Accessing Private API in AKS Cluster via APIM

Dixan Lal Thomas 60 Reputation points
2024-06-11T05:36:13.6933333+00:00

I have deployed an API in an AKS cluster within a VNet, and it does not have a public endpoint. I want to access this API exclusively through my APIM. The requirement is that this API should be accessible only via APIM and not directly exposed to the public or other networks.

How can this be achieved in Azure? What strategy should I follow to ensure secure and exclusive access through APIM?


Accepted answer
  1. JananiRamesh-MSFT 27,916 Reputation points
    2024-06-12T10:51:15.9+00:00

    @Dixan Lal Thomas Thanks for reaching out. Please refer to option 3 in this doc https://learn.microsoft.com/en-us/azure/api-management/api-management-kubernetes#option-3-deploy-apim-inside-the-cluster-vnet which is a good approach if you want to ensure secure and exclusive access to your API through APIM.

    Do let me know in case of further queries; I would be happy to assist you.


1 additional answer

  1. Luis Arias 7,121 Reputation points
    2024-06-12T21:43:59.7866667+00:00

    Hello Dixan Lal Thomas,

    So if you want to set up access only through Azure APIM, you need to focus on isolating the communication from APIM to your AKS service.

    User access --> APIM --Outbound Integration--> vnet --> Aks service

    Here is some guidance on how to achieve this setup; however, this could vary depending on your environment:

    • API Management with Outbound Integration: Your API Management instance is integrated with a subnet in the VNet, allowing it to make outbound requests to API backends.
    • AKS on the Same VNet: Your AKS cluster is deployed on the same VNet but in a different subnet. Services in the AKS cluster can be accessed, for example, through Internal LoadBalancers, which get a private IP address in the VNet, or by calling the ingress controller directly.
      • This depends on how your network and DNS are set up in the AKS environment; I am adding some interesting articles as references if you need to dig deeper.
    • Communication: The API Management instance can communicate with the services in the AKS cluster using the private IP addresses of the Internal LoadBalancers.

    Additional references:

    If the information helped address your question, please Accept the answer.

    Luis
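
The layout described in the answer above (APIM integrated with one subnet, the AKS service reachable only on a private IP) can be expressed on the cluster side as follows. This is an added example, not part of either answer or of Microsoft's documentation; the service name, namespace, ports and the APIM subnet CIDR `10.0.1.0/24` are constructed placeholders.

```yaml
# Added example: names, namespace, ports and CIDR are constructed placeholders.
apiVersion: v1
kind: Service
metadata:
  name: orders-api
  namespace: apis
  annotations:
    # Request an internal load balancer: private VNet IP, no public endpoint.
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  # Preserve the caller's source IP so the NetworkPolicy below can match on it.
  externalTrafficPolicy: Local
  selector:
    app: orders-api
  ports:
    - port: 80          # port APIM calls on the private IP
      targetPort: 8080  # container port of the API pods
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-api-allow-apim-only
  namespace: apis
spec:
  # Applies to the API pods only; all other ingress to them is dropped.
  podSelector:
    matchLabels:
      app: orders-api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.0.1.0/24  # assumed APIM integration subnet
      ports:
        - protocol: TCP
          port: 8080
```

The NetworkPolicy is only enforced if the cluster was created with a network policy engine enabled. An NSG rule on the AKS subnet that allows inbound traffic only from the APIM subnet gives the same restriction at the VNet layer.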
