Yes, it is possible to use Azure API Management (APIM) with an Application Gateway WAF v2 to route traffic to function apps that have private endpoints associated with an external Virtual Network (VNet).
Here is how the setup would work:
1. Private Endpoint for Function Apps: Configure private endpoints for your function apps, ensuring that they are associated with an external VNet. This allows the function apps to have private access only within the VNet.
2. Azure API Management (APIM): Create an instance of APIM and configure it to expose APIs. Connect the function apps as backends to the APIM instance.
3. Application Gateway WAF v2: Set up an Application Gateway WAF v2 and configure it to integrate with your APIM instance. This integration allows the Application Gateway to act as the frontend for APIM, providing additional features such as Web Application Firewall (WAF) protection and traffic management.
4. Routing Traffic: Configure the Application Gateway's listeners and rules to route incoming requests to the appropriate APIs in the APIM instance. The APIM instance will then forward the requests to the corresponding function apps that have private endpoints.
By setting up this architecture, the Application Gateway WAF v2 acts as a secure entry point for your APIs, providing additional security and traffic management capabilities. It can route traffic to the backend function apps, even if they have private endpoints associated with an external VNet.
Make sure to configure the necessary network settings, such as peering and network rules, to allow connectivity between the different components (APIM, Application Gateway, and function apps) and the external VNet.
It's important to note that this setup requires proper configuration and adherence to security best practices to ensure a secure and functional architecture.
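The peering and name-resolution requirement above can be checked on paper before deployment. The following is an added example, not part of the original answer: it models the Application Gateway -> APIM -> function app path and reports hops that cannot work. The VNet names and sample topologies are constructed, and it assumes APIM is deployed into a VNet and uses Azure-provided DNS (no custom forwarder).

```python
from dataclasses import dataclass, field

# Private DNS zone used by private endpoints of Function Apps / App Service.
PRIVATELINK_ZONE = "privatelink.azurewebsites.net"

@dataclass
class Topology:
    placement: dict   # component name -> VNet it lives in
    peerings: set     # directed peering links as (from_vnet, to_vnet)
    dns_links: dict = field(default_factory=dict)  # zone -> set of linked VNets

def vnets_connected(t, a, b):
    """Same VNet, or peered in BOTH directions. VNet peering is not transitive."""
    return a == b or ((a, b) in t.peerings and (b, a) in t.peerings)

def check_path(t):
    """Return findings for the App Gateway -> APIM -> function app path."""
    findings = []
    for src, dst in [("appgw", "apim"), ("apim", "function_pe")]:
        a, b = t.placement[src], t.placement[dst]
        if not vnets_connected(t, a, b):
            findings.append(f"no direct two-way peering: {src} ({a}) -> {dst} ({b})")
    # APIM must resolve <app>.azurewebsites.net to the private endpoint IP,
    # so the privatelink zone has to be linked to the VNet APIM sits in.
    apim_vnet = t.placement["apim"]
    if apim_vnet not in t.dns_links.get(PRIVATELINK_ZONE, set()):
        findings.append(f"{PRIVATELINK_ZONE} not linked to APIM VNet ({apim_vnet})")
    return findings

# Constructed sample: gateway and APIM share a VNet that is peered with the
# external VNet holding the private endpoint, and the zone is linked.
GOOD = Topology(
    placement={"appgw": "hub-vnet", "apim": "hub-vnet", "function_pe": "external-vnet"},
    peerings={("hub-vnet", "external-vnet"), ("external-vnet", "hub-vnet")},
    dns_links={PRIVATELINK_ZONE: {"hub-vnet", "external-vnet"}},
)

# Constructed sample: APIM reaches the external VNet only "through" hub-vnet.
# Peering is not transitive, and the zone is linked to the wrong VNet.
TRANSITIVE = Topology(
    placement={"appgw": "edge-vnet", "apim": "edge-vnet", "function_pe": "external-vnet"},
    peerings={("edge-vnet", "hub-vnet"), ("hub-vnet", "edge-vnet"),
              ("hub-vnet", "external-vnet"), ("external-vnet", "hub-vnet")},
    dns_links={PRIVATELINK_ZONE: {"external-vnet"}},
)

if __name__ == "__main__":
    for name, topo in [("GOOD", GOOD), ("TRANSITIVE", TRANSITIVE)]:
        print(name, check_path(topo) or "path OK")
```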