anonymous user Thank you for reaching out to Microsoft Q&A. Custom domains can be set at Gateway, Developer, Management or SCM endpoints depending on the service tier. They cannot be done at a Product or API level since the validation happens during TLS handshake at the gateway level (Product and API fall under gateway endpoint). Check docs: https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain?tabs=custom#how-api-management-proxy-server-responds-with-ssl-certificates-in-the-tls-handshake for more info on this.
All APIs are accessible across custom domains. But if you like to restrict a product API(s) to one domain like developerapis.neo.com, you can then create a custom policy like below at product level (or API level) and return 401: unauthorized access when accessed from other domains.
Sample Policy snippet
<choose>
<when condition="@(context.Request.OriginalUrl.Host != "developerapis.neo.com")">
<return-response>
<set-status code="401" reason="Unauthorized"/>
</return-response>
</when>
</choose>
For more info check
context variable - https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ContextVariables
return-response - https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#ReturnResponse
set-status - https://learn.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#SetStatus
I hope this answers your question and feel free to add if you have any questions :). Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.