What is the use case of Private Endpoints on API Gateway?

Jerghiuta, Dan 31 Reputation points

I was excited to hear last month that private endpoints for API management are in preview https://azure.microsoft.com/en-in/blog/secure-your-apis-with-private-link-support-for-azure-api-management/. When I started to try it out though, I'm confused about its target use case.

The API gateway can either be deployed in a VNet, or have a private endpoint, but not both.

  • If I deploy it in a VNet, it can communicate privately with the backends through the VNet, but the inbound communication comes over a public endpoint.
  • If I deploy it with a private endpoint, the inbound communication is private. But without a VNet integration for outbound, the communication with the back-ends is public.

Am I missing something? Is there a way to have the traffic private end-to-end? I have internal APIs that I'd like to expose to internal services without having to expose them publicly.

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,861 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
481 questions
{count} votes

Accepted answer
  1. VenkateshDodda-MSFT 19,621 Reputation points Microsoft Employee

    @Liviu Jerghiuta , Thanks for reaching out. Unfortunately, using private endpoints it is not possible to have end-to-end (inbound, outbound) private traffic in APIM.
    I would suggest you raise a feedback request using the link.I will check with my team on this feature request and will keep you posted.

    **Update 04/25: **
    I have gotten an update from my team as of now there is no private end-to-end (inbound, outbound) private traffic support in APIM. The team is currently working on this feature request but unfortunately there is no ETA as of now. If there are any updates in future, I will update this thread.

    2 people found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. Bas Pruijn 951 Reputation points

    I do agree the use cases for private endpoints are somewhat limited. However, if you want to use API Mgt to harmonize your outbound API calls to third parties, you can make sure the connection between your own code and API Mgt is secured, and that only API Mgt will execute the outbound calls.

    It would be great to see API Mgt having an outbound VNET integration, like functions and app services do. Preferably not only in the highest (most expensive) tiers.

    You could link API Mgr with Application Gateway and only allow API Mgt to connect to the Application Gateway. This combination would close the loop for you, where you will have secure connection from VNET to API Mgt via private link, and then a secure connection from API Mgt to VNET via Application Gateway. This is a working, quite secure, set-up.

    0 comments No comments

  2. Jerghiuta, Dan 31 Reputation points

    @Bas Pruijn you are right, the combination App Gateway -> private DNS -> APIM with internal vnet integration -> private endpoints to back end is possible now and it works quite well.
    My comment was in regards to the private endpoint at the front-end of the APIM, which is the new feature. App Gateway also has the feature, but to my knowledge it hasn't reached GA yet.

    I would like to be able to route some traffic privately in this chain. So far there are two candidates for a solution:

    • App Gateway private link
    • APIM private endpoint if it could coexist with internal vnet integration

    Whichever goes GA first, it's a winner for me. For now I'm still waiting.