Microsoft released the private endpoint feature for APIM for all SKUs. Previously, it was only available for the Developer and Premium SKUs. In this article, we will see how to make our APIM fully private, so that APIs are published internally only. The documentation is available here: https://learn.microsoft.com/en-us/azure/api-management/private-endpoint
To start, deploy a basic APIM instance. If I run curl against the echo API that is deployed by default, we can see that it works:
curl -v "https://starwind-apim.azure-api.net/echo/resource?param1=sample"
Now, we will add our private endpoint so that we can disable public access. Go to the network tab of your APIM, open Inbound private endpoint connections, create a new private endpoint, and register it in the private DNS zone:
I created a VM, in the same VNet, to test the connectivity to this Private Endpoint:
As you can see, we can access the API through the private endpoint. The next step is to disable public access with the az rest command (this is not available in the portal currently):
az login
az rest --method patch \
  --url "https://management.azure.com/subscriptions/ce6d976b-5197-4ae5-8467-173ddf912b64/resourceGroups/Starwind/providers/Microsoft.ApiManagement/service/starwind-apim?api-version=2022-08-01" \
  --body '{"properties": {"publicNetworkAccess": "Disabled"}}'
After a few minutes, the public access is disabled:
As you can see, we can’t access the APIM anymore through the public path, but we can still reach it through the private endpoint:
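The same verification can be scripted so it is repeatable after every change. The following is an added example, not code from the original article: it assumes the JSON comes from an `az rest --method get` on the same resource URL and that the address list comes from a DNS lookup run inside the VNet; the field layout, names and sample values are constructed.

```python
import ipaddress
import json

# Constructed sample: trimmed shape of a GET on the APIM service resource
# (assumed field layout; the names are placeholders, not real resources).
SAMPLE_RESOURCE = json.loads("""
{
  "name": "example-apim",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "privateEndpointConnections": [
      {"name": "pe-apim",
       "properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}
    ]
  }
}
""")


def audit_apim_exposure(resource, resolved_ips):
    """Return a list of findings; an empty list means the instance is private-only."""
    findings = []
    props = resource.get("properties", {})

    # Assumption: a missing property is reported as if public access were enabled.
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled")

    # Without an Approved connection there is no private path into the gateway.
    approved = [
        c.get("name") for c in props.get("privateEndpointConnections") or []
        if c.get("properties", {})
            .get("privateLinkServiceConnectionState", {})
            .get("status") == "Approved"
    ]
    if not approved:
        findings.append("no Approved private endpoint connection")

    # Inside the VNet the gateway hostname should resolve to non-public addresses only
    # (is_private also accepts loopback and link-local, not just RFC 1918 ranges).
    if not resolved_ips:
        findings.append("gateway hostname did not resolve")
    for ip in resolved_ips:
        if not ipaddress.ip_address(ip).is_private:
            findings.append(f"gateway hostname resolves to public address {ip}")
    return findings


if __name__ == "__main__":
    print(audit_apim_exposure(SAMPLE_RESOURCE, ["10.0.1.5"]))
```

A finding about a public address usually means the private DNS zone is not linked to the VNet the lookup was run from.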
As you can see, it is now very simple to make an APIM private, without paying too much 😊
In the next article, we will see how to expose the APIM through an Azure Application Gateway, to make it publicly available while keeping the private part too.