Commit cc71024

Merge pull request #310900 from dlepow/certip
[APIM] Incoming IP address requirements for managed cert
2 parents 47bbe55 + bc75993 commit cc71024

4 files changed

Lines changed: 142 additions & 14 deletions

articles/api-management/breaking-changes/managed-certificates-suspension-august-2025.md

Lines changed: 13 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -6,31 +6,40 @@ author: dlepow
66
ms.service: azure-api-management
77
ms.topic: reference
88
ai-usage: ai-assisted
9-
ms.date: 07/18/2025
9+
ms.date: 01/26/2026
1010
ms.author: danlep
1111
---
1212

1313
# Creation of managed certificates temporarily suspended for custom domains (August 2025 - March 2026)
1414

1515
[!INCLUDE [premium-dev-standard-basic.md](../../../includes/api-management-availability-premium-dev-standard-basic.md)]
1616

17-
Creation of Azure-managed certificates for custom domains in API Management will be temporarily turned off from August 15, 2025 to March 15, 2026. Existing managed certificates will be autorenewed and remain unaffected.
17+
Creation of Azure-managed certificates for custom domains in API Management will be temporarily turned off from August 15, 2025 to March 15, 2026. Existing managed certificates will be autorenewed as long as your API Management service allows inbound traffic from DigiCert IP addresses on port 80 and DNS is properly configured.
1818

1919
In the classic service tiers, Azure API Management offers [free, managed TLS certificates for custom domains](../configure-custom-domain.md#domain-certificate-options) (preview), allowing customers to secure their endpoints without purchasing and managing their own certificates. Because of an industry-wide deprecation of CNAME-based Domain Control Validation (DCV), our Certificate Authority (CA), DigiCert, is moving to a new open-source software (OSS) domain control validation (DCV) platform that provides transparency and accountability increasing the trustworthiness of domain validation. As part of this transition, DigiCert will deprecate support for the legacy CNAME Delegation DCV workflow. This migration requires us to temporarily suspend the creation of managed certificates for custom domains.
2020

2121
Note that this does not impact the standard CNAME DCV workflow (where DigiCert validates a random value in the CNAME record) which is still supported in the OSS validation system. This change affects several Azure services that currently rely on the soon-to-be deprecated CNAME for automated certificate issuance and renewal.
2222

2323
## Is my service affected by this?
2424

25-
You're affected if you plan to create new managed certificates for custom domains in Azure API Management between August 15, 2025 and March 15, 2026. Existing managed certificates will be autorenewed before August 15, 2025 and will continue to function normally. There's no impact to existing managed certificates or custom domains already using them.
25+
You're affected if you plan to create new managed certificates for custom domains in Azure API Management between August 15, 2025 and March 15, 2026.
26+
27+
As part of this change, starting January 2026, for Azure API Management to be able to renew (rotate) your existing managed certificate, inbound access is required on port 80 to allow [specific DigiCert IP addresses](https://knowledge.digicert.com/alerts/ip-address-domain-validation?utm_medium=organic&utm_source=docs-digicert&referrer=https://docs.digicert.com/en/certcentral/manage-certificates/domain-control-validation-methods/automatic-domain-control-validation-check.html).
2628

2729
## What is the deadline for the change?
2830

2931
The suspension of managed certificates for custom domains will be enforced from August 15, 2025 to March 15, 2026. The capability to create managed certificates will resume after the migration to the new validation platform is complete.
3032

3133
## What do I need to do?
3234

33-
No action is required if you already have managed certificates for your custom domains. If you need to add new managed certificates, plan to do so before August 15, 2025 or after March 15, 2026. During the suspension period, you can still configure custom domains with certificates you manage from other sources.
35+
If you need to add new managed certificates, plan to do so before August 15, 2025 or after March 15, 2026. During the suspension period, you can still configure custom domains with certificates you manage from other sources.
36+
37+
If you already have managed certificates for your custom domains, do the following to ensure continued access:
38+
39+
- Ensure that your API Management service allows [inbound traffic from DigiCert IP addresses on port 80](#allow-access-to-digicert-ip-addresses). This access is now required for the certificate autorenewal process.
40+
41+
42+
[!INCLUDE [api-management-managed-certificate-ip-access.md](../../../includes/api-management-managed-certificate-ip-access.md)]
3443

3544
## Help and support
3645

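Review bot: the new list under "What do I need to do?" has a single bullet ("Ensure that your API Management service allows inbound traffic from DigiCert IP addresses on port 80") but is introduced with "do the following", which reads as if further steps were planned; either fold the sentence into the preceding paragraph or add the DNS prerequisite as a second bullet, since the rewritten summary sentence ("autorenewed as long as ... DNS is properly configured") names a condition that otherwise appears nowhere in the action list. Consider also stripping the `utm_medium`, `utm_source` and `referrer` query parameters from the DigiCert knowledge-base link (the same URL recurs in the new include); the bare URL is enough and keeps tracking parameters out of the docs. Minor: `ms.date: 01/26/2026` is earlier than the dates in the two new includes (01/28/2026 and 01/29/2026), so it probably needs a bump.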
articles/api-management/configure-custom-domain.md

Lines changed: 13 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -115,7 +115,7 @@ API Management offers a free, managed TLS certificate for your domain, if you do
115115
> [!NOTE]
116116
> The free, managed TLS certificate is in preview.
117117
118-
#### Limitations
118+
### Limitations
119119

120120
* Currently can be used only with the Gateway endpoint of your API Management service
121121
* Not supported in the v2 tiers
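Review bot: promoting "Limitations" from H4 to H3 changes its position in the outline; confirm the parent heading of the managed-certificate section is an H2 so no level is skipped, and note that the include added below opens with its own H3 ("Allow access to DigiCert IP addresses"), so that content will render as a sibling of Limitations rather than as part of it.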
@@ -126,7 +126,7 @@ API Management offers a free, managed TLS certificate for your domain, if you do
126126
* Supports only public domain names
127127
* Can only be configured when updating an existing API Management instance, not when creating an instance
128128

129-
129+
[!INCLUDE [api-management-managed-certificate-ip-access.md](../../includes/api-management-managed-certificate-ip-access.md)]
130130

131131
---
132132
## Set a custom domain name - portal
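Review bot: the include dropped in after the Limitations list is a multi-section how-to (five H3 headings covering policies, network security groups, internal virtual network architecture and Azure Firewall), which is heavy for a limitations context; a single bullet in the list ("Renewal requires inbound access on port 80 from DigiCert IP addresses") that links to the detailed steps would keep this section scannable, with the full include living in the breaking-changes article where it is also referenced.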
@@ -185,18 +185,19 @@ Choose the steps according to the [domain certificate](#domain-certificate-optio
185185

186186
## DNS configuration
187187

188-
* Configure a CNAME record for your custom domain.
189-
* When using API Management's free, managed certificate, also configure a TXT record to establish your ownership of the domain.
188+
Configure your DNS provider to map your custom domain name to the default domain name of your API Management instance.
190189

191-
> [!NOTE]
192-
> The free certificate is issued by DigiCert. For some domains, you must explicitly allow DigiCert as a certificate issuer by creating a [CAA domain record](https://wikipedia.org/wiki/DNS_Certification_Authority_Authorization) with the value: `0 issue digicert.com`.
190+
# [Custom](#tab/custom)
193191

194-
### CNAME record
192+
[!INCLUDE [api-management-custom-domain-dns-configuration.md](../../includes/api-management-custom-domain-dns-configuration.md)]
195193

196-
Configure a CNAME record that points from your custom domain name (for example, `api.contoso.com`) to your API Management service hostname (for example, `<apim-service-name>.azure-api.net`). A CNAME record is more stable than an A-record in case the IP address changes. For more information, see [IP addresses of Azure API Management](api-management-howto-ip-addresses.md#changes-to-ip-addresses) and the [API Management FAQ](./api-management-faq.yml#how-can-i-secure-the-connection-between-the-api-management-gateway-and-my-backend-services-).
194+
# [Key Vault](#tab/key-vault)
197195

198-
> [!NOTE]
199-
> Some domain registrars only allow you to map subdomains when using a CNAME record, such as `www.contoso.com`, and not root names, such as `contoso.com`. For more information on CNAME records, see the documentation provided by your registrar or [IETF Domain Names - Implementation and Specification](https://tools.ietf.org/html/rfc1035).
196+
[!INCLUDE [api-management-custom-domain-dns-configuration.md](../../includes/api-management-custom-domain-dns-configuration.md)]
197+
198+
# [Managed](#tab/managed)
199+
200+
[!INCLUDE [api-management-custom-domain-dns-configuration.md](../../includes/api-management-custom-domain-dns-configuration.md)]
200201

201202
> [!CAUTION]
202203
> When you use the free, managed certificate and configure a CNAME record with your DNS provider, make sure that it resolves to the default API Management service hostname (`<apim-service-name>.azure-api.net`). Currently, API Management doesn't automatically renew the certificate if the CNAME record doesn't resolve to the default API Management hostname. For example, if you're using the free, managed certificate and you use Cloudflare as your DNS provider, make sure that DNS proxy isn't enabled on the CNAME record.
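Review bot: the removed NOTE about the CAA record (`0 issue digicert.com`) and the removed bullet about configuring a TXT record to establish domain ownership for the free, managed certificate are not carried over into the new tabs: Custom, Key Vault and Managed all pull in the same api-management-custom-domain-dns-configuration.md include, which covers only the CNAME record (see the new include file below). The Managed tab should keep the CAA guidance and the TXT-record step, otherwise the tab group adds nothing over a single untabbed section and readers lose the CAA requirement that the old text called out. Keeping the CAUTION block inside the Managed tab is correct, since it applies only to the managed certificate.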
@@ -212,6 +213,8 @@ When you use the portal to configure the free, managed certificate for your cust
212213

213214
You can also get a domain ownership identifier by calling the [Get Domain Ownership Identifier](/rest/api/apimanagement/current-ga/api-management-service/get-domain-ownership-identifier) REST API.
214215

216+
---
217+
215218
[!INCLUDE [api-management-custom-domain](../../includes/api-management-custom-domain.md)]
216219

217220
[!INCLUDE [api-management-standard-v2-limitation](../../includes/api-management-standard-v2-limitation.md)]
Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
---
2+
author: dlepow
3+
ms.service: azure-api-management
4+
ms.topic: include
5+
ms.date: 01/29/2026
6+
ms.author: danlep
7+
ms.custom:
8+
---
9+
### CNAME record
10+
11+
Configure a CNAME record that points from your custom domain name (for example, `api.contoso.com`) to your API Management service hostname (for example, `yourapim-service-name.azure-api.net`). A CNAME record is more stable than an A record in case the IP address changes. For more information, see [IP addresses of Azure API Management](../articles/api-management/api-management-howto-ip-addresses.md#changes-to-ip-addresses) and the [API Management FAQ](../articles/api-management/api-management-faq.yml#how-can-i-secure-the-connection-between-the-api-management-gateway-and-my-backend-services-).
12+
13+
> [!NOTE]
14+
> Some domain registrars only allow you to map subdomains when using a CNAME record, such as `www.contoso.com`, and not root names, such as `contoso.com`. For more information on CNAME records, see the documentation provided by your registrar or [IETF Domain Names - Implementation and Specification](https://tools.ietf.org/html/rfc1035).
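Review bot: the hostname placeholder `yourapim-service-name.azure-api.net` differs from the `<apim-service-name>.azure-api.net` form used in the CAUTION block this include now sits next to and in the text it replaces; pick one placeholder style (the angle-bracket form is clearer as a value the reader must substitute). The `ms.custom:` key in the front matter is empty and can be dropped.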
Lines changed: 102 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,102 @@
1+
---
2+
author: dlepow
3+
ms.service: azure-api-management
4+
ms.topic: include
5+
ms.date: 01/28/2026
6+
ms.author: danlep
7+
ms.custom:
8+
---
9+
10+
### Allow access to DigiCert IP addresses
11+
12+
Starting January 2026, Azure API Management needs inbound access on port 80 to [specific DigiCert IP addresses](https://knowledge.digicert.com/alerts/ip-address-domain-validation?utm_medium=organic&utm_source=docs-digicert&referrer=https://docs.digicert.com/en/certcentral/manage-certificates/domain-control-validation-methods/automatic-domain-control-validation-check.html) to renew (rotate) your managed certificate.
13+
14+
If your API Management instance restricts incoming IP addresses, we recommend that you remove or modify existing IP restrictions by using one of the following methods based on your deployment architecture.
15+
16+
> [!NOTE]
17+
> Any time you make changes to policy configurations, network security groups, or firewall rules, it's recommended to test access to your APIs to confirm the restrictions have been removed as intended.
18+
19+
### Remove or edit IP filter policies in API Management
20+
21+
If you implemented IP address restrictions by using built-in policies such as [ip-filter](../articles/api-management/ip-filter-policy.md):
22+
23+
1. Sign in to the Azure portal and go to your API Management instance.
24+
1. Under **APIs**, select the API where the policy applies (or **All APIs** for a global change).
25+
1. On the **Design** tab, in **Inbound processing**, select the code editor (`</>`) icon.
26+
1. Locate the IP restriction policy statement.
27+
1. Do one of the following:
28+
- Delete the entire XML snippet to remove the restriction completely.
29+
- Edit the elements to include or remove specific IP addresses or ranges as needed. We recommend that you add the DigiCert IP addresses to the allow list.
30+
1. Select **Save** to apply changes immediately to the gateway.
31+
32+
### Modify network security group rules (external virtual network deployment)
33+
34+
If you deploy your API Management instance in a [virtual network in external mode](../articles/api-management/api-management-using-with-vnet.md), inbound IP restrictions are typically managed using network security group rules on the subnet.
35+
36+
To modify the network security group that you configured on the subnet:
37+
38+
1. In the Azure portal, go to **Network security groups**.
39+
1. Select the network security group associated with your API Management subnet.
40+
1. Under **Settings** > **Inbound security rules**, locate rules that are enforcing the IP restriction (for example, rules with a specific source IP range or service tag that you want to remove or broaden).
41+
1. Do one of the following:
42+
- **Delete** the restrictive rule: Select the rule and choose the **Delete** option.
43+
- **Edit the rule**: Change **Source** to **IP Addresses** and add the DigiCert IP addresses to the allow list on port 80.
44+
1. Select **Save**.
45+
46+
### Internal virtual network deployment
47+
48+
If your API Management instance is deployed in a [virtual network in internal mode](../articles/api-management/api-management-using-with-internal-vnet.md) and is connected with Azure Application Gateway, Azure Front Door, or Azure Traffic Manager, then you need to implement the following architecture:
49+
50+
Azure Front Door / Traffic Manager → Application Gateway → API Management (internal virtual network)
51+
52+
Both the Application Gateway and API Management instances must be injected in the same virtual network. [Learn more about integrating Application Gateway with API Management](../articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md).
53+
54+
**Step 1: Configure Application Gateway in front of API Management and allow DigiCert IP addresses in network security group**
55+
56+
1. In the Azure portal, go to **Network security groups** and select the network security group for your API Management subnet.
57+
1. Under **Settings** > **Inbound security rules**, locate rules that are enforcing the IP restriction (for example, rules with a specific source IP range or service tag that you want to remove or broaden).
58+
1. Do one of the following:
59+
- **Delete** the restrictive rule: Select the rule and choose the **Delete** option.
60+
- **Edit the rule**: Change **Source** to **IP Addresses** and add the DigiCert IP addresses to the allow list on port 80.
61+
1. Select **Save**.
62+
63+
**Step 2: Preserve target custom domain/hostname from the traffic manager through to the API Management instance**
64+
65+
Do one or more of the following based on your deployment:
66+
67+
- Configure Azure Front Door to preserve the host header (forward the original host header).
68+
- **Azure Front Door (classic):** Set **Backend host header** to the API Management hostname (not the Application Gateway FQDN), or select **Preserve the incoming host header** when using custom domains.
69+
- **Azure Front Door Standard/Premium:** In **Route > Origin > Origin settings**, enable **Forward Host Header** and select **Original host header**.
70+
71+
- Configure Application Gateway to preserve the host header.
72+
73+
In **HTTP settings**, do one of the following to ensure that Application Gateway acts as a reverse proxy without rewriting the host header:
74+
75+
- Set **Override host name** to **No**.
76+
- If you use hostname override, set **Pick hostname from incoming request** (recommended).
77+
78+
- Ensure API Management has a matching custom domain.
79+
80+
API Management in internal virtual network mode still requires the incoming hostname to match an API Management custom domain you configured.
81+
82+
For example:
83+
84+
| Layer | Host header |
85+
|-------|-------------|
86+
| Client → Azure Front Door | `api.contoso.com` |
87+
| Azure Front Door → Application Gateway | `api.contoso.com` |
88+
| Application Gateway → API Management | `api.contoso.com` |
89+
90+
API Management rejects requests if the incoming hostname doesn't match a configured custom domain.
91+
92+
> [!IMPORTANT]
93+
> If you configured a free, managed certificate on Azure Front Door on the same domain `api.contoso.com`, then you can't use the free, managed certificate feature of API management. Instead, we recommend bringing your own certificate and uploading it to API Management for the custom domain.
94+
95+
### Modify Azure Firewall rules if used
96+
97+
If an Azure Firewall protects your API Management instance, modify the firewall's network rules to allow inbound access from DigiCert IP addresses on port 80:
98+
99+
1. Go to your **Azure Firewall** instance.
100+
1. Under **Settings** > **Rules** (or **Network rules**), locate the rule collection and the specific rule that restricts inbound access to the API Management instance.
101+
1. Edit or delete the rule to add the DigiCert IP addresses to the allow list on port 80.
102+
1. Select **Save** and test API access.
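Review bot: the intro sentence "we recommend that you remove or modify existing IP restrictions" and the first option in each procedure ("Delete the entire XML snippet to remove the restriction completely", "**Delete** the restrictive rule") present dropping the restriction as the default outcome, yet the renewal only needs inbound port 80 from the DigiCert IP ranges; the guidance should lead with adding those ranges to the existing allow list on port 80 and mention deletion, if at all, as a last resort, and the NOTE should ask readers to verify that access from other sources is still blocked rather than only "that the restrictions have been removed as intended". Heading hierarchy: the include opens with "### Allow access to DigiCert IP addresses" and the four procedures that follow are also H3, so they render as siblings of the section instead of its steps; make them H4. The DigiCert link carries `utm_medium`, `utm_source` and `referrer` tracking parameters that can be removed (same URL as in the breaking-changes article). Minor: "Step 2: Preserve target custom domain/hostname from the traffic manager" names only Traffic Manager although the architecture line above lists "Azure Front Door / Traffic Manager"; "from the front-end service" would match the diagram.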
