APIM recommendation with service endpoints

Pulin Gupta 0

With respect to this article, I would like to understand what is the latest recommendation when it comes to APIM networking

Art: https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet?tabs=stv2

Can you suggest why private endpoints are not recommended in this case while in all cases use of private networking is promoted by microsoft?

1 answer

Ben Gimblett 4,530 Reputation points Microsoft Employee

2024-05-03T08:38:49.9533333+00:00

Hi - Thanks for the question

APIM Premium (stv2) is what we refer to as a "vnet injected" service - so when you associate a VNet to APIM Premium then you're in effect deploying the compute for the service "Into" the VNet

Although Private endpoints are available on APIM there is a limitation with APIM STV2 whereby the private endpoint cannot be added once APIM is associated with a VNET

However, once associated with a VNET you can switch APIM to use a private load balancer rather than public. In otherwords the data plane is only accessible on the private path which gives you the private inbound and outbound access into your VNET and connected/peered networks

The new "V2" tiers of APIM which are in public preview will work slightly differently to this. for more info see https://learn.microsoft.com/en-us/azure/api-management/v2-service-tiers-overview
Please sign in to rate this answer.
Pulin Gupta 0 Reputation points

2024-05-07T13:14:52.48+00:00

Does it mean that Private Endpoint are not supported if I plan to associate vnet with apim before or after whatsoever?

Also is it important to associate APIM with vnet?

Ben Gimblett 4,530 Reputation points Microsoft Employee

2024-05-07T13:21:08.5633333+00:00

You would associate with a VNET if you needed to reach backends which are private/internal to a network

If all the backends are public it's not required. The Standard V2 tier also allows you to reach private backends (in a similar way to functions/app service) but this tier of APIM is still in preview.

Another reason would be if you wanted private ingress - but as you know you can do that via a private endpoint too

Unfortunately you cant do both - you cant have a premium version of APIM which is associated/attached to the Vnet AND private endpoint.

Pulin Gupta 0 Reputation points

2024-05-07T13:26:53.8866667+00:00

is it so that we cannot connect to backend using internal peered network using private endpoint?

Ben Gimblett 4,530 Reputation points Microsoft Employee

2024-05-07T13:42:47.1833333+00:00

With either standard V2 (preview) or Premium/Dev your APIM can be associated with a VNet - meaning it can address backends via a private interface/IP (a VM for example) and that includes any backend exposed via a private endpoint.
The backend can be on the same VNet or a peered/connected network if there's access allowed.

For both Standard V2 and Premium/Dev Tiers APIM uses the DNS settings inherited from the VNet

Pulin Gupta 0 Reputation points

2024-05-07T13:59:41.71+00:00

So shall I consider it as recommended approach to connect outgress using private endpoint?

Ben Gimblett 4,530 Reputation points Microsoft Employee

2024-05-07T14:52:28.05+00:00

you could certainly reach a backend via a private endpoint in your VNet from APIM with Standard V2 or APIM Premium/Developer connected to the VNet yes so long as there's "line of sight" (in other words no firewall or Network security groups blocking access)

Pulin Gupta 0 Reputation points

2024-05-08T07:37:34.8166667+00:00

The reason I am stressing on recommendation for both ingress and outgress when it comes to use of private endpoints is because

My Azure environment recommends use of private endpoints for inter communication, and it is based on Microsoft Cloud Adaption Principles, but if APIM recommends vnet integration and service endpoints I need to know?

Ben Gimblett 4,530 Reputation points Microsoft Employee

2024-05-08T09:27:02.5166667+00:00

One doesn't preclude the other though ! VNET Integration is often preferred because private endpoints are one-way-only (uni-directional). They are good for ingress but no good if you want a resource to connect onwards. They work really well for PaaS (Key Vault is a great example) where ingress only is required and they're recommended in this context to avoid switching to the public interface (although remember all intra-PaaS traffic in Azure stays on the Microsoft backbone - it does not transit the Internet).

My recommendation is to use Private endpoints where they make sense, for proxy services such as APIM , Application Gateway etc etc then being part of the VNet makes more sense as these services would often be required to communicate to private backends. For some services (App Service based products as an example) then both are possible.

Pulin Gupta 0 Reputation points

2024-05-09T06:49:16.38+00:00

I am not clear as to why application management when connecting to private backend will become a problem? those private backend can use private endpoints to go further.

When we set policies to the environment, MS made it clear that private endpoint must be enforced to all paas resources. So why is there no clear path in this case?

Even though APIM would be using Microsoft backbone but I am loosing control to network operations with service endpoints. So I am not preferring any resource to use unknown network.

There can only be 2 clear statements, 1. is Recommendation 2. is Support.

Is MS recommending not to use PE for APIM, if yes please point me to link?

If MS is not supporting PE for APIM, if yes please point me to link?

Why is this provided https://learn.microsoft.com/en-us/azure/api-management/private-endpoint, for ingress

And For all backend, if all my backend network are peered using hub spoke model, there is no case of isolated network so why secured PE use is not recommended?

Ben Gimblett 4,530 Reputation points Microsoft Employee

2024-05-09T08:24:07.0233333+00:00

Trying to be clearer:

Assuming you can only use GA services
(1) APIM Premium which is the only GA service which can connect to private backends - this would be a requirement if any API you integrate with through APIM is not public - does not support private endpoints (see doc link above). However, APIM can be deployed in "internal" mode which means it will only be addressable via a Internal Load Balancer (DNS resolves to an IP from the subnet it's deployed into). This provides the same overall functionality (private interface for ingress).
(2) Aside from APIM Private endpoints are otherwise strongly recommended for securing all public PaaS which support them to limit traffic to the virtual network.

Hope this clears up any remaining confusion ! :)
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

APIM recommendation with service endpoints

1 answer

Your answer