Hi,
I am trying to allow inbound traffic to App Gateway only from APIM and deny all traffic that comes from other sources.

I set up an NSG and associated it with the subnet that App Gateway is in. My inbound rule is

This did not work. APIM could not connect to App Gateway.
I then looked at https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags and found an interesting piece of text in the API Management row: "Management traffic for Azure API Management-dedicated deployments"
Does this mean the APIM Consumption tier does not have its own Service Tag? Is it only for the Developer, Basic, Premium, etc. tiers? If so, how could I restrict inbound traffic to be only from the APIM Consumption tier?
Thank you.

