API accessibility in Apim with app gateway in internal mode

Sumit Gaur 390 Reputation points
2024-02-16T19:24:24.9733333+00:00

We are building a setup where we want to have a single APIM accessible to both internal and external customers. For that, we have provisioned our APIM in internal mode behind an app gateway. We have set up a custom domain on APIM which lets the traffic flow through the app gateway and reach APIM. This setup is working fine and we are able to access the APIM perfectly fine. We also have this scenario where we want certain APIs to be accessible only to internal customers, with no public access. How can we achieve this in this setup without applying a WAN IP restrictions policy on the API in APIM? Can we do some setting on the app gateway, or build two custom domains, one for internal and one for external, and provide internal customers the internal endpoint to call APIM? This doesn't solve the problem, as I believe if someone knows the full endpoint URL they can still call it from the external hostname. Our APIM is on the Premium SKU.

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

1 answer

  1. MuthuKumaranMurugaachari-MSFT 22,446 Reputation points Moderator
    2024-02-16T20:32:58.54+00:00

    Sumit Gaur, thanks for posting your question in Microsoft Q&A. Yes, you can create a custom domain that maps to the private virtual IP address as described in https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2#routing. This way, APIM endpoints are accessible only from the VM/services in the VNET.

    Then, you add a condition in your APIM policy to check if the request is coming from a specific host name via Context Variable - context.Request.


    I hope this helps, and let me know if you have any questions.


    If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and I would be happy to answer your questions.

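The host-name condition described in the answer could look like the API-scope policy below. This is an added example, not part of the original answer and not policy taken from the poster's environment; `api-internal.contoso.example` is a placeholder for the custom domain mapped to the private VIP, and the 403 response body is an illustrative choice.

```xml
<!-- Added example: apply at the scope of each internal-only API. -->
<!-- api-internal.contoso.example is a placeholder host name (assumption). -->
<policies>
    <inbound>
        <base />
        <choose>
            <!-- Reject any request that did not arrive on the internal custom domain.
                 context.Request.OriginalUrl.Host is the host of the URL APIM received. -->
            <when condition="@(!string.Equals(context.Request.OriginalUrl.Host, "api-internal.contoso.example", StringComparison.OrdinalIgnoreCase))">
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{"error": "This API is not available on this endpoint."}</set-body>
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The host name is taken from the request itself, so this check only separates internal from external callers if the application gateway cannot deliver a request to APIM carrying the internal host name. In practice that means the gateway has no listener or routing rule for the internal name, and internal clients resolve that name directly to the private VIP.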
