Expose Internal APIs through Azure API Management

Carroll, Chris 20 Reputation points
2024-05-16T12:04:35.08+00:00

I would like to expose our APIs which are hosted on-prem and are inside our network to external vendors through the Azure API Management service. We would like to provide service account credentials to our vendors and secure the endpoints with Azure AD/Entra. I am having difficulty finding practical guidance on how to go about doing this. I would like to know of any limitations based on the implementation I've outlined, such as whether the internal APIs can be hosted on-prem.

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

Accepted answer
  1. Ben Gimblett 3,655 Reputation points Microsoft Employee
    2024-05-17T11:10:41.72+00:00

    Hi Chris - thanks for the question

    Today you have a choice to use either "premium" (which is now referred to as part of the "classic" tiers), which is fully part of the virtual network.

    Or, you can opt for Standard V2, which allows outbound calls into a VNet/subnet, and therefore onto another connected network. The difference here from a networking point of view is that V2 is not part of your VNet; rather, you link it to your VNet/subnet so it can make outbound calls (e.g. to a backend which is otherwise private).

    In both cases you'd require on-prem to Az and Az to on-premises DNS resolution and a network path from on-premises to Azure and vice versa (over an ExpressRoute link or VPN).

    In both cases any NVA (firewall, reverse proxy, etc.) would need to allow the traffic so APIM can address your on-premises backend.

    For more info, see https://learn.microsoft.com/en-us/azure/api-management/virtual-network-concepts

    For the authorization, this is possible as explained here: https://learn.microsoft.com/en-us/azure/api-management/authentication-authorization-overview

    Note: Whilst Az PaaS supports modern auth, it doesn't support Windows auth (Kerberos/NTLM).

    Please have a read of the high-level concepts here and add comments for further info.

    1 person found this answer helpful.
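
To make the Entra-based authorization mentioned in the answer concrete, here is an added example (not part of the original answer and not taken from the linked documentation): an APIM policy that admits only tokens issued by your tenant to known vendor app registrations, then forwards the call to the private on-premises backend. The named value `entra-tenant-id`, the application IDs, the audience, the `Vendor.Read` role and the backend hostname are all placeholder assumptions.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject the call unless it carries a bearer token issued by our
             Entra tenant. {{entra-tenant-id}} is an assumed APIM named value. -->
        <validate-azure-ad-token tenant-id="{{entra-tenant-id}}"
                                 header-name="Authorization"
                                 failed-validation-httpcode="401"
                                 failed-validation-error-message="Unauthorized">
            <!-- Allow-list of vendor app registrations (the "service accounts").
                 Placeholder GUIDs: one entry per vendor, so access can be
                 revoked per vendor by removing its ID. -->
            <client-application-ids>
                <application-id>00000000-0000-0000-0000-000000000001</application-id>
                <application-id>00000000-0000-0000-0000-000000000002</application-id>
            </client-application-ids>
            <!-- The token must have been requested for this API, not for some
                 other resource in the tenant. Placeholder audience. -->
            <audiences>
                <audience>api://00000000-0000-0000-0000-0000000000aa</audience>
            </audiences>
            <!-- Require an app role granted to the vendor's service principal.
                 "Vendor.Read" is a hypothetical role name. -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>Vendor.Read</value>
                </claim>
            </required-claims>
        </validate-azure-ad-token>
        <!-- Forward to the on-premises API. The hostname is a placeholder and
             must resolve over the VNet / ExpressRoute / VPN path. -->
        <set-backend-service base-url="https://orders-api.corp.example" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Vendors would obtain tokens with the OAuth 2.0 client credentials flow against their own app registration; the on-premises backend still needs its own control that only APIM can reach it, since this policy protects only the gateway entry point.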
