Connect to a virtual network using Azure API Management

Azure API Management can be deployed inside an Azure virtual network (VNet) to access backend services within the network. For VNet connectivity options, requirements, and considerations, see Using a virtual network with Azure API Management.

This article explains how to set up VNet connectivity for your API Management instance in the external mode, where the developer portal, API gateway, and other API Management endpoints are accessible from the public internet, and backend services are located in the network.

For configurations specific to the internal mode, where the endpoints are accessible only within the VNet, see Connect to an internal virtual network using Azure API Management.

Note

This article uses the Azure Az PowerShell module, which is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Availability

Important

This feature is available in the Premium and Developer tiers of API Management.

Prerequisites

Some prerequisites differ depending on the version (stv2 or stv1) of the compute platform hosting your API Management instance.

Tip

When you use the portal to create or update the network connection of an existing API Management instance, the instance is hosted on the stv2 compute platform.

  • A virtual network and subnet in the same region and subscription as your API Management instance. A dedicated subnet is recommended but not required.

  • A network security group attached to the subnet above. A network security group (NSG) is required to explicitly allow inbound connectivity, because the load balancer used internally by API Management is secure by default and rejects all inbound traffic. For specific configuration, see Configure NSG rules, later in this article.

  • A Standard SKU public IPv4 address. The public IP address resource is required when setting up the virtual network for either external or internal access. With an internal virtual network, the public IP address is used only for management operations. Learn more about IP addresses of API Management.

    • The IP address must be in the same region and subscription as the API Management instance and the virtual network.

    • When creating a public IP resource, ensure you assign a DNS name label to it. The label you choose does not matter, but a label is required if the resource will be assigned to an API Management service.

    • The value of the IP address is assigned as the virtual public IPv4 address of the API Management instance in that region.

    • When changing from an external to internal virtual network (or vice versa), changing subnets in the network, or updating availability zones for the API Management instance, you must configure a different public IP address.

Enable VNet connection

Enable VNet connectivity using the Azure portal (stv2 compute platform)

  1. Go to the Azure portal to find your API management instance. Search for and select API Management services.

  2. Choose your API Management instance.

  3. Select Network.

  4. Select the External access type.

  5. In the list of locations (regions) where your API Management service is provisioned:

    1. Choose a Location.
    2. Select Virtual network, Subnet, and IP address.

       • The VNet list is populated with Resource Manager VNets available in your Azure subscriptions, set up in the region you are configuring.

  6. Select Apply. The Network page of your API Management instance is updated with your new VNet and subnet choices.

  7. Continue configuring VNet settings for the remaining locations of your API Management instance.

  8. In the top navigation bar, select Save, then select Apply network configuration.

It can take 15 to 45 minutes to update the API Management instance. The Developer tier has downtime during the process. The Basic and higher SKUs don't have downtime during the process.

Enable connectivity using a Resource Manager template (stv2 compute platform)

  • Azure Resource Manager template (API version 2021-08-01)

Enable connectivity using Azure PowerShell cmdlets (stv1 platform)

Create or update an API Management instance in a VNet.
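The portal steps above and the PowerShell path can be carried out with the Az module as follows. This is an added example, not code from the article or from the Az.ApiManagement module documentation. It assumes placeholder resource names (resource group, instance, VNet, subnet and public IP), that the subnet already has an NSG attached, and that the installed Az.ApiManagement version exposes a PublicIpAddressId property on the service object for the stv2 platform; that property name is an assumption.

```powershell
# Added example (not from the article): enable external VNet mode on an existing
# API Management instance with the Az PowerShell module.
# All names below are placeholders (assumptions), not values from the article.
$resourceGroup = "rg-apim-example"
$location      = "eastus"
$apimName      = "apim-example"
$vnetName      = "vnet-apim-example"
$subnetName    = "snet-apim"
$publicIpName  = "pip-apim-example"

# Prerequisite: a Standard SKU, static public IPv4 address with a DNS name label.
# The label value itself does not matter, but it must be set.
$publicIp = New-AzPublicIpAddress -ResourceGroupName $resourceGroup -Name $publicIpName `
    -Location $location -Sku Standard -AllocationMethod Static -IpAddressVersion IPv4 `
    -DomainNameLabel ("{0}-{1}" -f $apimName, (Get-Random))

# Prerequisite: subnet in the same region and subscription, with an NSG attached.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
if (-not $subnet.NetworkSecurityGroup) {
    throw "Subnet '$subnetName' has no NSG attached; attach one with the required rules first."
}

# Build the VNet configuration object and apply it in External mode.
$apimVnet = New-AzApiManagementVirtualNetwork -SubnetResourceId $subnet.Id
$apim = Get-AzApiManagement -ResourceGroupName $resourceGroup -Name $apimName
$apim.VirtualNetwork    = $apimVnet
$apim.VpnType           = "External"
$apim.PublicIpAddressId = $publicIp.Id   # assumed property name (stv2 platform)

# Long-running: expect 15 to 45 minutes, with downtime on the Developer tier.
Set-AzApiManagement -InputObject $apim -PassThru
```

The NSG check before the update mirrors the prerequisite above: without an NSG that explicitly allows inbound traffic, the internal load balancer rejects all inbound connections and the deployment cannot succeed.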

Configure NSG rules

Configure custom network rules in the API Management subnet to filter traffic to and from your API Management instance. We recommend the following minimum NSG rules to ensure proper operation and access to your instance.

  • For most scenarios, use the indicated service tags instead of service IP addresses to specify network sources and destinations.
  • Set the priority of these rules higher than that of the default rules (in an NSG, a lower priority number is evaluated first).
  • Depending on your use of monitoring and other features, you may need to configure additional rules. For detailed settings, see Virtual network configuration reference.

| Source / Destination port(s) | Direction | Transport protocol | Service tags: Source / Destination | Purpose | VNet type |
|---|---|---|---|---|---|
| * / [80], 443 | Inbound | TCP | Internet / VirtualNetwork | Client communication to API Management | External only |
| * / 3443 | Inbound | TCP | ApiManagement / VirtualNetwork | Management endpoint for Azure portal and PowerShell | External & Internal |
| * / 6390 | Inbound | TCP | AzureLoadBalancer / VirtualNetwork | Azure Infrastructure Load Balancer (required for Premium service tier) | External & Internal |
| * / 443 | Outbound | TCP | VirtualNetwork / Storage | Dependency on Azure Storage | External & Internal |
| * / 1433 | Outbound | TCP | VirtualNetwork / SQL | Access to Azure SQL endpoints | External & Internal |
| * / 443 | Outbound | TCP | VirtualNetwork / AzureKeyVault | Access to Azure Key Vault | External & Internal |
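The minimum rule set above, expressed as Az PowerShell that creates the NSG and attaches it to the API Management subnet. This is an added example, not code from the article; the resource names are placeholders, the subnet address prefix is read back from the existing subnet, and "Sql" is used as the service tag name for the SQL row of the table.

```powershell
# Added example, not code from the article: build an NSG with the minimum rules from
# the table above and attach it to the API Management subnet using Az PowerShell.
# All names below are placeholders (assumptions), not values from the article.
$resourceGroup = "rg-apim-example"
$location      = "eastus"
$vnetName      = "vnet-apim-example"
$subnetName    = "snet-apim"
$nsgName       = "nsg-apim-example"

# Service tags are used instead of IP ranges. NSG priorities are evaluated lowest
# number first, so 100-120 takes precedence over the built-in 65000+ default rules.
# Priorities only need to be unique per direction.
$rules = @(
    # Inbound: client traffic to the gateway and portal (External VNet type only)
    New-AzNetworkSecurityRuleConfig -Name "AllowClientInbound" -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 80,443 `
        -Description "Client communication to API Management (External only)"
    # Inbound: management endpoint used by the Azure portal and PowerShell
    New-AzNetworkSecurityRuleConfig -Name "AllowManagementInbound" -Priority 110 -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix ApiManagement -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3443 `
        -Description "Management endpoint for Azure portal and PowerShell"
    # Inbound: Azure infrastructure load balancer (required for Premium tier)
    New-AzNetworkSecurityRuleConfig -Name "AllowLoadBalancerInbound" -Priority 120 -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix AzureLoadBalancer -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 6390 `
        -Description "Azure Infrastructure Load Balancer"
    # Outbound: platform dependencies (Storage, SQL, Key Vault)
    New-AzNetworkSecurityRuleConfig -Name "AllowStorageOutbound" -Priority 100 -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressPrefix Storage -DestinationPortRange 443 `
        -Description "Dependency on Azure Storage"
    New-AzNetworkSecurityRuleConfig -Name "AllowSqlOutbound" -Priority 110 -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressPrefix Sql -DestinationPortRange 1433 `
        -Description "Access to Azure SQL endpoints"
    New-AzNetworkSecurityRuleConfig -Name "AllowKeyVaultOutbound" -Priority 120 -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressPrefix AzureKeyVault -DestinationPortRange 443 `
        -Description "Access to Azure Key Vault"
)

# Create the NSG carrying the rules, then attach it to the existing subnet.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName `
    -Location $location -SecurityRules $rules

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review what was applied; lower Priority values win over the default rules.
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg |
    Sort-Object Direction, Priority |
    Format-Table Name, Direction, Priority, SourceAddressPrefix, DestinationAddressPrefix, DestinationPortRange
```

For an internal VNet type, drop the first rule: the 80/443 Internet rule is the only one marked External only in the table, and the remaining rules apply to both types.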

Connect to a web service hosted within a virtual network

Once you've connected your API Management service to the VNet, you can access backend services within it just as you do public services. When creating or editing an API, type the local IP address or the host name (if a DNS server is configured for the VNet) of your web service into the Web service URL field.

Custom DNS server setup

In external VNet mode, Azure manages the DNS by default. You can optionally configure a custom DNS server.

The API Management service depends on several Azure services. When API Management is hosted in a VNet with a custom DNS server, it needs to resolve the hostnames of those Azure services.

Important

If you plan to use a custom DNS server(s) for the VNet, set it up before deploying an API Management service into it. Otherwise, you'll need to update the API Management service each time you change the DNS Server(s) by running the Apply Network Configuration Operation.

Routing

  • A load-balanced public IP address (VIP) is reserved to provide access to the API Management endpoints and resources outside the VNet.
    • The public VIP can be found on the Overview/Essentials blade in the Azure portal.

For more information and considerations, see IP addresses of Azure API Management.

VIP and DIP addresses

Dynamic IP (DIP) addresses will be assigned to each underlying virtual machine in the service and used to access endpoints and resources in the VNet and in peered VNets. The API Management service's public virtual IP (VIP) address will be used to access public-facing resources.

If IP restriction lists secure resources within the VNet or peered VNets, we recommend specifying the entire subnet range where the API Management service is deployed to grant or restrict access from the service.

Learn more about the recommended subnet size.

Common network configuration issues

This section has moved. See Virtual network configuration reference.

Troubleshooting

  • Unsuccessful initial deployment of API Management service into a subnet

    • Deploy a virtual machine into the same subnet.
    • Connect to the virtual machine and validate connectivity to one of each of the following resources in your Azure subscription:
      • Azure Storage blob
      • Azure SQL Database
      • Azure Storage Table
      • Azure Key Vault (for an API Management instance hosted on the stv2 platform)

    Important

    After validating the connectivity, remove all the resources in the subnet before deploying API Management into the subnet (required when API Management is hosted on the stv1 platform).

  • Verify network status

    • After deploying API Management into the subnet, use the portal to check the connectivity of your instance to dependencies, such as Azure Storage.
    • In the portal, in the left-hand menu, under Deployment and infrastructure, select Network > Network status.

    | Filter | Description |
    |---|---|
    | Required | Select to review the required Azure services connectivity for API Management. Failure indicates that the instance is unable to perform core operations to manage APIs. |
    | Optional | Select to review the optional services connectivity. Failure indicates only that the specific functionality will not work (for example, SMTP). Failure may lead to degradation in using and monitoring the API Management instance and providing the committed SLA. |

    To address connectivity issues, review network configuration settings and fix required network settings.

  • Incremental updates
    When making changes to your network, refer to NetworkStatus API to verify that the API Management service has not lost access to critical resources. The connectivity status should be updated every 15 minutes.

    To apply a network configuration change to the API Management instance using the portal:

    1. In the left-hand menu for your instance, under Deployment and infrastructure, select Virtual network.
    2. Select Apply network configuration.

  • Resource navigation links
    An API Management instance hosted on the stv1 compute platform, when deployed into a Resource Manager VNet subnet, reserves the subnet by creating a resource navigation link. If the subnet already contains a resource from a different provider, deployment will fail. Similarly, when you delete an API Management service, or move it to a different subnet, the resource navigation link will be removed.
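The "Verify network status" and "Incremental updates" items above refer to the NetworkStatus API and the Apply network configuration operation. The following added example (not code from the article) queries the NetworkStatus REST endpoint for an instance, lists every dependency whose status is not "success", and optionally triggers the apply-network-configuration action after a DNS server change. It assumes placeholder resource names, uses the api-version the article cites for its Resource Manager template (2021-08-01), and assumes the response fields (location, networkStatus.dnsServers, connectivityStatus entries with name, status, isOptional, error, lastUpdated) follow that API version.

```powershell
# Added example, not code from the article: check dependency connectivity through the
# NetworkStatus REST API and, if requested, apply the network configuration.
# Resource names are placeholders (assumptions); response field names are assumed to
# match api-version 2021-08-01.
$subscriptionId         = (Get-AzContext).Subscription.Id
$resourceGroup          = "rg-apim-example"
$apimName               = "apim-example"
$applyNetworkConfig     = $false   # set to $true after changing the VNet's DNS servers
$apiVersion             = "2021-08-01"

$serviceId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
             "/providers/Microsoft.ApiManagement/service/$apimName"

# One entry per location; each carries dnsServers and connectivityStatus[].
$response = Invoke-AzRestMethod -Path "$serviceId/networkstatus?api-version=$apiVersion" -Method GET
if ($response.StatusCode -ne 200) {
    throw "NetworkStatus request failed with HTTP $($response.StatusCode): $($response.Content)"
}

$requiredFailures = 0
foreach ($entry in ($response.Content | ConvertFrom-Json)) {
    Write-Host "Location: $($entry.location)  DNS servers: $($entry.networkStatus.dnsServers -join ', ')"
    $failing = $entry.networkStatus.connectivityStatus | Where-Object { $_.status -ne 'success' }
    if (-not $failing) {
        Write-Host "  All dependencies reachable."
        continue
    }
    foreach ($dep in $failing) {
        # A failing required dependency means core API management operations are affected;
        # a failing optional one degrades only that feature (for example, SMTP).
        $kind = if ($dep.isOptional) { 'optional' } else { 'REQUIRED' }
        if (-not $dep.isOptional) { $requiredFailures++ }
        Write-Host ("  [{0}] {1}: {2} (last updated {3}) {4}" -f $kind, $dep.name, $dep.status, $dep.lastUpdated, $dep.error)
    }
}

# After a custom DNS server change, the instance must be told to re-read the
# network configuration (the Apply network configuration operation).
if ($applyNetworkConfig) {
    $apply = Invoke-AzRestMethod -Path "$serviceId/applynetworkconfiguration?api-version=$apiVersion" -Method POST
    Write-Host "applynetworkconfiguration returned HTTP $($apply.StatusCode)"
}

Write-Host "Required dependencies failing: $requiredFailures"
```

The status is refreshed by the service roughly every 15 minutes, so a failure reported immediately after a change may reflect the previous state; re-run the check after that interval before treating a required-dependency failure as confirmed.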

Next steps

Learn more about: