Can backend APIs (function apps with Private Endpoint associated with External VNet APIM) work from App Gateway WAF v2?

Prabha 216 Reputation points


I have a question on APIM with App Gateway integration for the function apps that are connected as APIs with APIM and have private endpoints.

So will backend APIs work from App Gateway?

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.

1 answer

  1. VasimTamboli 3,185 Reputation points

    Yes, it is possible to use Azure API Management (APIM) with an Application Gateway WAF v2 to route traffic to function apps that have private endpoints associated with an external Virtual Network (VNet).

    Here is how the setup would work:

    Private Endpoint for Function Apps: Configure private endpoints for your function apps, ensuring that they are associated with an external VNet. This allows the function apps to have private access only within the VNet.

    Azure API Management (APIM): Create an instance of APIM and configure it to expose APIs. Connect the function apps as backends to the APIM instance.

    Application Gateway WAF v2: Set up an Application Gateway WAF v2 and configure it to integrate with your APIM instance. This integration allows the Application Gateway to act as the frontend for APIM, providing additional features such as Web Application Firewall (WAF) protection and traffic management.

    Routing Traffic: Configure the Application Gateway's listeners and rules to route incoming requests to the appropriate APIs in the APIM instance. The APIM instance will then forward the requests to the corresponding function apps that have private endpoints.

    By setting up this architecture, the Application Gateway WAF v2 acts as a secure entry point for your APIs, providing additional security and traffic management capabilities. It can route traffic to the backend function apps, even if they have private endpoints associated with an external VNet.

    Make sure to configure the necessary network settings, such as peering and network rules, to allow connectivity between the different components (APIM, Application Gateway, and function apps) and the external VNet.

    It's important to note that this setup requires proper configuration and adherence to security best practices to ensure a secure and functional architecture.
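A name-resolution check for the connectivity step in the answer above, as an added example that is not part of the original answer: it flags a function app hostname that resolves to a public address, meaning the private endpoint's DNS zone is not effective where the check runs. The hostnames and addresses are constructed placeholders, and it assumes the VNets use RFC 1918 IPv4 space and that the real check is run from a VM inside the APIM VNet.

```python
import ipaddress
import socket

# RFC 1918 ranges; assumes the VNets use private IPv4 space, as is typical.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def system_resolve(host):
    """Resolve with the local resolver, i.e. the DNS view of the VNet you run in."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_vnet_private(addr):
    """True if addr is an RFC 1918 IPv4 address (IPv6 is treated as not private)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def check_hops(hops, resolver=system_resolve):
    """hops: (name, hostname, must_be_private). Returns (name, status, detail) tuples."""
    results = []
    for name, host, must_be_private in hops:
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            results.append((name, "FAIL", f"{host} does not resolve: {exc}"))
            continue
        public = [a for a in addrs if not is_vnet_private(a)]
        if must_be_private and public:
            results.append((name, "FAIL", f"{host} -> {public}: public address, "
                            "private DNS zone not effective in this VNet"))
        else:
            results.append((name, "OK", f"{host} -> {addrs}"))
    return results

if __name__ == "__main__":
    # Constructed sample: hypothetical hostnames and addresses, not from the page.
    sample_dns = {
        "apim-contoso.azure-api.net": ["203.0.113.20"],      # External-mode APIM VIP
        "func-orders.azurewebsites.net": ["10.1.2.4"],       # private endpoint NIC
        "func-billing.azurewebsites.net": ["203.0.113.10"],  # zone not linked
    }
    hops = [
        ("APIM gateway", "apim-contoso.azure-api.net", False),
        ("orders backend", "func-orders.azurewebsites.net", True),
        ("billing backend", "func-billing.azurewebsites.net", True),
    ]
    for row in check_hops(hops, resolver=sample_dns.__getitem__):
        print(*row, sep=" | ")
```

Calling `check_hops(hops)` without a `resolver` argument uses the system resolver, so the result reflects the DNS view of whichever network the script runs in.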