Azure API Management in Internal VNet Injection Mode - DNS and Custom Domain Requirements

Taranjeet Malik 446 Reputation points
2024-04-28T05:17:47.6166667+00:00

Hi

I need to deploy an Azure APIM instance in internal VNet injection mode. We have forced tunneling enabled in our Azure environment. I've gone through the guidance in the following articles and need to clarify a couple of questions:

  1. https://learn.microsoft.com/en-us/azure/api-management/virtual-network-concepts
  2. https://learn.microsoft.com/en-us/azure/api-management/virtual-network-injection-resources?tabs=stv2
  3. https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2

Understand that when deployed in "Internal" VNet mode, the APIM has a Private IP assigned to all its endpoints (API Gateway, Developer Portal, Git / SCM) except the management plane functions (that still uses Public IP).

Questions:

  1. What's the recommended approach to resolve the private endpoint names (FQDNs) like myapim.azure-api.net, myapim.developer.azure-api.net etc. Microsoft official documentation states to use Private DNS zone, but the following article recommends to use your own / custom DNS within the VNet - https://techcommunity.microsoft.com/t5/fasttrack-for-azure/deploying-azure-api-management-in-an-internal-mode-inside-vnet/ba-p/3033493]
  2. If we're not using custom domain name for the APIM (during the testing), will it impact anything if we create a private DNS zone ending in azure-api.net to host the private IPs of the APIM services?
  3. Can the Azure Private DNS Resolver resource with outbound endpoint and forwarding ruleset to enabled be used to achieve name resolution from Azure APIM (VNet) to on-prem back-ends / services?
  4. With the forced tunneling enabled, understand that the best way to still allow management plane traffic is create a UDR to still force this traffic from Azure APIM directly to Internet (to avoid asymmetric traffic routing for the return traffic) as explained here--> https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2#force-tunnel-traffic-to-on-premises-firewall-using-expressroute-or-network-virtual-appliance. Is this correct or we should be creating exceptions in the on-prem firewall to allow this traffic (port 3443)?

Can you please help clarify the above?

Thanks

Taranjeet Singh

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,818 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sina Salam 4,311 Reputation points
    2024-04-28T14:23:37.21+00:00

    Hello Taranjeet Malik,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Problem

    Sequel to your questions, I understand that you are looking for help in setting up Azure API Management (APIM) within your company network, focusing on internal VNet injection. You're concerned about things like sorting out DNS, making sure management traffic is routed properly, and dealing with wonky traffic paths caused by forced tunneling. You also want advice that's spot-on to make sure everything runs smoothly and follows the best ways of doing things.

    Solution

    By review the documentation in the links provided and your scenarios, I will provide the holistic answers below:

    Your first question:

    What's the recommended approach to resolve the private endpoint names (FQDNs) like myapim.azure-api.net, myapim.developer.azure-api.net etc. Microsoft official documentation states to use Private DNS zone, but the following article recommends to use your own / custom DNS within the VNet - https://techcommunity.microsoft.com/t5/fasttrack-for-azure/deploying-azure-api-management-in-an-internal-mode-inside-vnet/ba-p/3033493

    Answer:

    The recommended approach, as per Microsoft documentation, is to use Private DNS zones. However, the article you mentioned suggests using custom DNS within the VNet. Both approaches can work depending on your specific requirements and setup. Using a custom DNS within the VNet might offer more control and flexibility, but it requires additional management overhead.

    For more clarifications, I will say both using Private DNS zones and custom DNS within the VNet can be viable solutions. While Microsoft documentation favors Private DNS zones, the choice depends on specific requirements and preferences, as outlined in the provided article.

    Second question:

    If we're not using custom domain name for the APIM (during the testing), will it impact anything if we create a private DNS zone ending in azure-api.net to host the private IPs of the APIM services?

    Answer:

    Creating such a private DNS zone during testing should not have a significant impact, as it helps resolve private IP addresses of APIM services within the VNet.

    Third question:

    Can the Azure Private DNS Resolver resource with outbound endpoint and forwarding ruleset to enabled be used to achieve name resolution from Azure APIM (VNet) to on-prem back-ends / services?

    Answer:

    Yes, you can use Azure Private DNS Resolver with outbound endpoint and forwarding rulesets enabled to achieve name resolution from Azure APIM (VNet) to on-premises back-ends or services. This setup allows APIM to resolve names within the VNet and forward requests to on-premises resources using the configured forwarding rules. Using Azure Private DNS Resolver is the best practice in most scenarios is the best practice.

    Finally

    Fourth question:

    With the forced tunneling enabled, understand that the best way to still allow management plane traffic is create a UDR to still force this traffic from Azure APIM directly to Internet (to avoid asymmetric traffic routing for the return traffic) as explained here--> https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2#force-tunnel-traffic-to-on-premises-firewall-using-expressroute-or-network-virtual-appliance. Is this correct or we should be creating exceptions in the on-prem firewall to allow this traffic (port 3443)?

    Answer:

    With forced tunneling enabled, the best practice is indeed to create a User Defined Route (UDR) to direct management plane traffic from Azure APIM directly to the internet. This ensures that the traffic flows consistently and avoids asymmetric routing issues. Creating exceptions in the on-premises firewall to allow traffic on port 3443 could be an alternative approach, but it might introduce complexity and potential security risks.

    References

    For more information, reading and educational purposes, endeavor to read from additional resources.

    Accept Answer

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

    0 comments No comments

0 additional answers

Sort by: Most helpful