
Unable to backup APIM instance to storage account

curious17 20 Reputation points
2026-05-14T14:51:31.4333333+00:00

I have a Standard V2 APIM instance and a storage account that has public access disabled but allows traffic from the Integration subnet of the APIM and the "Microsoft.ApiManagement/Service" resource type and the specific instance of APIM allowed access. It also has the "Allow trusted Microsoft Services to access this resource" selected.

Integration subnet of APIM has the "Microsoft.Storage" service connection configured.

I am following this MS KB to set up the backup:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-disaster-recovery-backup-restore?tabs=powershell#back-up-an-api-management-service

And using the "Access using managed identity" method. The Service principal that I am using in PowerShell & Managed Identity of APIM has been given the "Storage Blob Data Contributor" role on the storage account.

When I run the following 2 commands from a VM in the same VNET as the APIM Instance I get error: "Backup-AzApiManagement : Long running operation failed with status 'BadRequest'."

$storageContext = New-AzStorageContext -StorageAccountName $storageAccountName

Backup-AzApiManagement -ResourceGroupName $apiManagementResourceGroup -Name $apiManagementName -StorageContext $storageContext -TargetContainerName $containerName -TargetBlobName $blobName -AccessType "SystemAssignedManagedIdentity"

Storage logs seem to indicate that it successfully does the "putblob" operation and within a few milliseconds does the "DeleteBlob" operation.

APIM activity logs have the following error for "Backup API Management Service":-

"message": "Unable to backup API service at this time. Please, retry the operation.If the issue persists, please contact support providing correlation ID

How can I troubleshoot this further or what needs to change in my setup to allow the backup?

Azure API Management

3 answers

  1. curious17 20 Reputation points
    2026-05-15T04:42:45.36+00:00


  2. Pravallika KV 15,465 Reputation points Microsoft External Staff Moderator
    2026-05-14T15:50:03.5833333+00:00

    Hi curious17,

    Thanks for reaching out to Microsoft Q&A.

    Everything in your networking and RBAC setup is correct, but you’re on a Standard V2 SKU and unfortunately the V2 tiers (Basic V2 and Standard V2) don’t support the backup/restore feature yet, as mentioned in MSDOC. That’s why the operation immediately fails with a BadRequest, even though you see the blob creation/deletion in storage logs.

    What you can do:

    1. Verify your SKU/version
    • Go to your APIM overview in the portal and confirm it’s Standard V2.

    Note: The docs state under "Backup and Restore" that it is not available in the Basic v2 and Standard v2 tiers, i.e. v2 tiers don’t support backup.

    2. Migrate or repurpose
    • If you need true backup/restore, you’ll have to use a v1 tier (Standard v1, Premium, Developer) or scale up to Premium V1.
    • Alternatively, export your API/Policy configuration via ARM templates or the APIM “Export” APIs and store those in source control as a “poor-man’s backup.”

    3. Test backup on a supported tier
    • Spin up a Standard V1 APIM (or Developer/Premium) in the same VNet.
    • Grant its system-assigned identity the same Storage Blob Data Contributor role.
    • Retry the Backup-AzApiManagement cmdlet.

    If after moving to a supported tier you still see the same error, let us know and we can dig into the correlation ID from your APIM activity logs.

    Hope this helps!


    If the resolution was helpful, kindly take a moment to click on Yes for "Was this answer helpful?". And if you have any further queries, do let us know.

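Added example (not part of any answer in this thread, and not Microsoft's code): a read-only pre-flight that collects the facts this thread turns on before `Backup-AzApiManagement` is run, namely the APIM tier, the managed identity's role on the storage account, and the storage firewall rules. The function name `Test-ApimBackupPrereq` and the `$StorageResourceGroup` parameter are assumptions made for illustration; the SKU test covers only the two tiers named in the answer above.

```powershell
# Added example: read-only checks, nothing is modified. Requires Az.Resources and Az.Storage.
function Test-ApimBackupPrereq {
    param(
        [Parameter(Mandatory)] [string] $ApimResourceGroup,
        [Parameter(Mandatory)] [string] $ApimName,
        [Parameter(Mandatory)] [string] $StorageResourceGroup,   # assumed parameter
        [Parameter(Mandatory)] [string] $StorageAccountName
    )

    # Generic ARM view of the instance: SKU name and identity are top-level properties.
    $apim = Get-AzResource -ResourceGroupName $ApimResourceGroup -Name $ApimName `
        -ResourceType 'Microsoft.ApiManagement/service'
    $sku = $apim.Sku.Name
    $principalId = $apim.Identity.PrincipalId

    # Role check for the system-assigned identity, evaluated at the storage account scope.
    $storage = Get-AzStorageAccount -ResourceGroupName $StorageResourceGroup -Name $StorageAccountName
    $role = if ($principalId) {
        Get-AzRoleAssignment -ObjectId $principalId -Scope $storage.Id |
            Where-Object RoleDefinitionName -eq 'Storage Blob Data Contributor'
    }

    # Storage firewall: default action, trusted-services bypass, subnet/IP/instance rules.
    $net = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $StorageResourceGroup `
        -Name $StorageAccountName
    $instanceRule = $net.ResourceAccessRules | Where-Object ResourceId -eq $apim.ResourceId

    [pscustomobject]@{
        Sku                   = $sku
        TierSupportsBackup    = $sku -notin 'BasicV2', 'StandardV2'
        HasManagedIdentity    = [bool]$principalId
        HasBlobDataRole       = [bool]$role
        FirewallDefaultAction = "$($net.DefaultAction)"
        TrustedServicesBypass = "$($net.Bypass)" -match 'AzureServices'
        InstanceRulePresent   = [bool]$instanceRule
        AllowedSubnets        = @($net.VirtualNetworkRules.VirtualNetworkResourceId)
        AllowedIpRanges       = @($net.IpRules.IPAddressOrRange)
    }
}

# Usage with the variables from the question ($storageResourceGroup is assumed):
# Test-ApimBackupPrereq -ApimResourceGroup $apiManagementResourceGroup -ApimName $apiManagementName `
#     -StorageResourceGroup $storageResourceGroup -StorageAccountName $storageAccountName
```

If `TierSupportsBackup` is `False`, the remaining fields do not matter for the backup cmdlet; they are still useful as a record of what the storage firewall currently admits.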

  3. Jose Benjamin Solis Nolasco 8,076 Reputation points Volunteer Moderator
    2026-05-14T15:15:32.2633333+00:00

    Hello mcstudy2022,

    Welcome to Microsoft Q&A

    Noticing that the PutBlob and DeleteBlob operations succeeded right before the BadRequest ....

    What you are experiencing is a disconnect between the APIM Control Plane and the Standard V2 Data Plane.

    When you trigger the backup, the APIM Resource Provider (Control Plane) does a pre-flight check. It logs in using the Managed Identity, and because you properly configured the "Trusted Services" and "Resource Instance" rules, Azure Storage lets it through to do the Put/Delete test.

    However, once the test passes, the Control Plane tasks the actual APIM background workers to upload the backup. This is where it breaks. In Standard V2, background management traffic (like backups) does not flow through your VNet Integration subnet; it routes out over the public internet. When those background workers attempt the upload using a delegated SAS token instead of direct Entra ID, the Azure Storage firewall drops the connection. This happens because "Resource Instance" exceptions explicitly do not apply to SAS traffic.

    To get this working, you simply need to add your Standard V2 APIM instance's Outbound Public IP address directly to the Storage Account's firewall whitelist.

    One quick note: Make sure your Storage Account is in a different region than your APIM instance! If they are in the exact same region, the traffic gets routed over an internal Azure backbone IP instead of your public IP, which means your new firewall whitelist won't trigger.

    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!
