There are general guidance documents; by using them you can adapt the firewall rules:
https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet
https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview
As a summary:
- Internal VNet mode implies forced tunneling. All outbound traffic will be routed through the Azure Firewall. You must ensure appropriate routing and firewall rules allow the required communication.
- Both the APIM management endpoint and developer portal require outbound connectivity.
- Your APIM instance likely communicates with backend APIs or services. Identify the firewall rules needed to allow this traffic.
And while creating them, it is better to use service tags:
https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview
Required rules:

| Source | Destination | Protocol | Ports | Action |
|---|---|---|---|---|
| ApiManagement | APIM Subnet | TCP | 3443 | Allow |
| APIM Subnet | Internet | HTTPS | 443 | Allow |
| APIM Subnet | AzureStorage | HTTPS | 443 | Allow |
| APIM Subnet | <Backend Service IP> | <Backend Protocol> | <Backend Port> | Allow |
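The four rows of the table above expressed as an NSG for the APIM subnet, as an added Bicep example (not part of the answer above or of Microsoft's documentation). The NSG name, the subnet prefix default, and the backend IP/port parameters are assumed placeholders; the `Storage` service tag is used for the "AzureStorage" row, and under forced tunneling the Azure Firewall still needs matching network/application rules for the outbound rows.

```bicep
// Added example: NSG rules for an APIM instance in internal VNet mode.
// Assumed values: NSG name, subnet prefix default, backend IP/port parameters.
param location string = resourceGroup().location
param apimSubnetPrefix string = '10.0.1.0/24'   // assumed APIM subnet range
param backendIp string                           // <Backend Service IP>
param backendPort string = '443'                 // <Backend Port>

// One entry per table row. Priorities only need to be unique per direction.
var rules = [
  // ApiManagement -> APIM Subnet, TCP 3443 (management endpoint traffic)
  { name: 'Allow-ApiManagement-Inbound-3443', priority: 100, direction: 'Inbound', src: 'ApiManagement', dst: apimSubnetPrefix, port: '3443' }
  // APIM Subnet -> Internet, 443 (still forced through Azure Firewall by the UDR)
  { name: 'Allow-Internet-Outbound-443', priority: 100, direction: 'Outbound', src: apimSubnetPrefix, dst: 'Internet', port: '443' }
  // APIM Subnet -> Azure Storage, 443 ('Storage' is the service tag name)
  { name: 'Allow-Storage-Outbound-443', priority: 110, direction: 'Outbound', src: apimSubnetPrefix, dst: 'Storage', port: '443' }
  // APIM Subnet -> backend service (IP and port supplied as parameters)
  { name: 'Allow-Backend-Outbound', priority: 120, direction: 'Outbound', src: apimSubnetPrefix, dst: backendIp, port: backendPort }
]

resource apimNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-apim-internal'   // assumed name
  location: location
  properties: {
    // Expand the rule table into securityRules; everything here is TCP/Allow.
    securityRules: [for r in rules: {
      name: r.name
      properties: {
        priority: r.priority
        direction: r.direction
        access: 'Allow'
        protocol: 'Tcp'
        sourceAddressPrefix: r.src
        sourcePortRange: '*'
        destinationAddressPrefix: r.dst
        destinationPortRange: r.port
      }
    }]
  }
}
```

Associate the NSG with the APIM subnet and keep the subnet's route table pointing at the Azure Firewall; the NSG only permits the flows, the firewall is what actually inspects them.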