and last IP address in that range: https://www.ipaddressguide.com/cidr

Now you should have a single IP address and a range of IP addresses. Go to your APIM policy and add the filter as in the policy example below.

<policies>
    <inbound>
        <ip-filter action="allow">
            <address-range from="[ISE RANGE START ADDRESS]" to="[ISE RANGE END ADDRESS]" />
            <address>[ISE SINGLE ADDRESS]</address>
        </ip-filter>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

That’s it. With that policy in place, access to your API is restricted to calls whose source IP address belongs to your ISE.
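The CIDR-to-range step above can also be done offline instead of through a web tool. The following Python sketch is an added example, not part of the original post: it converts a list of ISE outgoing IP entries into the `ip-filter` block used in the policy. The function names and the sample addresses (taken from the RFC 5737 documentation ranges) are assumptions for illustration.

```python
import ipaddress


def cidr_bounds(cidr):
    """Return (first, last) IPv4 address of a CIDR block as strings.

    strict=False normalises an entry with host bits set (for example
    198.51.100.20/28) to its enclosing network, as an online CIDR tool would.
    """
    net = ipaddress.IPv4Network(cidr.strip(), strict=False)
    return str(net[0]), str(net[-1])


def build_ip_filter(entries):
    """Build an APIM <ip-filter> allow block from ISE outgoing IP entries.

    Each entry is a single address ("203.0.113.10") or a CIDR block
    ("198.51.100.16/28"). A malformed entry raises ValueError, so a typo
    is caught here rather than ending up in the policy.
    """
    lines = ['<ip-filter action="allow">']
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if "/" in entry:
            first, last = cidr_bounds(entry)
            if first == last:  # a /32 is a single address, not a range
                lines.append(f"    <address>{first}</address>")
            else:
                lines.append(f'    <address-range from="{first}" to="{last}" />')
        else:
            addr = ipaddress.IPv4Address(entry)  # validates the literal
            lines.append(f"    <address>{addr}</address>")
    if len(lines) == 1:
        raise ValueError("no addresses supplied; refusing to emit an empty filter")
    lines.append("</ip-filter>")
    return "\n".join(lines)


# Constructed sample values (RFC 5737 documentation ranges), not real ISE addresses.
SAMPLE_ISE_OUTGOING = ["203.0.113.10", "198.51.100.16/28"]

if __name__ == "__main__":
    print(build_ip_filter(SAMPLE_ISE_OUTGOING))
```

Paste the printed block into the `<inbound>` section of the policy in place of the hand-written `ip-filter`, and regenerate it whenever the ISE's outgoing address list changes.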
