Share via

I'm working on restricting access to APIM based on incoming IP addresses

Steven S 20 Reputation points
2025-05-06T20:35:51.6033333+00:00

I'm trying to restrict access to an APIM instance based on incoming IP addresses. From what I've found, the recommended approach is to use APIM Premium V2 with VNet injection, which would allow me to apply Network Security Groups (NSGs) to control traffic. However, this requires upgrading to the Premium V2 tier -and it appears that existing APIM instances cannot be upgraded directly.

When I attempted to create a new APIM instance using the Premium V2 tier, I encountered a gatekeeping process requiring a request form to be submitted for access. I've submitted this form multiple times, but haven't received any response or acknowledgment

How can I gain access to the Premium V2 preview? And alternatively, is there any way to lock down APIM by IP address without requiring the Premium V2 tier?

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,385 questions
Accepted answer
  1. Ranashekar Guda 1,360 Reputation points Microsoft External Staff
    2025-05-06T22:04:24.3966667+00:00

    Hello @Steven S,
    To gain access to the Premium V2 tier of Azure API Management (APIM), you need to fill out the request form provided by Microsoft, as it is currently in limited preview. If you have submitted the form multiple times without receiving a response, it may be beneficial to check if there are any specific requirements or follow-up actions needed on your part.

    Regarding your second question about restricting access to APIM by IP address without upgrading to the Premium V2 tier, the Standard v2 tier supports virtual network integration, which allows your API Management instance to reach API backends that are isolated in a single connected virtual network. It does not provide the same level of control over inbound and outbound traffic as the Premium V2 tier with VNet injection. While you can implement some security measures, the options may be limited compared to what is available in the Premium V2 tier.
    Kindly refer below links:

    I hope this helps resolve your issue. Feel free to reach out if you have further concerns.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Johnny 110 Reputation points
    2025-05-06T21:50:44.4266667+00:00

    You're right that APIM Premium V2 with VNet injection is the recommended approach for restricting access via Network Security Groups. However, since upgrading an existing APIM instance to Premium V2 isn't possible, let's explore alternative options:

    How to Gain Access to Premium V2 Preview

    • The Premium V2 tier is currently in limited preview, and access is granted through a request form. Since you've submitted multiple requests without a response, you might try:
    • Checking your email spam/junk folder for any missed communications.
    • Reaching out to Microsoft Support directly via Azure Support to inquire about status

    Alternative Ways to Restrict APIM by IP Address (Without Premium V2)

    If upgrading to Premium V2 isn't an option, here are some alternative methods to restrict access:

    1. Azure Application GatewayDeploy Azure Application Gateway in front of your APIM instance. It supports Web Application Firewall rules, allowing you to restrict access based on IP addresses
    2. Azure Front DoorUse Azure Front Door to filter incoming traffic. It provides IP-based access control and global load balancing
    3. APIM’s Built-in IP FilteringAPIM allows IP filtering at the API level. You can configure IP restrictions directly within APIM policies
    4. Firewall RulesIf your APIM instance has a public IP, you can create firewall rules to allow only specific IPs

    Each of these approaches has trade-offs, but they can help secure your APIM instance without requiring or waiting to get access to Premium V2.

    1 person found this answer helpful.
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.