![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 57.99999999999999%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZL%3C/text%3E%3C/svg%3E)
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,960 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 10%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
zhengzhao liu Thanks for posting your question in Microsoft Q&A. For stv2 Internal VNET mode, we recommend the following minimum NSG rules, and I couldn't find the requirement for outbound connectivity to Internet. Here is doc reference: Configure NSG rules.
So, I don't think outbound to internet is required since your backend APIs are within the subnet. If you can share where it was mentioned as required would be helpful. If you are force tunneling traffic to on-premise firewall, then check out https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2#force-tunnel-traffic-to-on-premises-firewall-using-expressroute-or-network-virtual-appliance as well. I hope this helps and let me know if you have any questions.