| author | dlepow |
|---|---|
| ms.service | azure-api-management |
| ms.topic | include |
| ms.date | 01/28/2026 |
| ms.author | danlep |
| ms.custom | |
Starting January 2026, Azure API Management needs inbound access on port 80 to specific DigiCert IP addresses to renew (rotate) your managed certificate.
If your API Management instance restricts incoming IP addresses, we recommend that you remove or modify existing IP restrictions by using one of the following methods based on your deployment architecture.
> [!NOTE]
> Any time you make changes to policy configurations, network security groups, or firewall rules, it's recommended to test access to your APIs to confirm the restrictions have been removed as intended.
If you implemented IP address restrictions by using built-in policies such as ip-filter:
- Sign in to the Azure portal and go to your API Management instance.
- Under APIs, select the API where the policy applies (or All APIs for a global change).
- On the Design tab, in Inbound processing, select the code editor (</>) icon.
- Locate the IP restriction policy statement.
- Do one of the following:
  - Delete the entire XML snippet to remove the restriction completely.
  - Edit the elements to include or remove specific IP addresses or ranges as needed. We recommend that you add the DigiCert IP addresses to the allow list.
- Select Save to apply changes immediately to the gateway.
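The same change as an added Bicep example (not from the Azure documentation): a global policy that keeps an existing client allow list and adds the DigiCert sources. The service name and both address ranges are placeholder assumptions; substitute the DigiCert IP addresses published for managed-certificate renewal.

```bicep
// Added example, not from the Azure docs: global API Management policy that keeps an
// existing client allow list and also admits the DigiCert validation sources.
// 'contoso-apim' and both address ranges are placeholders; substitute the DigiCert
// IP addresses published for managed-certificate renewal.
resource apim 'Microsoft.ApiManagement/service@2022-08-01' existing = {
  name: 'contoso-apim'
}

// The XML between the triple quotes is what you would paste into the portal's
// policy code editor at the "All APIs" scope.
resource globalPolicy 'Microsoft.ApiManagement/service/policies@2022-08-01' = {
  parent: apim
  name: 'policy'
  properties: {
    format: 'rawxml'
    value: '''
<policies>
  <inbound>
    <!-- action="allow" rejects every source that is not listed, so the certificate
         validator must appear here or the renewal request on port 80 is blocked. -->
    <ip-filter action="allow">
      <address-range from="198.51.100.0" to="198.51.100.255" />  <!-- corporate egress (placeholder) -->
      <address-range from="203.0.113.0" to="203.0.113.255" />    <!-- DigiCert range (placeholder) -->
    </ip-filter>
  </inbound>
  <backend>
    <forward-request />
  </backend>
  <outbound />
  <on-error />
</policies>
'''
  }
}
```

Deleting the whole `<ip-filter>` element instead removes the restriction for every caller, so adding the ranges is the narrower change.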
If you deploy your API Management instance in a virtual network in external mode, inbound IP restrictions are typically managed using network security group rules on the subnet.
To modify the network security group that you configured on the subnet:
- In the Azure portal, go to Network security groups.
- Select the network security group associated with your API Management subnet.
- Under Settings > Inbound security rules, locate rules that are enforcing the IP restriction (for example, rules with a specific source IP range or service tag that you want to remove or broaden).
- Do one of the following:
  - Delete the restrictive rule: Select the rule and choose the Delete option.
  - Edit the rule: Change Source to IP Addresses and add the DigiCert IP addresses to the allow list on port 80.
- Select Save.
If your API Management instance is deployed in a virtual network in internal mode and is connected with Azure Application Gateway, Azure Front Door, or Azure Traffic Manager, then you need to implement the following architecture:
Azure Front Door / Traffic Manager → Application Gateway → API Management (internal virtual network)
Both the Application Gateway and API Management instances must be injected in the same virtual network. Learn more about integrating Application Gateway with API Management.
Step 1: Configure Application Gateway in front of API Management and allow DigiCert IP addresses in network security group
- In the Azure portal, go to Network security groups and select the network security group for your API Management subnet.
- Under Settings > Inbound security rules, locate rules that are enforcing the IP restriction (for example, rules with a specific source IP range or service tag that you want to remove or broaden).
- Do one of the following:
  - Delete the restrictive rule: Select the rule and choose the Delete option.
  - Edit the rule: Change Source to IP Addresses and add the DigiCert IP addresses to the allow list on port 80.
- Select Save.
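The network security group change from these steps (the same procedure applies to an external-mode deployment) as an added Bicep example, not from the Azure documentation. The NSG name, rule names, priorities and address prefixes are placeholder assumptions; a separate rule is added rather than broadening the existing one so that only port 80 is opened to the new sources.

```bicep
// Added example, not from the Azure docs: NSG rules that open port 80 inbound for the
// DigiCert validator without widening the existing client restriction.
// 'apim-nsg', the rule names, priorities and 203.0.113.0/24 are placeholders; replace the
// source prefixes with the DigiCert IP addresses published for managed-certificate renewal.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' existing = {
  name: 'apim-nsg'
}

// Existing restrictive rule, kept as-is: only the corporate range reaches the gateway on 443.
resource allowCorp 'Microsoft.Network/networkSecurityGroups/securityRules@2023-11-01' = {
  parent: nsg
  name: 'Allow-Corp-Https-Inbound'
  properties: {
    priority: 100
    direction: 'Inbound'
    access: 'Allow'
    protocol: 'Tcp'
    sourceAddressPrefix: '198.51.100.0/24'   // corporate egress (placeholder)
    sourcePortRange: '*'
    destinationAddressPrefix: 'VirtualNetwork'
    destinationPortRange: '443'
  }
}

// New rule: DigiCert sources only, port 80 only. Its priority number must be lower than
// any Deny rule that matches the same traffic, otherwise the Deny rule wins and the
// renewal request never reaches the gateway.
resource allowDigiCert 'Microsoft.Network/networkSecurityGroups/securityRules@2023-11-01' = {
  parent: nsg
  name: 'Allow-DigiCert-Http-Inbound'
  properties: {
    priority: 110
    direction: 'Inbound'
    access: 'Allow'
    protocol: 'Tcp'
    sourceAddressPrefixes: [
      '203.0.113.0/24'   // DigiCert range (placeholder)
    ]
    sourcePortRange: '*'
    destinationAddressPrefix: 'VirtualNetwork'
    destinationPortRange: '80'
  }
}
```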
Step 2: Preserve target custom domain/hostname from the traffic manager through to the API Management instance
Do one or more of the following based on your deployment:
- Configure Azure Front Door to preserve the host header (forward the original host header).
  - Azure Front Door (classic): Set Backend host header to the API Management hostname (not the Application Gateway FQDN), or select Preserve the incoming host header when using custom domains.
  - Azure Front Door Standard/Premium: In Route > Origin > Origin settings, enable Forward Host Header and select Original host header.
- Configure Application Gateway to preserve the host header. In HTTP settings, do one of the following to ensure that Application Gateway acts as a reverse proxy without rewriting the host header:
  - Set Override host name to No.
  - If you use hostname override, set Pick hostname from incoming request (recommended).
- Ensure API Management has a matching custom domain. API Management in internal virtual network mode still requires the incoming hostname to match an API Management custom domain you configured.
For example:
| Layer | Host header |
|---|---|
| Client → Azure Front Door | api.contoso.com |
| Azure Front Door → Application Gateway | api.contoso.com |
| Application Gateway → API Management | api.contoso.com |

API Management rejects requests if the incoming hostname doesn't match a configured custom domain.
> [!IMPORTANT]
> If you configured a free, managed certificate on Azure Front Door on the same domain api.contoso.com, then you can't use the free, managed certificate feature of API Management. Instead, we recommend bringing your own certificate and uploading it to API Management for the custom domain.
If an Azure Firewall protects your API Management instance, modify the firewall's network rules to allow inbound access from DigiCert IP addresses on port 80:
- Go to your Azure Firewall instance.
- Under Settings > Rules (or Network rules), locate the rule collection and the specific rule that restricts inbound access to the API Management instance.
- Edit or delete the rule to add the DigiCert IP addresses to the allow list on port 80.
- Select Save and test API access.