Hi @Somiya, thanks for reaching out. From the description, I believe the actual flow is client -> App Gateway -> APIM -> Backend; please correct me if I am wrong here.
In order to limit the requests to the APIs, you can implement rate limit and quota policies; for more information, please refer to: https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies
Our data plane security model provides other methods to protect the downstream traffic to APIM, and you can use any of them to enforce more restrictions; below is a diagram that lists all the methods we provide:
You can implement any of the above methods in conjunction with the subscription key to improve security and enforce more restrictions.
https://learn.microsoft.com/en-us/azure/api-management/api-management-sample-send-request#making-the-validation-request
https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#SetUsageQuota
Kindly let me know in case of further queries; I would be happy to assist you.
Please 'Accept as answer' and 'Upvote' if it helped, so that it can help others in the community looking for help on similar topics.
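As an added illustration of the policies the answer above points to (this is example code written for this thread, not the answerer's or Microsoft's own configuration), the following APIM inbound policy combines three of the access-restriction policies from the linked documentation: an `ip-filter` that only accepts traffic arriving from the Application Gateway, a per-subscription `rate-limit-by-key`, and a daily `quota-by-key`. The address `10.0.1.4` is an assumed placeholder for the gateway's private IP, and the call counts and renewal periods are assumed values to be tuned per API:

```xml
<policies>
    <inbound>
        <base />
        <!-- Accept only requests that reach APIM from the Application Gateway.
             10.0.1.4 is a placeholder for the gateway's private frontend IP. -->
        <ip-filter action="allow">
            <address-range from="10.0.1.4" to="10.0.1.4" />
        </ip-filter>
        <!-- Short-window rate limit keyed on the caller's subscription key;
             falls back to the client IP if no subscription is present. -->
        <rate-limit-by-key calls="100"
                           renewal-period="60"
                           counter-key="@(context.Subscription?.Key ?? context.Request.IpAddress)" />
        <!-- Daily quota (86400 s) on the same key so a single subscriber
             cannot exhaust the backend over a longer window. -->
        <quota-by-key calls="10000"
                      renewal-period="86400"
                      counter-key="@(context.Subscription?.Key ?? context.Request.IpAddress)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Requests that fail the `ip-filter` are rejected with 403 before any quota is consumed; requests over the rate limit or quota receive 429 with a `Retry-After` header. Place the snippet at the API or operation scope, since `rate-limit-by-key` and `quota-by-key` are the forms intended for scopes below the product level, and note that the `*-by-key` policies are not available in the Consumption tier.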
Same question. According to this https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-overview, the Application Gateway Ingress Controller (AGIC) marries to Application Gateway, so App Gateway will be the one making the calls to AKS. I cannot figure out how APIM gets into the picture when AGIC is used?