Use a virtual network with Azure API Management

API Management provides several options to secure access to your API Management instance and APIs using an Azure virtual network. API Management supports the following options, which are mutually exclusive:

  • Integration (injection) of the API Management instance into the virtual network, enabling the gateway to access resources in the network.

    You can choose one of two integration modes: external or internal. They differ in whether inbound connectivity to the gateway and other API Management endpoints is allowed from the internet or only from within the virtual network.

The following table compares virtual networking options. For more information, see later sections of this article and links to detailed guidance.

| Networking model | Supported tiers | Supported components | Supported traffic | Usage scenario |
|---|---|---|---|---|
| Virtual network - external | Developer, Premium | Azure portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to the internet, peered virtual networks, ExpressRoute, and S2S VPN connections. | External access to private and on-premises backends |
| Virtual network - internal | Developer, Premium | Developer portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to peered virtual networks, ExpressRoute, and S2S VPN connections. | Internal access to private and on-premises backends |

Virtual network integration

With Azure virtual networks (VNets), you can place ("inject") your API Management instance in a non-internet-routable network to which you control access. In a virtual network, your API Management instance can securely access other networked Azure resources and also connect to on-premises networks using various VPN technologies. To learn more about Azure VNets, start with the information in the Azure Virtual Network Overview.

You can use the Azure portal, Azure CLI, Azure Resource Manager templates, or other tools for the configuration. You control inbound and outbound traffic into the subnet in which API Management is deployed by using network security groups.

For detailed deployment steps and network configuration, see the deployment guidance for the integration mode you choose (external or internal).

Access options

Using a virtual network, you can configure the developer portal, API gateway, and other API Management endpoints to be accessible either from the internet (external mode) or only within the VNet (internal mode).

  • External - The API Management endpoints are accessible from the public internet via an external load balancer. The gateway can access resources within the VNet.

    Diagram showing a connection to external VNet.

    Use API Management in external mode to access backend services deployed in the virtual network.

  • Internal - The API Management endpoints are accessible only from within the VNet via an internal load balancer. The gateway can access resources within the VNet.

    Diagram showing a connection to internal VNet.

    Use API Management in internal mode to:

    • Make APIs hosted in your private datacenter securely accessible by third parties by using Azure VPN connections or Azure ExpressRoute.
    • Enable hybrid cloud scenarios by exposing your cloud-based APIs and on-premises APIs through a common gateway.
    • Manage your APIs hosted in multiple geographic locations, using a single gateway endpoint.

Network resource requirements

The following are virtual network resource requirements for API Management.

  • An Azure Resource Manager virtual network is required.
  • The subnet used to connect to the API Management instance must be dedicated to API Management. It can't contain other Azure resource types.
  • The API Management service, virtual network, and subnet resources must be in the same region and subscription.
  • For multi-region API Management deployments, configure virtual network resources separately for each location.

Subnet size

The minimum size of the subnet in which API Management can be deployed is /29, which gives three usable IP addresses. Each extra scale unit of API Management requires two more IP addresses. The minimum size requirement is based on the following considerations:

  • Azure reserves some IP addresses within each subnet that can't be used. The first and last IP addresses of the subnet are reserved for protocol conformance. Three more addresses are used for Azure services. For more information, see "Are there any restrictions on using IP addresses within these subnets?"

  • In addition to the IP addresses used by the Azure VNet infrastructure, each API Management instance in the subnet uses:

    • Two IP addresses per unit of Premium SKU, or
    • One IP address for the Developer SKU.

  • When deploying into an internal VNet, the instance requires an extra IP address for the internal load balancer.
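The sizing rules above (five addresses reserved by Azure per subnet, two addresses per Premium unit or one for Developer, one more for an internal load balancer, and a /29 minimum) are easy to get wrong when planning a subnet. The following Python check is an added example, not code from the article or from Azure; it turns those rules into a pre-deployment planning check and assumes the subnet is dedicated to a single API Management instance in one region, as the requirements section states.

```python
import ipaddress

# Azure reserves the first and last address of every subnet plus three more
# for Azure services, as described in the subnet size section above.
AZURE_RESERVED_PER_SUBNET = 5
# Addresses consumed by the instance, by SKU: two per Premium unit, one for Developer.
ADDRESSES_PER_PREMIUM_UNIT = 2
DEVELOPER_ADDRESSES = 1
INTERNAL_LB_ADDRESSES = 1   # extra address for the internal load balancer
MIN_PREFIX_LENGTH = 29      # /29 is the smallest subnet API Management accepts


def usable_addresses(cidr: str) -> int:
    """Addresses left for workloads once Azure's reserved addresses are removed."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def required_addresses(sku: str, units: int, internal: bool) -> int:
    """Addresses one API Management instance needs in this region's subnet."""
    if units < 1:
        raise ValueError("units must be >= 1")
    if sku == "Premium":
        needed = ADDRESSES_PER_PREMIUM_UNIT * units
    elif sku == "Developer":
        needed = DEVELOPER_ADDRESSES
    else:
        raise ValueError(f"unsupported SKU for VNet integration: {sku}")
    return needed + (INTERNAL_LB_ADDRESSES if internal else 0)


def min_prefix_length(sku: str, units: int, internal: bool) -> int:
    """Longest prefix (smallest subnet) that still fits the instance, capped at /29."""
    needed = required_addresses(sku, units, internal)
    for prefix in range(MIN_PREFIX_LENGTH, 0, -1):
        if (2 ** (32 - prefix)) - AZURE_RESERVED_PER_SUBNET >= needed:
            return prefix
    raise ValueError("no IPv4 subnet is large enough")


def fits(cidr: str, sku: str, units: int, internal: bool) -> bool:
    """True if the candidate subnet can hold the planned instance."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > MIN_PREFIX_LENGTH:
        return False  # smaller than the documented /29 minimum
    return usable_addresses(cidr) >= required_addresses(sku, units, internal)


if __name__ == "__main__":
    # Constructed sample plans, not taken from any real deployment.
    for cidr, sku, units, internal in [("10.0.1.0/29", "Premium", 1, True),
                                       ("10.0.1.0/29", "Premium", 2, True),
                                       ("10.0.1.0/28", "Premium", 2, True)]:
        mode = "internal" if internal else "external"
        print(f"{cidr} {sku} x{units} {mode}: fits={fits(cidr, sku, units, internal)}")
```

For multi-region deployments, run the check once per region, since each location gets its own subnet.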

Routing

See the Routing guidance when deploying your API Management instance into an external VNet or internal VNet.

Learn more about the IP addresses of API Management.

DNS

  • In external mode, the VNet enables Azure-provided name resolution by default for your API Management endpoints and other Azure resources. It doesn't provide name resolution for on-premises resources. Optionally, configure your own DNS solution.

  • In internal mode, you must provide your own DNS solution to ensure name resolution for API Management endpoints and other required Azure resources. We recommend configuring an Azure private DNS zone.

For more information, see the DNS guidance when deploying your API Management instance into an external VNet or internal VNet.

Important

If you plan to use a custom DNS solution for the VNet, set it up before deploying an API Management service into it. Otherwise, you'll need to update the API Management service each time you change the DNS server(s) by running the Apply Network Configuration Operation, or by selecting Apply network configuration in the service instance's network configuration window in the Azure portal.

Limitations

  • A subnet containing API Management instances can't be moved across subscriptions.
  • For multi-region API Management deployments configured in internal VNet mode, users own the routing and are responsible for managing the load balancing across multiple regions.
  • To import an API to API Management from an OpenAPI specification, the specification URL must be hosted at a publicly accessible internet address.
  • Due to platform limitations, connectivity between a resource in a globally peered VNet in another region and an API Management service in internal mode won't work. For more information, see the virtual network documentation.
