Understand why App Insight cannot resolve internal API Management’s request client IP Geo Location

Published Feb 13 2022 06:43 PM 1,342 Views
Microsoft

Understand why App Insight cannot resolve internal API Management’s request client IP Geo Location

 

Prerequisites:

To fully utilize this blog, we should have a basic understanding of

  • How App Gateway is integrated with internal mode API management.
  • How to check the log that is stored in App Insight.
  • How to get API management request trace (ocp-apim-trace)

Setup:

Yixuan_Wang_0-1644559103646.png

 

We have all the resources drew in the above diagram.

  • API Management is configured to internal V-Net Mode.
  • App Gateway and API Management are in the same V-Net.
  • App Gateway uses private IP to connect API management.
  • Both API management and Function App have an App Insight to log down requests’ information.

 

 

 

Problem:

APIM’s App Insight cannot resolve correct Client IP Geo location.

 

Yixuan_Wang_1-1644559103657.png

 

 

As we can see in the screenshot, the client IP column here is App Gateway’s private IP instead of end users’ actual client public IP. App Insight cannot use this private IP to resolve a correct Geo Location, hence the columns are empty.

 

Explanation:

App Insight logs down the information sent by the data source. Different data sources treat client IP field in different approaches.

Resources like Function App for example, extracts the end users’ IP addresses from the ‘X-Forwarded-For’ request header.

If we test the request and check the APIM trace, we will see when APIM forwards the request to Function App, there are two IP addresses in the ‘X-Forwarded-For’ header, and the first one is the actual end user’s public IP.

 

Yixuan_Wang_2-1644559103667.png

 

 

Function App will extract this IP and send this to App Insight.

To prove that, if we check Function App’s App Insight, we can see the Geo Location columns are correctly displayed.

 

Yixuan_Wang_3-1644559103675.png

 

However, on APIM side, we find that APIM is not using this approach to handle client IP field. APIM will send incoming resource’s IP as client IP to App Insight. This is a known issue and we have confirmed with the corresponding product team.

 

 

Workaround:

  1. Enable Azure Monitor log in Application Gateway side and get client IP from there.
  2. Manually log the “X-Forwarded-For” header in APIM Application Insights. Then manually resolve to Geo Location info.
  3. Resolve the geo location from X-Forwarded-For header in policy, then use <Trace> policy to log to AI. https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#Trace

 

If App Insight is showing Client IP as 0.0.0.0:

The default behavior for App Insight is to mask the IP field and display it as 0.0.0.0.

We need to follow this documentation and set the ‘DisableIpMasking’ property to true.

Azure Application Insights IP address collection - Azure Monitor | Microsoft Docs

 

Conclusion:

Hope this blog helps you understand why we are not able to view client IP geo locations from App Insight. This is a known issue, and the APIM product team already has a work item to discuss the possibility to modify this. For now, we can use the above workarounds I mentioned above.

%3CLINGO-SUB%20id%3D%22%5C%26quot%3Blingo-sub-3152990%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3EUnderstand%20why%20App%20Insight%20cannot%20resolve%20internal%20API%20Management%E2%80%99s%20request%20client%20IP%20Geo%20Location%26lt%3B%5C%2Flingo-sub%26gt%3B%3CLINGO-BODY%20id%3D%22%5C%26quot%3Blingo-body-3152990%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3E%3CP%3E%3CSTRONG%3EUnderstand%20why%20App%20Insight%20cannot%20resolve%20internal%20API%20Management%E2%80%99s%20request%20client%20IP%20Geo%20Location%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%26nbsp%3B%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B5%5C%26quot%3B%22%20color%3D%22%5C%26quot%3B%231460AA%5C%26quot%3B%22%3E%3CSTRONG%3EPrerequisites%3A%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3ETo%20fully%20utilize%20this%20blog%2C%20we%20should%20have%20a%20basic%20understanding%20of%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3CUL%3E%5Cn%3CLI%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EHow%20App%20Gateway%20is%20integrated%20with%20internal%20mode%20API%20management.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FLI%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FLI%3E%3CLI%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EHow%20to%20check%20the%20log%20that%20is%20stored%20in%20App%20Insight.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FLI%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FLI%3E%3CLI%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EHow%20to%20get%20API%20management%20request%20trace%20(ocp-apim-trace)%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FLI%26gt%3B%5Cn%26lt%3B%5C%2FUL%26gt%3B%5Cn%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B5%5C%26quot%3B%22%20color%3D%22%5C%26quot%3B%231460AA%5C%26quot%3B%22%3E%3CSTRONG%3ESetup%3A%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F347229iDEF7900A64DC104E%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22Yixuan_Wang_0-1644559103646.png%22%20alt%3D%22%5C%26quot%3BYixuan_Wang_0-1644559103646.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EWe%20have%20all%20the%20resources%20drew%20in%20the%20above%20diagram.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3CUL%3E%5Cn%3CLI%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EAPI%20Management%20is%20configured%20to%20internal%20V-Net%20Mode.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FLI%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FLI%3E%3CLI%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EApp%20Gateway%20and%20API%20Management%20are%20in%20the%20same%20V-Net.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FLI%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FLI%3E%3CLI%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EApp%20Gateway%20uses%20private%20IP%20to%20connect%20API%20management.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FLI%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FLI%3E%3CLI%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EBoth%20API%20management%20and%20Function%20App%20have%20an%20App%20Insight%20to%20log%20down%20requests%E2%80%99%20information.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FLI%26gt%3B%5Cn%26lt%3B%5C%2FUL%26gt%3B%5Cn%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSTRONG%3E%26nbsp%3B%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%26nbsp%3B%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B5%5C%26quot%3B%22%20color%3D%22%5C%26quot%3B%231460AA%5C%26quot%3B%22%3E%3CSTRONG%3EProblem%26lt%3B%5C%2FSTRONG%26gt%3B%3A%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EAPIM%E2%80%99s%20App%20Insight%20cannot%20resolve%20correct%20Client%20IP%20Geo%20location.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F347231i05CEB738CBD30D94%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22Yixuan_Wang_1-1644559103657.png%22%20alt%3D%22%5C%26quot%3BYixuan_Wang_1-1644559103657.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EAs%20we%20can%20see%20in%20the%20screenshot%2C%20the%20client%20IP%20column%20here%20is%20App%20Gateway%E2%80%99s%20private%20IP%20instead%20of%20end%20users%E2%80%99%20actual%20client%20public%20IP.%20App%20Insight%20cannot%20use%20this%20private%20IP%20to%20resolve%20a%20correct%20Geo%20Location%2C%20hence%20the%20columns%20are%20empty.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B5%5C%26quot%3B%22%20color%3D%22%5C%26quot%3B%231460AA%5C%26quot%3B%22%3E%3CSTRONG%3EExplanation%3A%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EApp%20Insight%20logs%20down%20the%20information%20sent%20by%20the%20data%20source.%20Different%20data%20sources%20treat%20client%20IP%20field%20in%20different%20approaches.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EResources%20like%20Function%20App%20for%20example%2C%20extracts%20the%20end%20users%E2%80%99%20IP%20addresses%20from%20the%20%E2%80%98%3CSTRONG%3EX-Forwarded-For%26lt%3B%5C%2FSTRONG%26gt%3B%E2%80%99%20request%20header.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EIf%20we%20test%20the%20request%20and%20check%20the%20APIM%20trace%2C%20we%20will%20see%20when%20APIM%20forwards%20the%20request%20to%20Function%20App%2C%20there%20are%20two%20IP%20addresses%20in%20the%20%E2%80%98%3CSTRONG%3EX-Forwarded-For%E2%80%99%26lt%3B%5C%2FSTRONG%26gt%3B%20header%2C%20and%20the%20first%20one%20is%20the%20actual%20end%20user%E2%80%99s%20public%20IP.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F347230i3CD77EFD7B7062E0%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22Yixuan_Wang_2-1644559103667.png%22%20alt%3D%22%5C%26quot%3BYixuan_Wang_2-1644559103667.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EFunction%20App%20will%20extract%20this%20IP%20and%20send%20this%20to%20App%20Insight.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3ETo%20prove%20that%2C%20if%20we%20check%20Function%20App%E2%80%99s%20App%20Insight%2C%20we%20can%20see%20the%20Geo%20Location%20columns%20are%20correctly%20displayed.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F347232i1143D0774134D054%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22Yixuan_Wang_3-1644559103675.png%22%20alt%3D%22%5C%26quot%3BYixuan_Wang_3-1644559103675.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EHowever%2C%20on%20APIM%20side%2C%20we%20find%20that%20APIM%20is%20not%20using%20this%20approach%20to%20handle%20client%20IP%20field.%20%3CSTRONG%3EAPIM%20will%20send%20incoming%20resource%E2%80%99s%20IP%20as%20client%20IP%20to%20App%20Insight%26lt%3B%5C%2FSTRONG%26gt%3B.%20This%20is%20a%20%3CSTRONG%3Eknown%20issue%26lt%3B%5C%2FSTRONG%26gt%3B%20and%20we%20have%20confirmed%20with%20the%20corresponding%20product%20team.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSTRONG%3E%26nbsp%3B%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B5%5C%26quot%3B%22%20color%3D%22%5C%26quot%3B%231460AA%5C%26quot%3B%22%3E%3CSTRONG%3EWorkaround%3A%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3COL%3E%5Cn%3CLI%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EEnable%20Azure%20Monitor%20log%20in%20Application%20Gateway%20side%26nbsp%3Band%20get%20client%20IP%20from%20there.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FLI%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FLI%3E%3CLI%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EManually%20log%20the%20%E2%80%9CX-Forwarded-For%E2%80%9D%20header%20in%20APIM%20Application%20Insights.%26nbsp%3BThen%20manually%20resolve%20to%20Geo%20Location%20info.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FLI%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FLI%3E%3CLI%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EResolve%20the%20geo%20location%20from%20X-Forwarded-For%20header%20in%20policy%2C%20then%20use%20%3CTRACE%3E%20policy%20to%20log%20to%20AI.%20%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-advanced-policies%2523Trace%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-advanced-policies%23Trace%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FLI%26gt%3B%5Cn%26lt%3B%5C%2FOL%26gt%3B%5Cn%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B5%5C%26quot%3B%22%20color%3D%22%5C%26quot%3B%231460AA%5C%26quot%3B%22%3E%3CSTRONG%3EIf%20App%20Insight%20is%20showing%20Client%20IP%20as%200.0.0.0%3A%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EThe%20default%20behavior%20for%20App%20Insight%20is%20to%20mask%20the%20IP%20field%20and%20display%20it%20as%200.0.0.0.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EWe%20need%20to%20follow%20this%20documentation%20and%20set%20the%20%E2%80%98DisableIpMasking%E2%80%99%20property%20to%20true.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FA%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fapp%2Fip-collection%3Ftabs%3Dnet%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3EAzure%20Application%20Insights%20IP%20address%20collection%20-%20Azure%20Monitor%20%7C%20Microsoft%20Docs%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3CP%3E%3CSTRONG%3E%26nbsp%3B%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B5%5C%26quot%3B%22%20color%3D%22%5C%26quot%3B%231460AA%5C%26quot%3B%22%3E%3CSTRONG%3EConclusion%3A%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%22%5C%26quot%3B4%5C%26quot%3B%22%3EHope%20this%20blog%20helps%20you%20understand%20why%20we%20are%20not%20able%20to%20view%20client%20IP%20geo%20locations%20from%20App%20Insight.%20This%20is%20a%20known%20issue%2C%20and%20the%20APIM%20product%20team%20already%20has%20a%20work%20item%20to%20discuss%20the%20possibility%20to%20modify%20this.%20For%20now%2C%20we%20can%20use%20the%20above%20workarounds%20I%20mentioned%20above.%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FP%26gt%3B%26lt%3B%5C%2Flingo-body%26gt%3B%3CLINGO-TEASER%20id%3D%22%5C%26quot%3Blingo-teaser-3152990%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3E%3C%2FLINGO-TEASER%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3EAPIM%E2%80%99s%20App%20Insight%20cannot%20resolve%20correct%20Client%20IP%20Geo%20location.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EAs%20we%20can%20see%20in%20the%20screenshot%2C%20the%20client%20IP%20column%20here%20is%20App%20Gateway%E2%80%99s%20private%20IP%20instead%20of%20end%20users%E2%80%99%20actual%20client%20public%20IP.%20App%20Insight%20cannot%20use%20this%20private%20IP%20to%20resolve%20a%20correct%20Geo%20Location%2C%20hence%20the%20columns%20are%20empty.%26lt%3B%5C%2FP%26gt%3B%26lt%3B%5C%2Flingo-teaser%26gt%3B%3C%2FP%3E%3C%2FA%3E%3C%2FTRACE%3E%3C%2FFONT%3E%3C%2FLI%3E%3C%2FOL%3E%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FFONT%3E%3C%2FLI%3E%3C%2FUL%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FFONT%3E%3C%2FLI%3E%3C%2FUL%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3C%2FLINGO-SUB%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3152990%22%20slang%3D%22en-US%22%3EUnderstand%20why%20App%20Insight%20cannot%20resolve%20internal%20API%20Management%E2%80%99s%20request%20client%20IP%20Geo%20Location%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3152990%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EUnderstand%20why%20App%20Insight%20cannot%20resolve%20internal%20API%20Management%E2%80%99s%20request%20client%20IP%20Geo%20Location%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%20color%3D%22%231460AA%22%3E%3CSTRONG%3EPrerequisites%3A%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3ETo%20fully%20utilize%20this%20blog%2C%20we%20should%20have%20a%20basic%20understanding%20of%3C%2FFONT%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CFONT%20size%3D%224%22%3EHow%20App%20Gateway%20is%20integrated%20with%20internal%20mode%20API%20management.%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%224%22%3EHow%20to%20check%20the%20log%20that%20is%20stored%20in%20App%20Insight.%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%224%22%3EHow%20to%20get%20API%20management%20request%20trace%20(ocp-apim-trace)%3C%2FFONT%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%20color%3D%22%231460AA%22%3E%3CSTRONG%3ESetup%3A%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Yixuan_Wang_0-1644559103646.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F347229iDEF7900A64DC104E%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Yixuan_Wang_0-1644559103646.png%22%20alt%3D%22Yixuan_Wang_0-1644559103646.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3EWe%20have%20all%20the%20resources%20drew%20in%20the%20above%20diagram.%3C%2FFONT%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CFONT%20size%3D%224%22%3EAPI%20Management%20is%20configured%20to%20internal%20V-Net%20Mode.%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%224%22%3EApp%20Gateway%20and%20API%20Management%20are%20in%20the%20same%20V-Net.%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%224%22%3EApp%20Gateway%20uses%20private%20IP%20to%20connect%20API%20management.%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%224%22%3EBoth%20API%20management%20and%20Function%20App%20have%20an%20App%20Insight%20to%20log%20down%20requests%E2%80%99%20information.%3C%2FFONT%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%20color%3D%22%231460AA%22%3E%3CSTRONG%3EProblem%3C%2FSTRONG%3E%3A%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3EAPIM%E2%80%99s%20App%20Insight%20cannot%20resolve%20correct%20Client%20IP%20Geo%20location.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Yixuan_Wang_1-1644559103657.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F347231i05CEB738CBD30D94%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Yixuan_Wang_1-1644559103657.png%22%20alt%3D%22Yixuan_Wang_1-1644559103657.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3EAs%20we%20can%20see%20in%20the%20screenshot%2C%20the%20client%20IP%20column%20here%20is%20App%20Gateway%E2%80%99s%20private%20IP%20instead%20of%20end%20users%E2%80%99%20actual%20client%20public%20IP.%20App%20Insight%20cannot%20use%20this%20private%20IP%20to%20resolve%20a%20correct%20Geo%20Location%2C%20hence%20the%20columns%20are%20empty.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%20color%3D%22%231460AA%22%3E%3CSTRONG%3EExplanation%3A%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3EApp%20Insight%20logs%20down%20the%20information%20sent%20by%20the%20data%20source.%20Different%20data%20sources%20treat%20client%20IP%20field%20in%20different%20approaches.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3EResources%20like%20Function%20App%20for%20example%2C%20extracts%20the%20end%20users%E2%80%99%20IP%20addresses%20from%20the%20%E2%80%98%3CSTRONG%3EX-Forwarded-For%3C%2FSTRONG%3E%E2%80%99%20request%20header.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3EIf%20we%20test%20the%20request%20and%20check%20the%20APIM%20trace%2C%20we%20will%20see%20when%20APIM%20forwards%20the%20request%20to%20Function%20App%2C%20there%20are%20two%20IP%20addresses%20in%20the%20%E2%80%98%3CSTRONG%3EX-Forwarded-For%E2%80%99%3C%2FSTRONG%3E%20header%2C%20and%20the%20first%20one%20is%20the%20actual%20end%20user%E2%80%99s%20public%20IP.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Yixuan_Wang_2-1644559103667.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F347230i3CD77EFD7B7062E0%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Yixuan_Wang_2-1644559103667.png%22%20alt%3D%22Yixuan_Wang_2-1644559103667.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3EFunction%20App%20will%20extract%20this%20IP%20and%20send%20this%20to%20App%20Insight.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3ETo%20prove%20that%2C%20if%20we%20check%20Function%20App%E2%80%99s%20App%20Insight%2C%20we%20can%20see%20the%20Geo%20Location%20columns%20are%20correctly%20displayed.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Yixuan_Wang_3-1644559103675.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F347232i1143D0774134D054%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Yixuan_Wang_3-1644559103675.png%22%20alt%3D%22Yixuan_Wang_3-1644559103675.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3EHowever%2C%20on%20APIM%20side%2C%20we%20find%20that%20APIM%20is%20not%20using%20this%20approach%20to%20handle%20client%20IP%20field.%20%3CSTRONG%3EAPIM%20will%20send%20incoming%20resource%E2%80%99s%20IP%20as%20client%20IP%20to%20App%20Insight%3C%2FSTRONG%3E.%20This%20is%20a%20%3CSTRONG%3Eknown%20issue%3C%2FSTRONG%3E%20and%20we%20have%20confirmed%20with%20the%20corresponding%20product%20team.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%20color%3D%22%231460AA%22%3E%3CSTRONG%3EWorkaround%3A%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CFONT%20size%3D%224%22%3EEnable%20Azure%20Monitor%20log%20in%20Application%20Gateway%20side%26nbsp%3Band%20get%20client%20IP%20from%20there.%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%224%22%3EManually%20log%20the%20%E2%80%9CX-Forwarded-For%E2%80%9D%20header%20in%20APIM%20Application%20Insights.%26nbsp%3BThen%20manually%20resolve%20to%20Geo%20Location%20info.%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20size%3D%224%22%3EResolve%20the%20geo%20location%20from%20X-Forwarded-For%20header%20in%20policy%2C%20then%20use%20%3CTRACE%3E%20policy%20to%20log%20to%20AI.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-advanced-policies%2523Trace%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fapi-management%2Fapi-management-advanced-policies%23Trace%3C%2FA%3E%3C%2FTRACE%3E%3C%2FFONT%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%20color%3D%22%231460AA%22%3E%3CSTRONG%3EIf%20App%20Insight%20is%20showing%20Client%20IP%20as%200.0.0.0%3A%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3EThe%20default%20behavior%20for%20App%20Insight%20is%20to%20mask%20the%20IP%20field%20and%20display%20it%20as%200.0.0.0.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3EWe%20need%20to%20follow%20this%20documentation%20and%20set%20the%20%E2%80%98DisableIpMasking%E2%80%99%20property%20to%20true.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fapp%2Fip-collection%3Ftabs%3Dnet%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Application%20Insights%20IP%20address%20collection%20-%20Azure%20Monitor%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%20color%3D%22%231460AA%22%3E%3CSTRONG%3EConclusion%3A%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3EHope%20this%20blog%20helps%20you%20understand%20why%20we%20are%20not%20able%20to%20view%20client%20IP%20geo%20locations%20from%20App%20Insight.%20This%20is%20a%20known%20issue%2C%20and%20the%20APIM%20product%20team%20already%20has%20a%20work%20item%20to%20discuss%20the%20possibility%20to%20modify%20this.%20For%20now%2C%20we%20can%20use%20the%20above%20workarounds%20I%20mentioned%20above.%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-3152990%22%20slang%3D%22en-US%22%3E%3CP%3EAPIM%E2%80%99s%20App%20Insight%20cannot%20resolve%20correct%20Client%20IP%20Geo%20location.%3C%2FP%3E%0A%3CP%3EAs%20we%20can%20see%20in%20the%20screenshot%2C%20the%20client%20IP%20column%20here%20is%20App%20Gateway%E2%80%99s%20private%20IP%20instead%20of%20end%20users%E2%80%99%20actual%20client%20public%20IP.%20App%20Insight%20cannot%20use%20this%20private%20IP%20to%20resolve%20a%20correct%20Geo%20Location%2C%20hence%20the%20columns%20are%20empty.%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Co-Authors
Version history
Last update:
‎Feb 10 2022 10:02 PM
Updated by: