api-management-using-with-vnet.md

title	description	services	author	ms.service	ms.topic	ms.date	ms.author
Deploy Azure API Management instance to external VNet	Learn how to deploy (inject) your Azure API instance to a virtual network in external mode and access API backends through it.	api-management	dlepow	azure-api-management	how-to	05/15/2024	danlep

Deploy your Azure API Management instance to a virtual network - external mode

[!INCLUDE premium-dev.md]

Azure API Management can be deployed (injected) inside an Azure virtual network (VNet) to access backend services within the network. For VNet connectivity options, requirements, and considerations, see:

• Using a virtual network with Azure API Management
• Network resource requirements for API Management injection into a virtual network

This article explains how to set up VNet connectivity for your API Management instance in the external mode, where the developer portal, API gateway, and other API Management endpoints are accessible from the public internet, and backend services are located in the network.

:::image type="content" source="media/api-management-using-with-vnet/api-management-vnet-external.png" alt-text="Connect to external VNet":::

For configurations specific to the internal mode, where the endpoints are accessible only within the VNet, see Deploy your Azure API Management instance to a virtual network - internal mode.

[!INCLUDE updated-for-az]

[!INCLUDE api-management-service-update-behavior]

[!INCLUDE api-management-virtual-network-prerequisites]

Enable VNet connection

Enable VNet connectivity using the Azure portal (stv2 compute platform)

1. Go to the Azure portal to find your API management instance. Search for and select API Management services.

2. Choose your API Management instance.

3. Select Network.

4. Select the External access type. :::image type="content" source="media/api-management-using-with-vnet/api-management-menu-vnet.png" alt-text="Select VNet in Azure portal.":::

5. In the list of locations (regions) where your API Management service is provisioned:

   1. Choose a Location.
   2. Select Virtual network, Subnet, and (optionally) IP address.

   • The VNet list is populated with Resource Manager VNets available in your Azure subscriptions, set up in the region you are configuring.

     :::image type="content" source="media/api-management-using-with-vnet/api-management-using-vnet-select.png" alt-text="VNet settings in the portal.":::

6. Select Apply. The Network page of your API Management instance is updated with your new VNet and subnet choices.

7. Continue configuring VNet settings for the remaining locations of your API Management instance.

8. In the top navigation bar, select Save.

Enable connectivity using a Resource Manager template (stv2 compute platform)

• Azure Resource Manager template (API version 2021-08-01)

  :::image type="content" source="~/reusable-content/ce-skilling/azure/media/template-deployments/deploy-to-azure-button.svg" alt-text="Button to deploy the Resource Manager template to Azure." border="false" link="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-external-vnet-publicip%2Fazuredeploy.json":::

Enable connectivity using Azure PowerShell cmdlets (stv1 platform)

Create or update an API Management instance in a VNet.

[!INCLUDE api-management-recommended-nsg-rules]

Connect to a web service hosted within a virtual network

Once you've connected your API Management service to the VNet, you can access backend services within it just as you do public services. When creating or editing an API, type the local IP address or the host name (if a DNS server is configured for the VNet) of your web service into the Web service URL field.

:::image type="content" source="media/api-management-using-with-vnet/api-management-using-vnet-add-api.png" alt-text="Add API from VNet":::

Custom DNS server setup

In external VNet mode, Azure manages the DNS by default. You can optionally configure a custom DNS server.

The API Management service depends on several Azure services. When API Management is hosted in a VNet with a custom DNS server, it needs to resolve the hostnames of those Azure services.

• For guidance on custom DNS setup, including forwarding for Azure-provided hostnames, see Name resolution for resources in Azure virtual networks.
• Outbound network access on port 53 is required for communication with DNS servers. For more settings, see Virtual network configuration reference.

Important

If you plan to use a custom DNS server(s) for the VNet, set it up before deploying an API Management service into it. Otherwise, you'll need to update the API Management service each time you change the DNS Server(s) by running the Apply Network Configuration Operation.

Routing

• A load-balanced public IP address (VIP) is reserved to provide access to the API Management endpoints and resources outside the VNet.
  • The public VIP can be found on the Overview/Essentials blade in the Azure portal.

For more information and considerations, see IP addresses of Azure API Management.

[!INCLUDE api-management-virtual-network-vip-dip]

[!INCLUDE api-management-virtual-network-forced-tunneling]

Common network configuration issues

This section has moved. See Virtual network configuration reference.

[!INCLUDE api-management-virtual-network-troubleshooting]

Related content

Learn more about:

• Virtual network configuration reference
• Connecting a virtual network to backend using VPN Gateway
• Connecting a virtual network from different deployment models
• Debug your APIs using request tracing
• Virtual Network frequently asked questions
• Service tags