Understand why App Insight cannot resolve internal API Management’s request client IP Geo Location
To fully utilize this blog, we should have a basic understanding of
- How App Gateway is integrated with internal mode API management.
- How to check the log that is stored in App Insight.
- How to get API management request trace (ocp-apim-trace)
We have all the resources drew in the above diagram.
- API Management is configured to internal V-Net Mode.
- App Gateway and API Management are in the same V-Net.
- App Gateway uses private IP to connect API management.
- Both API management and Function App have an App Insight to log down requests’ information.
APIM’s App Insight cannot resolve correct Client IP Geo location.
As we can see in the screenshot, the client IP column here is App Gateway’s private IP instead of end users’ actual client public IP. App Insight cannot use this private IP to resolve a correct Geo Location, hence the columns are empty.
App Insight logs down the information sent by the data source. Different data sources treat client IP field in different approaches.
Resources like Function App for example, extracts the end users’ IP addresses from the ‘X-Forwarded-For’ request header.
If we test the request and check the APIM trace, we will see when APIM forwards the request to Function App, there are two IP addresses in the ‘X-Forwarded-For’ header, and the first one is the actual end user’s public IP.
Function App will extract this IP and send this to App Insight.
To prove that, if we check Function App’s App Insight, we can see the Geo Location columns are correctly displayed.
However, on APIM side, we find that APIM is not using this approach to handle client IP field. APIM will send incoming resource’s IP as client IP to App Insight. This is a known issue and we have confirmed with the corresponding product team.
- Enable Azure Monitor log in Application Gateway side and get client IP from there.
- Manually log the “X-Forwarded-For” header in APIM Application Insights. Then manually resolve to Geo Location info.
- Resolve the geo location from X-Forwarded-For header in policy, then use <Trace> policy to log to AI. https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#Trace
If App Insight is showing Client IP as 0.0.0.0:
The default behavior for App Insight is to mask the IP field and display it as 0.0.0.0.
We need to follow this documentation and set the ‘DisableIpMasking’ property to true.
Azure Application Insights IP address collection - Azure Monitor | Microsoft Docs
Hope this blog helps you understand why we are not able to view client IP geo locations from App Insight. This is a known issue, and the APIM product team already has a work item to discuss the possibility to modify this. For now, we can use the above workarounds I mentioned above.