Comment 6 for bug 1436191

The way the Azure provider does this is by just not reporting the API port in its Instance.Ports method. That way, the firewaller never thinks it needs to close the port, and API ports are opened only for state server instances.