Unexpected GET calls received in API Management instance from Microsoft Datacenter IPs

Hello Anirban Roy Choudhury •,

If you're getting some unexpected GET calls to your API Management instance from Microsoft datacenter IPs, which sounds frustrating. Here’s a breakdown of what might be going on and how you can address it:

Understand the Source: GET requests from Microsoft datacenter IPs could be legitimate traffic, perhaps coming from Azure services or monitoring tools that interact with your API Management. However, if these calls are causing exceptions and noise, it’s important to identify their purpose.

IP Management: The IP addresses for Azure API Management instances may not always be static, especially if you are using tiers like Consumption or Basic, which run on a shared infrastructure. If your instance is set up in a public tier, it’s essential to check whether you need to allowlist the datacenter IPs to manage unauthorized access properly.

Check the Logs: You mentioned using Application Insights; ensure to analyze the logs for these requests to identify patterns regarding the frequency, origin, and nature of the payloads.

Mitigation Strategies:

• IP Allowlisting: If you determine that the calls are unnecessary, consider implementing IP restrictions. You can refer to the information on making rules with IP addresses to block unwanted traffic.
  • Firewall Rules: Utilize Azure Firewall or other network security groups to control incoming traffic effectively.
  Further Investigation: It’s also worthwhile to check if these requests correlate with any Azure services you're using, such as Logic Apps, Azure Functions, or Dynamics 365, which might automatically hit your API for operations.

Hello Anirban Roy Choudhury •,
Just following up to see if you had a chance to review my previous response and if you have any additional questions.

@Krishna Chowdary Paricharla, As said before, GET requests are from Microsoft datacenter IP's e.g. 51.104.42.110, 51.141.93.187 . Cloud role name in logs registered as - "apim-api-gw-prd UK West" . Cloud Role Instance - apim-api-gw-prd UK West. Sample exceptions below.

[{"severityLevel":"Error","outerId":"0","message":"Unable to match incoming request to an operation.","type":"OperationNotFound","id":"0","parsedStack":[{"method":"configuration","level":0,"line":0}]}]
[{"severityLevel":"Error","outerId":"0","message":"Client connection was unexpectedly closed.","type":"ClientConnectionFailure","id":"0","parsedStack":[{"method":"policy-configuration","level":0,"line":0}]}]

These exceptions are generated as only following operations are called on the APIM instance which doesn't match any API operations.
GET /

Also, how do I understand the source more when the cloud role instance is mentioned as API management. Or are you meaning these could be some other Azure services? If yes then how to determine that?

I don't want to put a filter on IP as this could add to the maintenance in future but I can actually try this if I can specifically restrict Microsoft datacenter IPs via APIM policies. Note that consumption tier doesn't support VNET integration. Can you point me in the right direction where i can find a sample policy for such IP restrictions?

Note that I couldn't observe any correlation with azure services. Let me know if i'm missing anything here.

Hello Anirban Roy Choudhury •,
Thank you for the details.

Source of GET Requests: The GET / requests from Microsoft datacenter IPs (e.g., 51.104.42.110, 51.141.93.187) are likely from Azure internal services such as health probes or platform diagnostics. Since you're on the Consumption tier, logs only show the APIM role instance (e.g., apim-api-gw-prd UK West), and not the exact Azure service source — this is expected behavior.

Understanding the Source: These requests originate from Microsoft-owned IPs, but it’s difficult to correlate with a specific service due to APIM's abstraction in the consumption model. You’re not missing anything — the platform doesn’t expose deeper correlation.

1. Recommendations:

• To reduce exception noise, configure a fallback operation for GET / in your API to handle such requests gracefully.
  • If you'd prefer to block such calls, you can use APIM policy to filter by IP. Sample below:

         <inbound>
        <choose>
            <when condition="@(context.Request.IpAddress == "51.104.42.110" || context.Request.IpAddress == "51.141.93.187")">
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                </return-response>
            </when>
        </choose>
        <base />
    

</inbound> ```

• Microsoft IP ranges can be referenced from: https://www.microsoft.com/en-us/download/details.aspx?id=56519

Thanks @Krishna Chowdary Paricharla for the quick response. Few more questions.

1. Currently API's are surfaced to APIM via function apps underneath. Do you mean to add just a root GET / endpoint within the function app to respond with 403 status code as above? Can this be done in the APIM itself without initiating any code changes on the FA? Or this root GET "/ " endpoint should be defined in APIM as a new API? Can you please provide the steps here clearly?
2. Looks like IP addresses are changing daily. So this approach will be difficult to manage. Is there way to restrict via APIM policies based on the URL path pattern?
3. Noticed method & outer methods in the logs are pointing towards "Configuration & Policy-Configuration" as shown below. What do these mean as I have a rate limit policy defined at the product level? Do i need to amend anything at the product level policies?