API Management VNet Integration

Initially, API Management (APIM) could only be hosted as a public, multi-tenant endpoint. Today we can also use VNet integration to place the APIM gateway inside a subnet of our own VNet, in one of two modes. In external mode the gateway keeps a public IP and can be reached from the internet, while it can also reach back-end services on the VNet. In internal mode the gateway only gets a private IP and can only be reached from within the VNet (or from networks peered to it). To expose an internal-mode APIM publicly we put an Application Gateway in front of it.

Why would we use APIM with VNet integration? First, for added security: it lets us add network-level controls next to identity and access management, so a back-end does not have to be reachable from the internet just because APIM is. But what if we use APIM in external mode? That is still a secure setup. An external-mode APIM is added to a VNet and fits a hub-and-spoke architecture with VNet peering: APIM is hosted in a spoke VNet, and the hub VNet carries Azure Firewall to control traffic to external SaaS solutions and/or your on-prem environment.

Do we still use Application Gateway with APIM in external mode? No. Application Gateway is a regional load balancer and web application firewall (WAF) deployed inside an Azure VNet. If we need the same functionality at the edge, outside the VNet, we use Azure Front Door. To make sure APIM is only reached via Front Door we need two controls: a network security group (NSG) rule on the APIM subnet that allows inbound HTTPS only from the AzureFrontDoor.Backend service tag (a route table only steers outbound traffic and does not filter inbound), and a check-header policy in APIM that validates the X-Azure-FDID header against the ID of our own Front Door profile. Both are needed: the service tag admits traffic from every Front Door instance, not just ours, and the header alone can be spoofed by any client that can reach the gateway directly.
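The check-header policy described above, written out as an added example (it is not taken from the original post). It is meant for the global (All APIs) scope so that every API behind the gateway is covered; `FrontDoorId` is assumed to be a named value in the APIM instance holding the Front Door profile ID, which Front Door sends in the X-Azure-FDID header. The 403 for a missing or wrong ID is deliberate: a request that did not traverse our Front Door is rejected before any API-level policy runs.

```xml
<!-- Added example policy, global scope. Assumes a named value "FrontDoorId"
     containing the Front Door profile ID (a GUID shown on the profile overview). -->
<policies>
    <inbound>
        <!-- Reject any request whose X-Azure-FDID header is absent or does not
             match our Front Door profile. ignore-case="false" keeps the GUID
             comparison exact. -->
        <check-header name="X-Azure-FDID"
                      failed-check-httpcode="403"
                      failed-check-error-message="Request must come through Front Door."
                      ignore-case="false">
            <value>{{FrontDoorId}}</value>
        </check-header>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Pair this with the NSG rule on the APIM subnet that only allows inbound port 443 from the AzureFrontDoor.Backend service tag; without that rule the check only stops other Front Door profiles, not a client that talks to the gateway's public IP directly with a guessed or leaked header value.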