• 4 min read

Secure your APIs with Private Link support for Azure API Management

We are happy to announce the preview of Azure Private Link support for Azure API Management service. With Azure Private Link we can create a private endpoint for the gateway component, which will be exposed through a private IP within your virtual network.

Azure API Management is a fully managed service that enables customers to publish, secure, transform, maintain, and monitor APIs. With a few clicks in the Azure portal, you can create an API facade that acts as a “front door” through which external and internal applications can access data or business logic implemented by your custom-built backend services, running on Azure, for example on Azure App Service or Azure Kubernetes Service, or hosted outside of Azure, in a private datacenter or on-premises. Azure API Management handles all the tasks involved in mediating API calls, including request authentication and authorization, rate limit and quota enforcement, request and response transformation, logging and tracing, and API version management.

Azure API Management helps you in:

  • Unlocking legacy assets—APIs are used to abstract and modernize legacy backends and make them accessible from new cloud services and modern applications. APIs allow innovation without the risk, cost, and delays of migration.
  • Create API-centric app integration—APIs are easily consumable, standards-based, and self-describing mechanisms for exposing and accessing data, applications, and processes. They simplify and reduce the cost of app integration.
  • Enable multi-channel user experiences—APIs are frequently used to enable user experiences such as web, mobile, wearable, or Internet of Things (IoT applications. Reuse APIs to accelerate development and return on investment (ROI).
  • Business-to-business (B2B) integration—APIs exposed to partners and customers lower the barrier to integrate business processes and exchange data between business entities. APIs eliminate the overhead inherent in point-to-point integration. Especially with self-service discovery and onboarding enabled, APIs are the primary tools for scaling B2B integration.

We are happy to announce the preview of Azure Private Link support for Azure API Management service. If you are not familiar with Azure API Management, when you deploy this service, you get three main components: Azure portal, gateway, and management plane. With Azure Private Link we can create a private endpoint for the gateway component, which will be exposed through a private IP within your virtual network. This will allow inbound traffic coming to the private IP to reach Azure API Management gateway.

Azure Private Link

With Azure Private Link, communications between your virtual network and the Azure API Management gateway travel over the Microsoft backbone network privately and securely, eliminating the need to expose the service to public internet. To learn more about Azure Private Link technology and platform as a service (PaaS) services that support it, you can review our Azure Private Link documentation.

Key benefits of Azure Private Link

Through this functionality we will provide the same consistent experience found in other PaaS services with private endpoints:

  • Private access from Azure Virtual Network resources, peered networks, and on-premises networks.
  • Built-in data exfiltration protection for Azure resources.
  • Predictable private IP addresses for PaaS resources.
  • Consistent and unified experience across PaaS services.

Private endpoints and public endpoints

Architecture diagram depicting the secure and private connectivity to Azure API Management Gateway-when using Azure Private Link.

Figure 1: Architecture diagram depicting the secure and private connectivity to Azure API Management Gateway—when using Azure Private Link.

Azure Private Link provides private endpoints to be available through private IPs. In the above case, the contoso.azure-api.net gateway has a private IP of 10.0.0.6 which is only available to resources in contoso-apim-eastus-vnet. This allows the resources in this virtual network to securely communicate. The other resources may be restricted to resources only within the virtual network.

At the same time, the public endpoint for the contoso.azure-api.net gateway may still be public for the development team. In this release, Azure Private Link will support disabling the public endpoint, limiting access to only private endpoints, configured under Private Link.

How to decide which networking model to use with Azure API Management?

Azure API Management also supports virtual network injection, allowing all components to be deployed inside a virtual network. With the addition of private endpoints, we have the following options for integrating inside a custom Azure Virtual Network:

 

Network model

Supported tiers

Supported components

Supported traffic

Virtual network—external

Developer and Premium.

Azure portal, gateway, management plane, and Git repository.

Inbound and outbound traffic can be allowed to internet, peered virtual networks, Express Route, and VPN S2S connections.

Virtual network—internal

Developer and Premium.

Developer portal, Gateway, Management Plane, and Git repository.

Inbound and outbound traffic can be allowed to peered virtual networks, Express Route, and VPN S2S connections.

Private endpoint connection (preview)

Developer, Basic, Standard, and Premium.

Gateway only (managed gateway supported, self-hosted gateway not supported).

Only inbound traffic can be allowed to internet, peered virtual networks, Express Route, and VPN S2S connections.

At this moment, these three options are mutually exclusive, you cannot choose a virtual network integration option (external or internal) in combination with private endpoint connections. Also notice that only our managed gateways will support private endpoint connections, the Self-Hosted Gateway does not support private endpoints in Azure.

Preview limitations

During the preview period, we will only support inbound traffic coming to the gateway, instances using STV2 compute platform, all pricing tiers except consumption, and Azure Private Link is limited to instances that are not using virtual network injection (internal or external). The feature will move to general availability as we assess feedback.

With the preview of Azure Private Link for Azure API Management, you are now empowered to bring your Azure API Management instances to a virtual network using the same consistent experience of other Azure PaaS services. You can create and manage private endpoints for the gateway of your Azure API Management instance. We will be sharing more updates and content in the future, so stay tuned for new updates towards the general availability of this feature.

Learn more