At my client API Management is hosted in an Azure VNet. The specific Azure VNet is publicly accessible. API Management can only be accessed via the Web Application Gateway to guard against OWASP threats.
I was wondering what address to use when accessing an API Management service from a Logic App via the Web Application Gateway. Should I call the Web Application Gateway or should I call API Management?
The answer is Split DNS. In Wikipedia you will find the following definition:
In computer networking, split-horizon DNS, split-view DNS, split-brain DNS, or split DNS is the facility of a Domain Name System (DNS) implementation to provide different IP addresses, depending on the source address of the DNS request. This facility can provide a mechanism for security and privacy management by logical or physical separation of DNS information for network-internal access and access from an unsecure, public network (e.g. the Internet).
- If you wanna call API Management from the Azure VNet (internally), the DNS address will be resolved to the IP address of API Management.
- If you wanna call API Management from outside the Azure VNet (externally, like from a Logic App in the public cloud), the DNS address will be resolved to the IP address of the Web Application Gateway.