Network flow missing?
In the stv2 version for the APIM NSG, in the inbound section I see 3443 but with ApiManagement->VirtualNetwork, but still in the logs of the NSG of the subnet, I see attempts coming in from AzureCloud->APIM Subnet on port 3443. And there is no mention in the documentation. Is the doc right, or are the services not behaving as the doc says?
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: cbd2c349-f9a7-d43e-ab97-675b9fe3e809
- Version Independent ID: 997f977d-978c-541f-cc03-d47412998c73
- Content: VNet configuration settings
- Content Source: articles/api-management/virtual-network-reference.md
- Service: api-management
- GitHub Login: @dlepow
- Microsoft Alias: danlep
@ericrousse Thanks for your feedback! We will investigate and update as appropriate.
Also, just a thought: is it possible that the traffic I'm seeing coming from AzureCloud could be traffic generated by other customers from within Azure that are scanning around and testing to see if some clients are vulnerable or something? For now, I just added AzureCloud to pass in my NSG on that subnet. But wondering if it's really good. Thanks again!
@ericrousse - Apologies for delayed response. I don't believe it's necessary to add AzureCloud to pass in your NSG on the subnet - the more restricted set of addresses encompassed by the ApiManagement service tag should be sufficient for the control plane. That said, I don't have an explanation for the attempts coming into your subnet from AzureCloud. Was this a newly created network or had it been functioning for some time before you modified the rules?
Since we haven't heard back on this issue, I'll now proceed to close it. If you still see this behavior or want to continue the discussion, I suggest opening a support case, or reaching out on Microsoft Q&A. Thanks again. #please-close
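One way to check the point made in the reply above (that the ApiManagement service tag should be sufficient for port 3443) against your own NSG flow logs, as an added example that is not part of the original thread or the Azure docs. It assumes NSG flow log version 2 tuples and the layout of the downloadable Service Tags JSON; the prefixes, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape of the Service Tags JSON download.
# Prefixes are documentation ranges, NOT real Azure ranges.
SERVICE_TAGS = {"values": [
    {"name": "ApiManagement",
     "properties": {"addressPrefixes": ["203.0.113.0/28"]}},
    {"name": "AzureCloud",
     "properties": {"addressPrefixes": ["203.0.113.0/24", "198.51.100.0/24"]}},
]}

# Constructed NSG flow log v2 tuples:
# time,srcIP,dstIP,srcPort,dstPort,proto,direction(I/O),decision(A/D),state,...
FLOW_TUPLES = [
    "1700000000,203.0.113.5,10.0.1.4,50000,3443,T,I,A,B,,,,",
    "1700000010,198.51.100.77,10.0.1.4,41000,3443,T,I,D,B,,,,",
    "1700000020,203.0.113.200,10.0.1.4,41001,3443,T,I,D,B,,,,",
    "1700000030,192.0.2.9,10.0.1.4,41002,3443,T,I,D,B,,,,",
    "1700000040,10.0.1.4,203.0.113.5,3443,50000,T,O,A,B,,,,",   # outbound, skipped
    "1700000050,198.51.100.77,10.0.1.4,41003,443,T,I,A,B,,,,",  # other port, skipped
]

def load_tag(doc, name):
    """Return the prefixes of one service tag as ip_network objects."""
    for entry in doc["values"]:
        if entry["name"] == name:
            return [ipaddress.ip_network(p)
                    for p in entry["properties"]["addressPrefixes"]]
    return []

def classify(src, apim, cloud):
    """Most specific tag first: AzureCloud is a superset of ApiManagement."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in apim):
        return "ApiManagement"
    if any(ip in net for net in cloud):
        return "AzureCloud-only"
    return "other"

def triage(tuples, doc, port=3443):
    """List (source, tag, decision) for inbound flows to the given port."""
    apim, cloud = load_tag(doc, "ApiManagement"), load_tag(doc, "AzureCloud")
    results = []
    for line in tuples:
        f = line.split(",")
        if f[6] != "I" or int(f[4]) != port:
            continue
        decision = "allow" if f[7] == "A" else "deny"
        results.append((f[1], classify(f[1], apim, cloud), decision))
    return results
```

Sources reported as "AzureCloud-only" with a deny decision are the flows that would start being admitted if the rule were widened from ApiManagement to AzureCloud.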