Azure APIM Internal Vnet integration. Not able to deploy/create APIs & [Failed to connect to management endpoint]

Question

I have Azure APIM setup and deployed few apis into the apim instance using the azure devops pipelines. Later we wanted to Integrate the APIM with the Vnet, so assigned the apim instance to a Vnet, with dedicated subnet and also assigned NSG rules with recommended ports open as per the MSFT documentation. Also attached certificates and defined some custom domain names as well. But end of the day, I was not able to see and APIs nor create/deploy the to the instance again. Not exactly sure what the issue is?

This is one of the error I see everytime I get to the instance page.

**Failed to connect to management endpoint at apim-xxx-xxx-dev-xxx.management.azure-api.net:3443 for a service deployed in a virtual network. Make sure to follow guidance at https://aka.ms/apim-vnet-common-issues.**

Not sure whether this is the issue or something else....

Any help or information is highly appreciated.

Answer 1

As @wali mentioned in his answer, with the internal VNet integration, all APIM service endpoints can only be accessed from within the VNet.

If you want to expose backend APIs in a VNet to external users via APIM, you can consider using the external VNet integration.

If you want both the external and internal users to access the APIs via APIM, you can use the internal VNet integration with an Application Gateway, like what is mentioned in this document.

Answer 2

In the internal VNet integration, the API Management gateway and developer portal are accessible only from within the virtual network via an internal load balancer. See the documentation here. In this type of deployment, you will have to use a VPN or express route connection to the Azure VNet.