Making Outbound Connections from an Azure APIM Instance in a Private Subnet

Rachit R 0

An Azure API Management (APIM) instance is deployed in a private subnet and is publicly accessible through Azure Application Gateway. What are the recommended methods to establish outbound connections to a public backend API from this private APIM instance? API Consumer (Internet) -> Azure Application Gateway -> APIM -> Backend API (Internet)

Silvia Wibowo 5,286 Reputation points Microsoft Employee

2025-01-14T00:17:52.36+00:00
Hi @Rachit R , please clarify:

What SKU of APIM are you using: classic or v2, which tier (Basic, Developer, Standard, Premium?

Which network configuration? Reference: Use a virtual network to secure inbound or outbound traffic for Azure API Management

If you need public inbound and public outbound access, why did you deploy the APIM instance as private subnet?
Rachit R 0 Reputation points

2025-01-31T15:58:19.5333333+00:00
@Silvia Wibowo Here is the answer to your questions

SKU: APIM - Developer (as we are still in development); APP GW - WAF_v2

Network Configuration: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

We need to protect APIM, so that's why we put it behind the App GW and the APIM is only accessible within the VNET.

As we were unable to use App GW as a forward proxy to route traffic from APIM to the internet we moved on to a slightly different configuration. We have added a rule in Azure Firewall to allow outbound connectivity to this particular Backend API and associated that rule to the APIM subnet.
Silvia Wibowo 5,286 Reputation points Microsoft Employee

2025-02-03T06:59:07.35+00:00
Hi @Rachit R , I understand you're using APIM - Developer SKU (classic). You have a requirement to limit inbound access to APIM to private only.

Options:

Internal vnet injection (classic tier), which you have now. Note that you need to provide outbound path, which could be a Firewall or NAT Gateway. This is ideal if you want to be able to control and/or audit the inbound and outbound traffic of the APIM.

APIM with Inbound Private Endpoint. You can disable public endpoint, to make all inbound use private endpoint. Outbound goes straight to internet, no additional cost of Firewall or NAT Gateway.
Rachit R 0 Reputation points

2025-02-03T18:06:24.76+00:00

Thanks. We went with Option 1.
Rachit R 0 Reputation points

2025-02-03T18:11:54.7133333+00:00

Thanks. We went with Option 1.

1 answer

Silvia Wibowo 5,286 Reputation points Microsoft Employee

2025-02-26T20:20:58.28+00:00
Hi @Rachit R , I understand you're using APIM - Developer SKU (classic). You have a requirement to limit inbound access to APIM to private only. You have configured APIM with internal vnet injection (classic tier).

Your question is about outbound path to internet. Answer: you need to provide outbound path, which could be a Firewall (seems you've chosen this one) or a NAT Gateway.

More info:

Deploy and configure Azure Firewall and policy using the Azure portal

Create a NAT gateway using the Azure portal

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Making Outbound Connections from an Azure APIM Instance in a Private Subnet

1 answer

Your answer