Tip: APIM self-hosted gateway in K8s and ip-filter policies

If you host the Azure API Management self-hosted gateway in Kubernetes, pay attention to the default deployment script that the Azure Portal proposes.

This deployment creates a K8s service of type LoadBalancer, whose traffic is source NAT’d by default. With that config the ip-filter policy in APIM is totally useless, since the original source IP of the intermediate calling service (say Azure Application Gateway or Front Door) is lost. The original IP is still retrievable from the X-Forwarded-For HTTP header, but if you want to make sure your gateway is proxied by a WAF, you have no way to control it other than with an ip-filter policy.

This behavior is well described in the K8s doc https://kubernetes.io/docs/tutorials/services/source-ip/, so if you want to keep using the ip-filter policy with your APIM self-hosted gateway, one possibility is to add externalTrafficPolicy: Local to the default proposed service definition; this preserves the source IP of the caller.

Note that, as explained here https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/, this setting has an impact on the way traffic is load balanced, so you should decide accordingly.
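The Service manifest with that change applied, as an added example rather than the portal-generated script. The Deployment label app: apim-gateway and the container ports 8080 (HTTP) and 8081 (HTTPS) are assumptions, not values from the post.

```yaml
# Added example (not the Azure Portal's generated manifest): a LoadBalancer
# Service for the APIM self-hosted gateway that preserves the caller's IP.
# Assumptions: the gateway Deployment carries the label app: apim-gateway and
# its container listens on 8080 (HTTP) and 8081 (HTTPS).
apiVersion: v1
kind: Service
metadata:
  name: apim-gateway
spec:
  type: LoadBalancer
  # The portal default leaves this unset, which means Cluster: kube-proxy may
  # forward the packet to a pod on another node and source-NATs it on the way,
  # so the gateway pod sees a node IP and <ip-filter> never matches the WAF.
  # Local keeps the packet on the node that received it, without SNAT, so the
  # real source IP reaches the pod. Nodes without a ready gateway pod fail the
  # load balancer health check, so only nodes running the gateway get traffic.
  externalTrafficPolicy: Local
  selector:
    app: apim-gateway
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8081
```

With this in place an APIM ip-filter policy allowing only the WAF's outbound address matches the real caller; the trade-off, as the post notes, is that traffic is no longer spread evenly across nodes, so schedule a gateway pod on every node that should receive it.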

About Stephane Eyskens

Office 365, Azure PaaS and SharePoint platform expert
This entry was posted in Azure.
