Using Azure API Management service with an internal virtual network

With Azure Virtual Networks, Azure API Management can manage APIs not accessible on the internet. A number of VPN technologies are available to make the connection. API Management can be deployed in two main modes inside a virtual network:

  • External
  • Internal

When API Management is deployed in internal virtual network mode, all the service endpoints (the proxy gateway, the Developer portal, direct management, and Git) are visible only within a virtual network to which you control access. None of the service endpoints are registered on the public DNS server.

Note

Because there are no DNS entries for the service endpoints, these endpoints will not be accessible until DNS is configured for the virtual network.

Using API Management in internal mode, you can achieve the following scenarios:

  • Make APIs hosted in your private datacenter securely accessible by third parties outside of it by using site-to-site or Azure ExpressRoute VPN connections.
  • Enable hybrid cloud scenarios by exposing your cloud-based APIs and on-premises APIs through a common gateway.
  • Manage your APIs hosted in multiple geographic locations by using a single gateway endpoint.

Availability

Important

This feature is available in the Premium and Developer tiers of API Management.

Prerequisites

To perform the steps described in this article, you must have:

Creating an API Management in an internal virtual network

The API Management service in an internal virtual network is hosted behind an internal load balancer (classic). This is the only option available and can't be changed.

Enable a virtual network connection using the Azure portal

  1. Browse to your Azure API Management instance in the Azure portal.

  2. Select Virtual network.

  3. Configure the API Management instance to be deployed inside the virtual network.

    Menu for setting up an Azure API Management in an internal virtual network

  4. Select Save.

After the deployment succeeds, you should see the private virtual IP address and the public virtual IP address of your API Management service on the Overview blade. The private virtual IP address is a load-balanced IP address from within the API Management delegated subnet, over which the gateway, portal, management, and scm endpoints can be accessed. The public virtual IP address is used only for control plane traffic to the management endpoint over port 3443 and can be locked down to the ApiManagement service tag.

API Management dashboard with an internal virtual network configured

Note

The Test console available on the Azure portal will not work for a service deployed in an internal VNET, because the gateway URL is not registered on the public DNS. Use the Test console provided on the Developer portal instead.

Enable a virtual network connection by using PowerShell cmdlets

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

You can also enable virtual network connectivity by using PowerShell cmdlets.

  • Create an API Management service inside a virtual network: Use the cmdlet New-AzApiManagement to create an Azure API Management service inside a virtual network and configure it to use the internal virtual network type.

  • Update an existing deployment of an API Management service inside a virtual network: Use the cmdlet Update-AzApiManagementRegion to move an existing API Management service inside a virtual network and configure it to use the internal virtual network type.
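The two cmdlet paths above in script form, as an added PowerShell example that is not part of the article: the resource group, service name, location, subnet ID and admin e-mail are placeholders, and moving an existing service assumes it is already on the Developer or Premium tier.

```powershell
# Added example, not from the article: create an API Management service in internal
# VNet mode, or move an existing one into it. All names and IDs are placeholders.
$resourceGroup = "rg-apim-example"
$serviceName   = "contosointernalvnet"
$location      = "West US"
$subnetId      = "/subscriptions/<subscription-id>/resourceGroups/rg-apim-example" +
                 "/providers/Microsoft.Network/virtualNetworks/vnet-apim/subnets/snet-apim"

# The cmdlet only wraps the subnet's resource ID; the subnet itself must already exist.
$vnetConfig = New-AzApiManagementVirtualNetwork -SubnetResourceId $subnetId

# Case 1: new service. Internal mode needs the Developer or Premium tier.
New-AzApiManagement -ResourceGroupName $resourceGroup -Name $serviceName -Location $location `
    -Organization "Contoso" -AdminEmail "apim-admin@contoso.example" `
    -Sku "Premium" -VirtualNetwork $vnetConfig -VpnType "Internal"

# Case 2: existing service. Update the region's network settings on the in-memory
# object, set the VPN type, then push the change with Set-AzApiManagement.
$apim = Get-AzApiManagement -ResourceGroupName $resourceGroup -Name $serviceName
$apim = Update-AzApiManagementRegion -ApiManagement $apim -Location $location `
    -Sku "Premium" -Capacity 1 -VirtualNetwork $vnetConfig
$apim.VpnType = "Internal"
$apim = Set-AzApiManagement -InputObject $apim -PassThru

# After deployment the service reports one private VIP per region (all endpoints)
# and one public VIP (control plane only, port 3443).
"Private VIP(s): $($apim.PrivateIPAddresses -join ', ')"
"Public VIP(s):  $($apim.PublicIPAddresses -join ', ')"
```

Both cases take several minutes to complete; the VIPs are only populated once the deployment has succeeded.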

DNS configuration

When API Management is in external virtual network mode, the DNS is managed by Azure. For internal virtual network mode, you have to manage your own routing.

Note

API Management does not answer requests addressed directly to its IP addresses. It only responds to requests for the host names configured on its service endpoints. These endpoints include the gateway, the Azure portal and the Developer portal, the direct management endpoint, and Git.

Access on default host names

When you create an API Management service, named "contosointernalvnet" for example, the following service endpoints are configured by default:

  • Gateway or proxy: contosointernalvnet.azure-api.net

  • The Developer portal: contosointernalvnet.portal.azure-api.net

  • The new Developer portal: contosointernalvnet.developer.azure-api.net

  • Direct management endpoint: contosointernalvnet.management.azure-api.net

  • Git: contosointernalvnet.scm.azure-api.net

To access these API Management service endpoints, you can create a virtual machine in a subnet connected to the virtual network in which API Management is deployed. Assuming the internal virtual IP address for your service is 10.1.0.5, you can map the hosts file, %SystemDrive%\drivers\etc\hosts, as follows:

  • 10.1.0.5 contosointernalvnet.azure-api.net

  • 10.1.0.5 contosointernalvnet.portal.azure-api.net

  • 10.1.0.5 contosointernalvnet.developer.azure-api.net

  • 10.1.0.5 contosointernalvnet.management.azure-api.net

  • 10.1.0.5 contosointernalvnet.scm.azure-api.net

You can then access all the service endpoints from the virtual machine you created. If you use a custom DNS server in the virtual network, you can instead create DNS A records for these host names and access the endpoints from anywhere in your virtual network.

Access on custom domain names

  1. If you don’t want to access the API Management service with the default host names, you can set up custom domain names for all your service endpoints as shown in the following image:

    Setting up a custom domain for API Management

  2. Then you can create records in your DNS server to access the endpoints that are only accessible from within your virtual network.

Routing

  • A load balanced private virtual IP address from the subnet range will be reserved and used to access the API Management service endpoints from within the virtual network. This private IP address can be found on the Overview blade for the service in the Azure portal. This address must be registered with the DNS servers used by the virtual network.
  • A load balanced public IP address (VIP) will also be reserved to provide access to the management service endpoint over port 3443. This public IP address can be found on the Overview blade for the service in the Azure portal. The public IP address is used only for control plane traffic to the management endpoint over port 3443 and can be locked down to the ApiManagement service tag.
  • IP addresses from the subnet IP range (DIP) will be assigned to each VM in the service and will be used to access resources within the virtual network. A public IP address (VIP) will be used to access resources outside the virtual network. If IP restriction lists are used to secure resources within the virtual network, the entire range for the subnet where the API Management service is deployed must be specified to grant or restrict access from the service.
  • The load balanced public and private IP addresses can be found on the Overview blade in the Azure portal.
  • The IP addresses assigned for public and private access may change if the service is removed from and then added back into the virtual network. If this happens, it may be necessary to update DNS registrations, routing rules, and IP restriction lists within the virtual network.
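Putting the hosts-file mapping from "Access on default host names" and the port 3443 lock-down from the Routing list into script form, as an added example that is not part of the article: it reads the private and public VIPs with Get-AzApiManagement, generates one hosts entry per default host name (the same five listed above), and adds an inbound NSG rule that admits only the ApiManagement service tag on 3443. The resource group, service and NSG names are placeholders, and it assumes an NSG is already associated with the API Management subnet.

```powershell
# Added example, not from the article: hosts entries for the private VIP and an NSG
# rule restricting the public VIP to control-plane traffic. Names are placeholders.
$resourceGroup = "rg-apim-example"
$serviceName   = "contosointernalvnet"
$nsgName       = "nsg-apim"   # NSG already associated with the API Management subnet

$apim = Get-AzApiManagement -ResourceGroupName $resourceGroup -Name $serviceName
if ($apim.VpnType -ne "Internal") { throw "$serviceName is not deployed in internal VNet mode" }

# All endpoints share one load-balanced private VIP per region; the service selects the
# endpoint from the Host header, so each default host name needs its own record.
$privateVip   = $apim.PrivateIPAddresses[0]
$hostSuffixes = "azure-api.net", "portal.azure-api.net", "developer.azure-api.net",
                "management.azure-api.net", "scm.azure-api.net"
$hostsEntries = foreach ($suffix in $hostSuffixes) { "$privateVip $serviceName.$suffix" }
$hostsEntries   # add to the hosts file of a VM in the VNet, or as A records on the VNet's DNS server

# The public VIP only carries control-plane traffic on 3443. Admit just the ApiManagement
# service tag there; the NSG's default DenyAllInBound rule drops other Internet traffic,
# while the default AllowVnetInBound/AllowAzureLoadBalancerInBound rules keep the gateway reachable.
"Public VIP(s) to lock down: $($apim.PublicIPAddresses -join ', ')"
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-ApiManagement-ControlPlane-3443" `
    -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix "ApiManagement" -SourcePortRange "*" `
    -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange 3443 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null
```

Re-run the script after removing the service from and re-adding it to the virtual network, since the VIPs may change and the generated entries then go stale.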

To learn more, see the following articles: