APIM StandardV2/PremiumV2 IP not in ApiManagement service tag - 403 errors

Hi @Shemesh, Tchelet ,

Thanks for reaching out to Microsoft Q&A.

The ApiManagement tag only covers the control-plane endpoints (management/portal) and doesn’t include the data-plane SNAT egress IPs that Standard V2 and Premium V2 use when they call your back end. That’s why the IP isn’t in the ApiManagement (or ApiManagement.EastUS2) ranges.

Are Standard V2 IPs supposed to be in the ApiManagement service tag?

No, that tag is only for management traffic (port 3443, RP calls, etc.), not for the outbound API calls. V2 tiers use a separate SNAT pool.

What IP ranges does Standard V2 use in East US 2?

The exact set of outbound IPs is unique to your instance and region and is published in your APIM resource’s Properties under Outbound IP addresses. You can grab them via CLI for example:

  az apim show \

    --name   <your-apim> \

    --resource-group <rg> \

    --query outboundIpAddresses \

    -o tsv

Those will include your IP address plus any sister IPs in that pool.

Workaround for allowing Standard V2 traffic?

• Whitelist the specific outbound IP addresses from your APIM instance (from the portal or CLI) in your Function App’s Access Restrictions.

• Or inject APIM into a VNet with a NAT Gateway or Azure Firewall so you get a fixed set of egress IPs you can safely lock down.

Is this a known gap or am I missing something?

It’s a known behavior for the v2 SKU: service tag ApiManagement hasn’t yet been updated to carry data-plane SNAT ranges for Standard V2/Premium V2. The recommended pattern is to use the instance’s outbound IP list (or VNet+NAT Gateway) until the service tag is enhanced.

Hope that helps!

References

• Azure IP Ranges & Service Tags JSON
• How to find your APIM outbound IP addresses
• APIM access restriction policies
• Troubleshooting 403 Forbidden in APIM
• Using VNets and NAT Gateway for fixed egress in APIM v2

1. For Standard v2/Premium v2, outbound IPs are not guaranteed to be included in the ApiManagement service tag. The ApiManagement service tag is a convenience abstraction over IP ranges that Microsoft publishes and maintains, but it does not cover all outbound IPs for all SKUs and scenarios. The context explicitly notes that service tags are lists of IP prefixes maintained by Microsoft and that they are not a security control by themselves and do not necessarily include all outbound IPs for a given service or tier.
2. Standard v2 in East US 2 runs on shared infrastructure and does not expose a deterministic, dedicated outbound IP range that can be fully mapped via the service tag. The documentation states that for API Management instances created in service tiers that run on shared infrastructure (Consumption, Basic v2, Standard v2, Premium v2), the instance does not have a dedicated IP address and does not have a deterministic IP. For allowlisting, the guidance is to use the datacenter (region) IP ranges instead of a fixed APIM IP:

   "If you need to add the outbound IP addresses used by your Consumption, Basic v2, Standard v2, or Premium v2 tier instance to an allowlist, you can add the instance's datacenter (Azure region) to an allowlist. You can download a JSON file that lists IP addresses for all Azure datacenters. Then find the JSON fragment that applies to the region that your instance runs in."

   Therefore, Standard v2 outbound traffic in East US 2 can originate from any of the public IP ranges for the East US 2 region listed in the Azure IP ranges JSON, not just from the ApiManagement service tag ranges.
3. Recommended workaround for allowing Standard v2 traffic: Because Standard v2 does not have deterministic outbound IPs and the ApiManagement service tag does not cover all possible outbound addresses, the recommended approach is:
   • Download the "Microsoft Azure IP Ranges and Service Tags – Public Cloud" JSON.
   • Locate the section for the East US 2 region.
   • Use those regional IP ranges (for the region where the APIM instance runs) in the allowlist for the Azure Function App instead of relying solely on the ApiManagement service tag.
   This aligns with the documented guidance for v2 tiers: allowlist by region rather than by a single APIM IP or by assuming the service tag covers all outbound addresses.
4. This is a known behavioral difference/limitation of the v2 tiers, not a configuration mistake. The behavior observed (APIM outbound IP not present in the ApiManagement service tag and 403 when only that tag is allowed) is consistent with the documented characteristics of Consumption/Basic v2/Standard v2/Premium v2 tiers: they run on shared infrastructure without deterministic IPs, and outbound allowlisting must be done using the region’s IP ranges from the Azure IP ranges JSON rather than assuming a fixed APIM IP or complete coverage by the ApiManagement service tag.

References:

• IP addresses in Azure API Management
• Inbound and outbound IP addresses in Azure App Service
• Azure service tags overview for virtual network security
• Power Platform URLs and IP address ranges