Private Link Support for Azure API Management | Private Endpoint for Azure API Management

Microsoft has recently announced the preview of Azure private Link support for Azure API management. In this blog, we will look into what is a

1. private endpoint for Azure API Management.
2. Most importantly, we will look into what business problems it will solve. (Why do we need it and what are the use cases?)
3. We will find out how to configure it with a demo.

To learn about what is Azure API Management, head to…

If you prefer to watch this on youtube…

Private Endpoint

Private Link is a network-level capability that provides private connectivity to Azure PaaS services from a virtual network. PaaS resources are nothing but, a storage account, service bus, APIM etc.

When you create a private endpoint for a PaaS resource, we need to drop it in a virtual network. Now the resources inside the virtual network can access the PaaS resource securely through a private connection. Here private connection is nothing but, a Microsoft backbone network that is NOT INTERNET.

Before we Begin:

There are a couple of important points to be noted.

1. As of this writing, it is still in preview.
2. To enable private endpoints, the APIM should not be VNET injected. This means, that it can’t be configured with an external or internal virtual network.
3. APIM Private endpoint connection supports only incoming traffic to the APIM instance.
4. This is only supported in the managed gateway. Doesn’t support a self-hosted gateway where you create a container and run it on-prem
5. Except for consumption, This feature is available in all tiers - Premium, Standard, Basic and Developer.
6. Creating a private endpoint for APIM does not disable public access as it does for other PaaS resources(like Azure functions, app services etc…). We need to explicitly disable the public access if we don’t want it.
7. Only the API Management instance’s Gateway endpoint currently supports Private Link connections

Private Endpoint for Azure API Management

Now with this support, the APIM gateway can be accessed through Private Endpoint.

What does this exactly mean?

Use case #1

Let’s say we have an APIM gateway(without any virtual network configured) that is managing all our PaaS Services, for example, all the backend services like app services, function apps and HTTP trigger logic apps etc…

If we want to access the API Management endpoints from on-premises, the on-premises firewall needs to trust and allow the outbound connection to API Management.

With Private Endpoint for API Management

We can create a private endpoint for the API Management gateway and place it in a virtual network. The resources inside the Virtual network can access the API Management gateway through a private network which is the Microsoft backbone network.

If this Virtual Network is connected to on-premises via express route or VPN, then we can access the API Management endpoints from on-premises over a private network.

To secure it further - we can also lock in your API Management instance with backend services using an IP address(every APIM instance will have a fixed IP address and it will not change unless you recreate it) and managed identity.

With private endpoint support, we can securely access such an API Management gateway from on-premises over a private network.

Use case #2

It facilitates your external consumers to securely access your API Management gateway (without any virtual network configured)

We can simply create a private endpoint for the API Management gateway and place it in an external consumer virtual network. Yes, private endpoints can be reached from the same Virtual Network, regionally peered virtual networks and globally peered virtual networks and also cross tenants.

Step-by-step guide.

If you are stuck with any of the steps below, you can refer to my YouTube video where I showcased it in detail.

1. Create API Management Endpoint with Azure function as backend and lock it in with IP Address.

Azure functions as a backend for API Management

Lock it with the API Management Gateway IP address

2. Create a Virtual Network and two subnets, one for VM and another to place a private endpoint

   

3. Create VM and place it in subnet-vm without any public IP address

   

4. Create Bastion and access the VM and test the API Management endpoint with nslookup

   

5. Go to API Management —> Virtual Network —> Private Endpoint, create a private Endpoint and place it in subnet-pvt.

   

6. It will be accessible over the internet even after creating a private endpoint. You test this by accessing the endpoint. Disable the public access by running the below command

az rest --method patch --url https://management.azure.com/subscriptions/[SubscriptionID]/resourceGroups/apim/providers/Microsoft.ApiManagement/service/[APIMInstanceName]?api-version=2021-08-01 --body '{\"properties\": {\"publicNetworkAccess\": \"Disabled\"}}'

7. Now if you access the API Management Endpoint URL over the internet, it would through the below error.

   

8. Try accessing the API Management endpoint from VM which is in the same virtual network as the private endpoint.