Since the basic tier of APIM can't be deployed into a VNET, you will have to expose your services. You could either go for a load balancer + ingress controller combo or use Azure Application Gateway Ingress.
Since APIM has a static IP, you can set up an NSG rule to allow traffic only from APIM to your exposed service.
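A sketch of such an NSG in Bicep, as an added example that is not part of the original answer. The resource name, rule names, priorities, port 443 and the API version are assumptions, and the APIM address is a parameter you supply.

```bicep
// Added example: names, priorities, port and API version are assumptions.
@description('Static public IP of the APIM instance (placeholder, supply your own)')
param apimPublicIp string

@description('Port the exposed ingress or gateway listens on (assumed HTTPS)')
param servicePort string = '443'

// Shared fields: every rule here is inbound TCP to the service port.
var inboundToService = {
  direction: 'Inbound'
  protocol: 'Tcp'
  sourcePortRange: '*'
  destinationAddressPrefix: '*'
  destinationPortRange: servicePort
}

resource serviceNsg 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: 'nsg-exposed-service' // hypothetical name
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        name: 'Allow-APIM-Inbound'
        properties: union(inboundToService, {
          priority: 100
          access: 'Allow'
          sourceAddressPrefix: '${apimPublicIp}/32' // the single APIM address only
        })
      }
      {
        // Keep load balancer health probes working ahead of the deny rule.
        name: 'Allow-AzureLoadBalancer-Probes'
        properties: union(inboundToService, {
          priority: 110
          access: 'Allow'
          sourceAddressPrefix: 'AzureLoadBalancer'
        })
      }
      {
        // Explicit deny so a later, broader allow rule cannot reopen the port.
        name: 'Deny-Internet-To-Service'
        properties: union(inboundToService, {
          priority: 120
          access: 'Deny'
          sourceAddressPrefix: 'Internet'
        })
      }
    ]
  }
}
```

If this NSG is attached to an Application Gateway v2 subnet, it also needs an inbound allow for the `GatewayManager` service tag on ports 65200-65535, placed at a lower priority number than the deny rule.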