Network Restrictions & Alternative Solutions

Important

Azure Trusted Service Connectivity Retirement (March 2026) - Microsoft is retiring the Trusted Services feature, which affects logging from APIM to Azure Blob Storage and Event Hubs when network restrictions are enabled. Read the Microsoft announcement.

This guide provides comprehensive alternative solutions for Azure API Management logging when network restrictions prevent access to Storage Accounts or Event Hubs.

Understanding the Issue

When APIM logs to Blob Storage or Event Hubs, traffic flows through the Azure backbone network using private source IP addresses (e.g., 10.x.x.x). Previously, you could enable "Allow trusted Microsoft services" in your firewall settings, even with "Selected networks" enabled. This option is being retired in March 2026.

The problem:

• APIM's private source IPs cannot be whitelisted in Storage Account or Event Hub firewalls
• The "Trusted Microsoft Services" workaround no longer functions after March 2026
• Public access raises security concerns for many organizations

Affected logging methods:

• Blob Storage Policy - Writing logs to Azure Blob Storage containers
• Event Hub Policy - Writing logs to Azure Event Hub entities

---

Solution 1: Private Endpoint with VNet Integration ⭐ (Recommended for Production)

Requirements:

• APIM must be on a tier supporting VNet integration: Developer, Premium, or Standard v2
• Does NOT work with: Basic, Standard v1 (retired August 2024), or Consumption tiers

Tip

Pricing Clarification: Standard v2 is ~75% cheaper than Premium (~$700/month vs ~$2,800/month for base units). If you previously considered Premium too expensive, Standard v2 provides VNet integration at a much lower cost. Azure APIM pricing details.

Implementation for Blob Storage

1. Create a Private Endpoint for your Storage Account:

   • Navigate to Storage Account → Networking → Private endpoint connections
   • Click + Private endpoint
   • Deploy in the same VNet as APIM (or a peered VNet)
   • Target sub-resource: blob

2. Configure APIM VNet Integration:

   • Ensure APIM is deployed in VNet-integrated mode
   • The APIM subnet must have network connectivity to the Storage Account's private endpoint

3. Update Storage Account Network Settings:

   • Go to Storage Account → Networking
   • Select Enabled from selected virtual networks and IP addresses
   • Add the VNet/subnet where APIM is deployed

Implementation for Event Hub

1. Create a Private Endpoint for your Event Hub Namespace:

   • Navigate to Event Hub Namespace → Networking → Private endpoint connections
   • Click + Private endpoint
   • Deploy in the same VNet as APIM (or a peered VNet)
   • Target sub-resource: namespace

2. Configure APIM VNet Integration:

   • Ensure APIM is deployed in VNet-integrated mode
   • The APIM subnet must have network connectivity to the Event Hub's private endpoint

3. Update Event Hub Network Settings:

   • Go to Event Hub Namespace → Networking
   • Select Enabled from selected virtual networks and IP addresses
   • Add the VNet/subnet where APIM is deployed

Benefits

• ✅ Traffic stays on Azure backbone network
• ✅ No public internet exposure
• ✅ Complies with March 2026 Microsoft changes
• ✅ Production-grade security
• ✅ Maintains asynchronous logging pattern

Drawbacks

• ❌ Requires APIM tier upgrade if on Basic/Consumption (Standard v1 is already retired)
• ❌ Additional Azure networking configuration
• ❌ Higher cost than Basic/Consumption (~$700/month for Standard v2), but significantly cheaper than Premium if that was your alternative

---

Solution 2: Direct Log API Policy

Requirements:

• Works on ALL APIM tiers (including Consumption)
• Nodinite Log API must be accessible via HTTPS

Implementation

Replace the Blob Storage or Event Hub Policy with the Log API Policy. Configure APIM to send log events directly to your Nodinite Log API endpoint.

Security Options:

• Expose Log API with API Key authentication (already in policy)
• Add IP whitelisting to restrict access to Azure APIM outbound IPs
• Use Azure Front Door or Application Gateway for additional protection

Benefits of Direct Log API

• ✅ Works on all APIM tiers (no upgrade needed)
• ✅ No intermediate storage dependency
• ✅ No VNet requirements
• ✅ No Trusted Services dependency
• ✅ No Event Hub Logger configuration needed
• ✅ Immediate logging (no pickup service delay)

Drawbacks of Direct Log API

• ⚠️ Synchronous policy call (slight performance impact on API response time)
• ⚠️ Nodinite Log API must be highly available
• ⚠️ Log API unavailability during maintenance may result in lost events
• ⚠️ Requires public HTTPS endpoint or network line-of-sight from APIM to Log API

When to Use

• You cannot upgrade APIM tier
• Security policies prevent enabling public access on Storage Account or Event Hub
• You need a solution that works immediately without infrastructure changes
• Your logging volume is manageable for synchronous calls

---

Solution 3: Azure Function/Logic App Intermediary

Requirements:

• Works on all APIM tiers
• Additional Azure resources (Function App or Logic App)

Implementation for Function/Logic App Intermediary

1. Create an Azure Function or Logic App with VNet integration and Managed Identity
2. Configure APIM policy to call the Function/Logic App via HTTPS
3. The Function/Logic App writes to Blob Storage or Event Hub using Managed Identity with Private Endpoint access

Benefits of Function/Logic App Intermediary

• ✅ Works on all APIM tiers
• ✅ Function/Logic App can use VNet + Managed Identity
• ✅ Can run on consumption pricing (cost-effective)
• ✅ Maintains asynchronous logging pattern
• ✅ Provides additional processing capabilities if needed

Drawbacks of Function/Logic App Intermediary

• ❌ Additional component to maintain and monitor
• ❌ Increased complexity
• ❌ Additional latency (APIM → Function → Storage)
• ❌ Extra costs for Function/Logic App

---

Solution 4: Enable Public Network Access with Managed Identity 🔓

Requirements:

• Works on ALL APIM tiers (including Consumption, Basic, Developer, Standard v2, Premium)
• Managed Identity must be configured on APIM instance

This is a viable option when using Managed Identity authentication. Despite the name "public access," this solution maintains strong security through multiple layers of protection.

Important

"Public Access" Does NOT Mean Insecure - When using Managed Identity, public network access still requires full authentication and authorization. It simply means the storage endpoint is accessible from the internet, not that it's open to anonymous access.

Understanding Public Network Access

When you enable "Allow access from all networks" on Azure Storage or Event Hub:

What It Means	What It DOES NOT Mean
✅ Accessible from any IP address	❌ Anonymous/unauthenticated access
✅ No VNet restrictions	❌ Unencrypted traffic
✅ Simplified networking	❌ Publicly browsable data
✅ Works with all APIM tiers	❌ Bypass authentication

Security Layers That Remain Active

Even with public network access enabled, you still have multiple security layers:

Security Layer	Status	Details
Authentication	✅ Required	Managed Identity via Azure AD
Authorization	✅ Active	Azure RBAC controls permissions
Encryption in Transit	✅ Enforced	HTTPS/TLS 1.2+ only
Encryption at Rest	✅ Enforced	Microsoft or customer-managed keys
Audit Logging	✅ Enabled	Azure Monitor tracks all access
RBAC Scoping	✅ Granular	Limit to specific container/namespace

Implementation with Public Network Access

For Blob Storage

1. Configure Storage Account Networking:

   # Enable public network access
   az storage account update `
     --name <storage-account> `
     --resource-group <resource-group> `
     --public-network-access Enabled `
     --default-action Allow
   
   # Require HTTPS only
   az storage account update `
     --name <storage-account> `
     --resource-group <resource-group> `
     --https-only true
   

2. Assign Managed Identity Permissions:

   # Grant Storage Blob Data Contributor to APIM's Managed Identity
   az role assignment create `
     --assignee <managed-identity-client-id> `
     --role "Storage Blob Data Contributor" `
     --scope "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container-name>"
   

3. Implement Lifecycle Policy (Recommended):

   {
     "rules": [{
       "name": "DeleteOldLogs",
       "enabled": true,
       "type": "Lifecycle",
       "definition": {
         "filters": {
           "blobTypes": ["blockBlob"],
           "prefixMatch": ["nodinite-logs/"]
         },
         "actions": {
           "baseBlob": {
             "delete": { "daysAfterModificationGreaterThan": 1 }
           }
         }
       }
     }]
   }
   

For Event Hub

1. Configure Event Hub Networking:

   # Enable public network access
   az eventhubs namespace update `
     --name <namespace> `
     --resource-group <resource-group> `
     --public-network-access Enabled
   

2. Assign Managed Identity Permissions:

   # Grant Azure Event Hubs Data Sender to APIM's Managed Identity
   az role assignment create `
     --assignee <managed-identity-client-id> `
     --role "Azure Event Hubs Data Sender" `
     --scope "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.EventHub/namespaces/<namespace>/eventhubs/<eventhub-name>"
   

Security Comparison: Public Access vs Private Endpoint

Security Aspect	Public Access + Managed Identity	Private Endpoint + Managed Identity
Authentication Required	✅ Yes (Azure AD/Managed Identity)	✅ Yes (Azure AD/Managed Identity)
Authorization (RBAC)	✅ Yes (same granularity)	✅ Yes (same granularity)
Encryption in Transit	✅ HTTPS/TLS (Azure backbone)	✅ HTTPS/TLS (Azure backbone)
Encryption at Rest	✅ Same encryption	✅ Same encryption
Network Path	Azure backbone (not internet)	VNet private network
Attack Surface	Larger (internet-facing endpoint)	Smaller (VNet-only)
IP Whitelisting	❌ Not possible (dynamic IPs)	✅ VNet-based restrictions
Compliance Impact	Depends on policy	Generally compliant
Cost	✅ No APIM upgrade needed	❌ Requires Standard v2+ (~$700/mo)
Setup Complexity	✅ Simple (5 minutes)	❌ Complex (hours of networking)

Additional Hardening Options

If you choose public network access, implement these additional controls:

1. Azure Monitor Alerts

# Alert on failed authentication attempts
az monitor metrics alert create `
  --name "storage-failed-auth" `
  --resource-group <resource-group> `
  --scopes <storage-account-id> `
  --condition "count FailedRequests > 10" `
  --window-size 5m `
  --evaluation-frequency 1m

2. Redact Sensitive Data in APIM Policy

<!-- Exclude sensitive headers -->
<set-body>@{
    var headers = context.Request.Headers
        .Where(h => h.Key != "Authorization" 
                 && h.Key != "Ocp-Apim-Subscription-Key"
                 && h.Key != "X-API-Key"
                 && !h.Key.Contains("Secret")
                 && !h.Key.Contains("Password"));
    
    // Option: Hash or redact PII in body
    var body = context.Request.Body.As<string>(preserveContent: true);
    // Add your redaction logic here
    
    return JsonConvert.SerializeObject(logEvent);
}</set-body>

3. Container-Level Scoping

# Limit managed identity to specific container only
# Use most restrictive scope possible
--scope "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<sa>/blobServices/default/containers/<container>"

4. Azure Policy Governance

{
  "if": {
    "field": "type",
    "equals": "Microsoft.Storage/storageAccounts"
  },
  "then": {
    "effect": "audit",
    "details": {
      "existenceCondition": {
        "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
        "equals": "Enabled"
      }
    }
  }
}

5. Minimize Data Exposure Window

Important

Limited Attack Window for Blob Storage - The Nodinite Pickup Service processes logs from Blob Storage using destructive reads. Blobs are deleted immediately after successful pickup, meaning log data only exists in the container for seconds to minutes. This dramatically reduces the exposure window for potential attackers.

Blob Storage: Destructive Reads (Minimal Exposure)

How it works:

1. APIM writes log event to Blob Storage container
2. Pickup Service polls container (default: every 30 seconds)
3. Pickup Service reads blob content and writes to Nodinite database
4. Blob is deleted immediately after successful processing
5. Container contains only logs created within the last polling interval

Typical data retention in container:

Polling Interval	Maximum Exposure Time
30 seconds (default)	~30-60 seconds
1 minute	~1-2 minutes
5 minutes	~5-10 minutes

Security benefit:

Even if an attacker somehow compromised the Managed Identity, they would only gain access to logs created within the last polling interval (typically 30-60 seconds). Historical data is already in the Nodinite database, not in the Blob Storage container.

Event Hub: Non-Destructive Reads (Retention-Based)

How it works:

1. APIM writes log event to Event Hub
2. Pickup Service consumes messages from Event Hub
3. Pickup Service writes to Nodinite database
4. Messages remain in Event Hub until retention policy expires
5. Event Hub retains messages based on configured retention period (1-7 days standard, up to 90 days with premium)

Why longer retention is necessary:

• Outage recovery: If Pickup Service stops or Nodinite database is unavailable, messages remain in Event Hub
• Catch-up capability: When service resumes, Pickup Service can consume backlog of messages
• No data loss: Service interruptions don't result in lost log events

Recommended retention settings:

Environment	Recommended Retention	Rationale
Production	3-7 days	Allows recovery from weekend outages, maintenance windows
Dev/Test	1-3 days	Balance cost vs recovery needs
High-volume	1-2 days	Minimize storage costs while maintaining recovery buffer

Warning

Do NOT set Event Hub retention too short (e.g., 1 hour). If the Pickup Service or Nodinite database experiences an outage, you'll lose log events that arrived during the downtime. A minimum of 24 hours is recommended for production environments.

Security consideration:

Unlike Blob Storage, Event Hub messages persist longer, meaning there's a larger window of exposure if Managed Identity is compromised. However:

• Messages are consumed by offset tracking - attacker would need to enumerate all messages
• RBAC limits permissions to specific Event Hub entity
• Azure Monitor tracks all access attempts
• Trade-off: Longer retention = better recovery capability but larger attack window

Risk Assessment Matrix

Risk Factor	Likelihood	Impact	Mitigation
Compromised Managed Identity	Low	High	Azure AD Conditional Access, PIM
Data Exfiltration	Very Low	Low	Destructive reads (30-60s exposure), lifecycle policies, monitoring
Unauthorized Access	Very Low	Medium	RBAC reviews, audit logs
Compliance Violation	Medium	High	Risk acceptance, compensating controls
Credential Theft	Very Low	N/A	No static credentials (managed identity)

When This Solution is Viable

✅ Good fit for:

• Cost-sensitive environments (no APIM tier upgrade)
• Dev/test environments
• Low-to-medium sensitivity operational logs
• Organizations with mature Azure monitoring
• When using Managed Identity (not SAS tokens or access keys)
• Scenarios where you redact sensitive data in policies
• Temporary solution while planning Private Endpoint migration

✅ Acceptable if:

• Corporate security policy allows documented risk acceptance
• You implement all recommended hardening measures
• Data sensitivity is low (operational logs, no PII/financial)
• You have Azure Monitor alerting configured
• Lifecycle policies auto-delete old data

When This Solution is NOT Viable

❌ Avoid if:

• Corporate policy explicitly requires private networking
• Logging highly sensitive data (PII, financial, health)
• Compliance requirements (PCI-DSS, HIPAA, SOX) forbid public endpoints
• Working in highly regulated industries
• Zero-trust architecture mandated
• Risk appetite is very low
• External auditors require private networking

Cost Comparison (Annual)

Solution	APIM Tier Cost	Additional Costs	Total Annual Cost
Public Access	$0 (no upgrade)	~$50/year (storage + monitoring)	~$50/year
Private Endpoint	~$8,400/year (Standard v2)	~$200/year (PE + storage)	~$8,600/year

Savings: ~$8,550/year 🎯

Benefits of Public Network Access with Managed Identity

• ✅ No APIM tier upgrade needed - Works on Basic, Consumption, all tiers
• ✅ Maintains asynchronous logging pattern - No performance impact on APIs
• ✅ Simple implementation - 5-10 minutes to configure
• ✅ Strong authentication - Managed Identity via Azure AD
• ✅ Full encryption - HTTPS in transit, encryption at rest
• ✅ Audit trail - Azure Monitor logs all access
• ✅ Cost-effective - Saves ~$700/month vs Standard v2
• ✅ No static credentials - No keys or connection strings to manage

Drawbacks of Public Network Access

• ⚠️ Larger attack surface - Endpoint accessible from internet (but still requires auth)
• ⚠️ May not meet compliance - Some policies explicitly forbid public endpoints
• ⚠️ Requires compensating controls - Monitoring, lifecycle policies, redaction
• ⚠️ Risk acceptance needed - Security team approval recommended
• ⚠️ Cannot whitelist IPs - APIM uses dynamic Azure backbone IPs

Recommendation

Use this solution when:

• Cost is a primary concern (~$700/month savings)
• You cannot upgrade to Standard v2 APIM tier
• Data sensitivity is low-to-medium
• You can implement compensating controls
• Security team approves risk acceptance

Consider alternatives when:

• Production environment with strict security requirements
• High data sensitivity or compliance requirements
• Unlimited budget for security controls
• Corporate policy prohibits public endpoints

Tip

Many organizations successfully use public network access with Managed Identity for non-production environments while using Private Endpoints for production. This hybrid approach balances cost and security.

---

Solution 5: Upgrade to Developer Tier (if on Basic/Consumption)

Implementation: Upgrade from Basic or Consumption tier to Developer tier (~$50/month) to gain VNet support, then implement Solution 1 (Private Endpoint).

Benefits of Developer Tier Upgrade

• ✅ Much cheaper than Standard v2 (~$50 vs ~$700/month)
• ✅ Enables VNet integration and private endpoints
• ✅ Good for development/test environments

Drawbacks of Developer Tier

• ❌ Developer tier has 99.9% SLA only (not recommended for production)
• ❌ Limited to single unit (no horizontal scaling)
• ❌ Designed for non-production workloads

---

Solution 6: Switch from Event Hub to Blob Storage (Event Hub Users Only)

Implementation: If you're currently using Event Hub Policy and hitting the 200 KB message limit, switch to Blob Storage Policy.

Benefits of Switching to Blob Storage

• ✅ No 200 KB message size limit (supports any payload size)
• ✅ Can use same alternative solutions as described above
• ✅ Simpler configuration (no Event Hub Logger needed)
• ✅ Better for large payloads

Drawbacks of Switching to Blob Storage

• ❌ Still affected by the same Trusted Services retirement
• ❌ Requires changing logging architecture
• ❌ Must configure Pickup Service for Blob Storage instead of Event Hub

When to Switch to Blob Storage

• You need to log messages larger than 200 KB
• Your APIM tier supports VNet integration (for Private Endpoint solution)
• You want to simplify your logging infrastructure

---

Recommendation Summary

Your APIM Tier	Recommended Solution	Alternative
🚀 Developer, Premium, Standard v2	Solution 1: Private Endpoint	Solution 4: Public Access + Managed Identity
📱 Basic, Standard v1, Consumption	Solution 4: Public Access + Managed Identity	Solution 2: Log API Policy
🏭 Production workloads	Solution 1: Private Endpoint	Solution 4: Public Access (with approval)
📦 Large messages (>200 KB)	Solution 6: Switch to Blob Storage + Solution 1	Solution 4: Public Access + Blob Storage
💰 Cost-sensitive environments	Solution 4: Public Access + Managed Identity	Solution 2: Log API Policy
🧪 Dev/Test environments	Solution 4: Public Access + Managed Identity	Solution 5: Upgrade to Developer

---

Frequently Asked Questions

Q: Does enabling "public network access" allow any Azure tenant to access my data?

A: No. This is a common misconception. "Public network access" only means the endpoint is reachable from the internet - it does NOT bypass authentication or authorization.

With Managed Identity (Solution 4), you still have:

• ✅ Authentication required - Only the specific APIM instance with the assigned Managed Identity can authenticate
• ✅ Authorization required - Azure RBAC role assignment must explicitly grant permissions to that exact Managed Identity
• ✅ Tenant isolation - Other Azure tenants cannot access your data
• ✅ Subscription isolation - Even other APIM instances in YOUR OWN subscription cannot access the data without explicit RBAC assignment
• ✅ Full audit trail - Azure Monitor logs every access attempt

What's different from the retired "Trusted Services":

The old "Trusted Services" bypass allowed any Microsoft service classified as "trusted" to access your storage, which was indeed a broader permission model. Managed Identity is fundamentally different - it requires explicit identity authentication and role-based authorization for one specific resource.

Analogy: Your bank has a public-facing website (public network access), but that doesn't mean anyone can access your account. You still need credentials (authentication) and account ownership (authorization). Same principle applies here.

Q: Is Standard v2 really cheaper than Premium?

A: Yes! Standard v2 is approximately 75% cheaper than Premium (~$700/month vs ~$2,800/month for base units). Standard v2 was introduced to make VNet integration accessible to more organizations. Previously, VNet integration required the expensive Premium tier.

Q: Can I continue using Trusted Services after March 2026?

A: No. Microsoft is retiring this feature. You must implement one of the alternative solutions before March 2026 to avoid logging disruptions.

Q: Will Event Hub help me avoid this issue?

A: No. Event Hub is affected by the same Trusted Services retirement as Blob Storage. You'll face the same challenges regardless of which intermediate storage you use.

Q: What happens if I do nothing?

A: After March 2026, if you have network restrictions enabled on your Storage Account or Event Hub, APIM will no longer be able to write logs to them. Your logging will stop working, and you'll lose visibility into your API traffic.

Q: Can I whitelist APIM's IP addresses?

A: No. APIM logs through the Azure backbone network using private IP addresses (10.x.x.x range) that cannot be whitelisted in storage firewalls. This is why the Private Endpoint solution is needed.

Q: Is the Log API Policy synchronous or asynchronous?

A: The Log API Policy makes synchronous HTTP calls, which means it can add latency to your API response time. However, the policy uses ignore-error="true", so logging failures won't break your API calls. For truly asynchronous logging, use Solution 1 (Private Endpoint) or Solution 3 (Function Intermediary).

Q: Can I use Network Security Perimeter (NSP) to solve this?

A: No. While Network Security Perimeter is now generally available and supports both Azure Storage Accounts and Azure Event Hubs as member resources, Azure API Management is not currently an NSP-supported service.

Why NSP doesn't work for this scenario:

Network Security Perimeter creates logical network boundaries around PaaS resources to control public network access. To benefit from NSP, both the source and destination resources must be NSP-supported services that can be associated with the perimeter.

In this APIM logging scenario:

• Source: Azure API Management (attempting to write logs)
• Destination: Storage Account or Event Hub (receiving logs)

The problem: APIM is not in Microsoft's list of onboarded private link resources. Currently supported NSP services include Azure Monitor, Key Vault, Storage, Event Hubs, SQL DB, Cosmos DB, and others—but not API Management.

Without APIM being an NSP member, you cannot create a secure perimeter that includes both APIM and the Storage/Event Hub destination. The NSP would only control access rules for the Storage/Event Hub side, but APIM's traffic would still be treated as external public access, requiring the same workarounds described in this guide.

When NSP could be useful:

If you implement Solution 3 (Azure Function/Logic App Intermediary), you could place the intermediary Azure Function or Logic App and the Storage/Event Hub within the same NSP to secure that segment of the communication path. Azure Functions and Logic Apps can leverage NSP when they support the feature in the future, but this still doesn't eliminate the need for the intermediary component.

Bottom line: NSP is an excellent security feature for supported PaaS-to-PaaS scenarios, but it cannot solve the APIM logging challenge because APIM itself is not (yet) NSP-aware. Continue using the solutions outlined in this guide instead.

---

Next Steps

1. Assess your current tier: Check which APIM tier you're currently using
2. Evaluate your requirements: Consider SLA, cost, and security needs
3. Choose a solution: Use the recommendation table above
4. Test in non-production: Implement the solution in a dev/test environment first
5. Plan migration: Schedule the migration before March 2026

Tip

Contact Nodinite Support if you need assistance evaluating and implementing the best solution for your environment.

Related Topics

• Blob Storage Policy
• Event Hub Policy
• Log API Policy

Azure Application Access
JSON Log Event
Pickup Log Events Service Logging Agent