Events
Mar 17, 9 p.m. - Mar 21, 10 a.m.
Join the meetup series to build scalable AI solutions based on real-world use cases with fellow developers and experts.
Register nowNetwork resource requirements for integration of a workspace gateway into a virtual network
APPLIES TO: Premium
Network isolation is an optional feature of an API Management workspace gateway. This article provides network resource requirements when you integrate your gateway in an Azure virtual network. Some requirements differ depending on the desired inbound and outbound access mode. The following modes are supported:
- Public inbound access, private outbound access (Public/Private)
- Private inbound access, private outbound access (Private/Private)
For information about networking options in API Management, see Use a virtual network to secure inbound or outbound traffic for Azure API Management.
Note
- The network configuration of a workspace gateway is independent of the network configuration of the API Management instance.
- Currently, a workspace gateway can only be configured in a virtual network when the gateway is created. You can't change the gateway's network configuration or settings later.
- The virtual network must be in the same region and Azure subscription as the API Management instance.
- The subnet used for virtual network integration can only be used by a single workspace gateway. It can't be shared with another Azure resource.
- Minimum: /27 (32 addresses)
- Maximum: /24 (256 addresses) - recommended
The subnet must be delegated as follows to enable the desired inbound and outbound access.
For information about configuring subnet delegation, see Add or remove a subnet delegation.
For Public/Private mode, the subnet needs to be delegated to the Microsoft.Web/serverFarms service.
Note
You might need to register the Microsoft.Web/serverFarms resource provider in the subscription so that you can delegate the subnet to the service.
A network security group (NSG) must be attached to the subnet to explicitly allow inbound connectivity. Configure the following rules in the NSG. Set the priority of these rules higher than that of the default rules.
| Source / Destination Port(s) | Direction | Transport protocol | Source | Destination | Purpose |
|---|---|---|---|---|---|
| */80 | Inbound | TCP | AzureLoadBalancer | Workspace gateway subnet range | Allow internal health ping traffic |
| */80,443 | Inbound | TCP | Internet | Workspace gateway subnet range | Allow inbound traffic |
In the Private/Private network configuration, you have to manage your own DNS to enable inbound access to your workspace gateway.
We recommend:
- Configure an Azure DNS private zone.
- Link the Azure DNS private zone to the VNet into which you've deployed your workspace gateway.
Learn how to set up a private zone in Azure DNS.
When you create an API Management workspace, the workspace gateway is assigned a default hostname. The hostname is visible in the Azure portal on the workspace gateway's Overview page, along with its private virtual IP address. The default hostname is in the format <gateway-name>-<random hash>.gateway.<region>-<number>.azure-api.net. Example: team-workspace-123456abcdef.gateway.uksouth-01.azure-api.net.
Note
The workspace gateway only responds to requests to the hostname configured on its endpoint, not its private VIP address.
Create an A record in your DNS server to access the workspace from within your VNet. Map the endpoint record to the private VIP address of your workspace gateway.
For testing purposes, you might update the hosts file on a virtual machine in a subnet connected to the VNet in which API Management is deployed. Assuming the private virtual IP address for your workspace gateway is 10.1.0.5, you can map the hosts file as shown in the following example. The hosts mapping file is at %SystemDrive%\drivers\etc\hosts (Windows) or /etc/hosts (Linux, macOS).
| Internal virtual IP address | Gateway hostname |
|---|---|
| 10.1.0.5 | teamworkspace.gateway.westus.azure-api.net |
Additional resources
Training
Module
Configure the network for your virtual machines - Training
Learn how to connect your local on-premises networks into Azure using virtual networks, VPN gateways, and Azure ExpressRoute.
Certification
Microsoft Certified: Azure Network Engineer Associate - Certifications
Demonstrate the design, implementation, and maintenance of Azure networking infrastructure, load balancing traffic, network routing, and more.
Documentation
-
Integrate API Management in private network
Learn how to integrate an Azure API Management instance in the Standard v2 or Premium v2 tier with a virtual network to access backend APIs in the network.
-
Azure API Management with an Azure virtual network
Learn about scenarios and requirements to secure inbound or outbound traffic for your API Management instance using an Azure virtual network.
-
Inject API Management in virtual network - Premium v2
Learn how to deploy (inject) an Azure API Management instance in the Premium v2 tier in a virtual network to isolate inbound and outbound traffic.