anthonyb19

Reputation: 1

Azure API Management with internal backend API

I have an internal service that is deployed on a Windows VM within a virtual network and doesn't have access to the internet.

This service has API endpoints that I would like to expose to our clients. The service itself doesn't offer any authentication, so I'm looking at using Azure API Management to sit in front of it and handle OAuth2 authentication before forwarding the request on to the service.

I'm getting a little confused by the different SKUs offered with API Management, though. Am I right in thinking that, without exposing the service to the internet, the only way for API Management to be able to route traffic to it is if API Management is deployed on a VNET (which would then require the expensive Premium SKU)?

If so, are there any other options for my above requirement where I could use, say, the Consumption SKU? (Expose to internet but lock down to only allow API Management traffic?)

Not sure if it matters, but the plan is to also have an application gateway + WAF sit in front of the APIM.

Thanks for any help you can give me!

Upvotes: 0

Views: 485

Answers (1)

PramodValavala

Reputation: 6647

That is correct. Currently, to deploy into a VNET you need to use the Azure APIM Premium Tier.

If it is acceptable to expose the API in the VM to the internet, you can set up NSG rules to allow traffic from APIM to access the VM.

But since the Consumption Plan does not have a static IP address, you would have to opt for at least the Basic Tier.

Also, note that the traffic from your VM to APIM would be over the public internet, so ensure it is encrypted (HTTPS), and perhaps even leverage mutual certificate authentication.

You could also use other services here instead of directly exposing the VM, such as Application Gateway or Azure Firewall, or use a reverse proxy like Nginx deployed in the VNET and exposed. This service could have aspects like SSL termination and mutual certificate authentication, letting you decouple these requirements from your API.

Upvotes: 0
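
The reverse-proxy option from the answer above, sketched as an Nginx server block. This is an added example, not part of the original answer or any vendor's configuration; the hostname, certificate paths, APIM address (203.0.113.10) and backend address (10.0.1.4:8080) are assumed placeholders.

```nginx
# Added example: Nginx in the VNET, exposed in place of the unauthenticated VM.
# Every name, path and address here is an assumed placeholder.
server {
    listen 443 ssl;
    server_name api-proxy.example.com;

    # SSL termination happens here, so the backend API needs no TLS changes.
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Mutual certificate authentication: only clients presenting a certificate
    # issued by this CA are accepted. Use a CA that signs nothing but the
    # client certificate configured on the APIM backend.
    ssl_client_certificate /etc/nginx/tls/apim-client-ca.crt;
    ssl_verify_client      on;

    # Network allow-list: the static public IP of the APIM instance
    # (Basic tier or above, per the answer). Everything else is refused.
    allow 203.0.113.10;
    deny  all;

    location / {
        # Forward to the internal service over the private VNET address.
        proxy_pass http://10.0.1.4:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # Pass the verified client identity on for backend logging.
        proxy_set_header X-Client-Cert-DN  $ssl_client_s_dn;
    }
}
```

The same source-address restriction belongs in the NSG on the proxy's subnet, so a request has to pass both the network rule and the certificate check before it reaches the backend.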
