Merge pull request #293867 from dlepow/peupd

[APIM] PE scenarios

Author: Stacyrch140

articles/api-management/integrate-vnet-outbound.md

@@ -5,20 +5,20 @@ author: dlepow
 ms.author: danlep
 ms.service: azure-api-management
 ms.topic: how-to 
-ms.date: 03/20/2025
+ms.date: 04/03/2025
 ---
 
 # Integrate an Azure API Management instance with a private virtual network for outbound connections 
 
 [!INCLUDE [api-management-availability-standardv2-premiumv2](../../includes/api-management-availability-standardv2-premiumv2.md)] 
 
-This article guides you through the process of configuring *virtual network integration* for your Standard v2 or Premium v2 (preview) Azure API Management instance. With virtual network integration, your instance can make outbound requests to APIs hosted in a delegated subnet of a single connected virtual network.
+This article guides you through the process of configuring *virtual network integration* for your Standard v2 or Premium v2 (preview) Azure API Management instance. With virtual network integration, your instance can make outbound requests to APIs that are isolated in a single connected virtual network.
 
 When an API Management instance is integrated with a virtual network for outbound requests, the gateway and developer portal endpoints remain publicly accessible. The API Management instance can reach both public and network-isolated backend services.
 
 :::image type="content" source="./media/integrate-vnet-outbound/vnet-integration.png" alt-text="Diagram of integrating API Management instance with a virtual network for outbound traffic."  :::
 
-If you want to inject a Premium v2 API Management instance into a virtual network to isolate both inbound and outbound traffic, see [Inject a Premium v2 instance into a virtual network](inject-vnet-v2.md).
+If you want to inject a Premium v2 (preview) API Management instance into a virtual network to isolate both inbound and outbound traffic, see [Inject a Premium v2 instance into a virtual network](inject-vnet-v2.md).
 
 > [!IMPORTANT]
 > * Outbound virtual network integration described in this article is available only for API Management instances in the Standard v2 and Premium v2 tiers. For networking options in the different tiers, see [Use a virtual network with Azure API Management](virtual-network-concepts.md).
@@ -48,7 +48,7 @@ If you want to inject a Premium v2 API Management instance into a virtual networ
 
 ### Network security group
 
-A network security group must be associated with the subnet. No specific rules are required. To set up a network security group, see [Create a network security group](../virtual-network/manage-network-security-group.md).
+A network security group must be associated with the subnet. Configure any network security group rules that you need for the gateway to access your API backends. To set up a network security group, see [Create a network security group](../virtual-network/manage-network-security-group.md).
 
 ### Subnet delegation
 
@@ -76,21 +76,14 @@ You must have at least the following role-based access control permissions on th
 
 ## Configure virtual network integration
 
-This section guides you through the process of configure external virtual network integration for an existing Azure API Management instance.
+This section guides you through the process to configure external virtual network integration for an existing Azure API Management instance. You can also configure virtual network integration when you create a new API Management instance.
 
 
 1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.
-1. In the left menu, under **Deployment + Infrastructure**, select **Network**.
-1. On the **Outbound traffic** card, select **virtual network integration**.
-
-    :::image type="content" source="media/integrate-vnet-outbound/integrate-vnet.png" lightbox="media/integrate-vnet-outbound/integrate-vnet.png" alt-text="Screenshot of virtual network integration in the portal.":::
-
-1. In the **Virtual network** blade, enable the **Virtual network** checkbox.
-1. Select the location of your API Management instance.
-1. In **Virtual network**, select the virtual network and the delegated subnet that you want to integrate. 
-1. Select **Apply**, and then select **Save**. The virtual network is integrated.
-
-    :::image type="content" source="media/integrate-vnet-outbound/vnet-settings.png" lightbox="media/integrate-vnet-outbound/vnet-settings.png" alt-text="Screenshot of virtual network settings in the portal.":::
+1. In the left menu, under **Deployment + Infrastructure**, select **Network** > **Edit**.
+1. On the **Network configuration** page, under **Outbound features**, select **Enable** virtual network integration.
+1. Select the virtual network and the delegated subnet that you want to integrate. 
+1. Select **Save**. The virtual network is integrated.
 
 ## (Optional) Test virtual network integration
 

articles/api-management/media/integrate-vnet-outbound/integrate-vnet.png

@@ -5,7 +5,7 @@ ms.service: azure-api-management
 author: dlepow
 ms.author: danlep
 ms.topic: how-to
-ms.date: 12/13/2024
+ms.date: 04/04/2025
 ---
 
 # Connect privately to API Management using an inbound private endpoint
@@ -15,7 +15,7 @@ ms.date: 12/13/2024
 You can configure an inbound [private endpoint](../private-link/private-endpoint-overview.md) for your API Management instance to allow clients in your private network to securely access the instance over [Azure Private Link](../private-link/private-link-overview.md). 
 
 > [!NOTE]
-> Private endpoint support in the Standard v2 tier is currently in limited preview. To sign up, fill [this form](https://aka.ms/privateendpointpreview).
+> Private endpoint support in the Standard v2 tier is currently in preview. 
 
 * The private endpoint uses an IP address from an Azure virtual network in which it's hosted.
 
@@ -29,11 +29,20 @@ You can configure an inbound [private endpoint](../private-link/private-endpoint
 
 ## Limitations
 
-* Only the API Management instance's Gateway endpoint supports inbound Private Link connections. 
+* Only the API Management instance's **Gateway endpoint** supports inbound Private Link connections. 
 * Each API Management instance supports at most 100 Private Link connections.
 * Connections aren't supported on the [self-hosted gateway](self-hosted-gateway-overview.md) or on a [workspace gateway](workspaces-overview.md#workspace-gateway). 
 * In the classic API Management tiers, private endpoints aren't supported in instances injected in an internal or external virtual network.
 
+## Typical scenarios
+
+Use an inbound private endpoint to enable private-only access directly to the API Management gateway to limit exposure of sensitive data or backends.
+
+Supported configurations include:
+
+* Pass client requests through a firewall and configure rules to route requests privately to the API Management gateway.
+* Configure Azure Front Door (or Azure Front Door with Azure Application Gateway) to receive external traffic and then route traffic privately to the API Management gateway. For example, see [Connect Azure Front Door Premium to an Azure API Management with Private Link](../frontdoor/standard-premium/how-to-enable-private-link-apim.md).
+
 
 ## Prerequisites
 
@@ -94,11 +103,11 @@ When you use the Azure portal to create a private endpoint, as shown in the next
 
 ### Create private endpoint - portal
 
-You can create a private endpoint for your API Management instance in the Azure portal.
+You can create a private endpoint when you create an API Management instance in the Azure portal, or you can add a private endpoint to an existing instance. You can also create a private endpoint using the [Private Link Center](/azure/private-link/create-private-endpoint-portal).
 
 #### [Classic](#tab/classic)
 
-In the classic API Management tiers, you can create a private endpoint when you create the instance. In an existing instance, use the instance's **Network** blade in the Azure portal.
+To add a private endpoint to an existing API Management instance:
 
 1. Navigate to your API Management service in the [Azure portal](https://portal.azure.com/).
 
@@ -108,7 +117,7 @@ In the classic API Management tiers, you can create a private endpoint when you
 
     :::image type="content" source="media/private-endpoint/add-endpoint-from-instance.png" alt-text="Screenshot showing how to add a private endpoint using the Azure portal.":::
 
-1. In the **Basics** tab of **Create a private endpoint**, enter or select the following information:
+1. In the **Basics** tab, enter or select the following information:
 
     | Setting | Value |
     | ------- | ----- |
@@ -158,94 +167,93 @@ In the classic API Management tiers, you can create a private endpoint when you
 
 1. Select the **Next: Review + create** button at the bottom of the screen. Select **Create**.
 
+
 ### List private endpoint connections to the instance
 
 After the private endpoint is created and the service updated, it appears in the list on the API Management instance's **Inbound private endpoint connections** page in the portal.
 
 
-Note the endpoint's **Connection status**:
+Note the endpoint's **Connection state**:
 
 * **Approved** indicates that the API Management resource automatically approved the connection. 
 * **Pending** indicates that the connection must be manually approved by the resource owner.
 
 ### Approve pending private endpoint connections
 
-If a private endpoint connection is in pending status, an owner of the API Management instance must manually approve it before it can be used.
+If a private endpoint connection is in a pending state, an owner of the API Management instance must manually approve it before it can be used.
 
 If you have sufficient permissions, approve a private endpoint connection on the API Management instance's **Private endpoint connections** page in the portal. In the connection's context (...) menu, select **Approve**.
 
 You can also use the API Management [Private Endpoint Connection - Create Or Update](/rest/api/apimanagement/private-endpoint-connection/create-or-update) REST API to approve pending private endpoint connections.
 
 #### [Standard v2](#tab/v2)
 
-> [!NOTE]
-> * Currently you can't set up a private endpoint when creating a Standard v2 instance or using the instances's **Network** blade in the Azure portal.
-> * As shown in this article, you must create and manage private endpoint resources separately from an API Management Standard v2 instance.
+### Create private endpoint when creating API Management Standard v2 instance
 
-1. In the [Azure portal](https://portal.azure.com/), go to the **Private Link Center**.
+1. In the **Create API Management service wizard**, select the **Networking** tab.
 
-1. Select **Private endpoints** > **+ Create**.
+1. In **Network configuration**, select **Inbound private link and/or outbound virtual network integration**.
 
-1. In the **Basics** tab of **Create a private endpoint**, enter or select the following information:
+1. Next to **Private endpoints**, select **Create new**.
+
+1. On the **Create private endpoint** page, enter or select the following information:
 
     | Setting | Value |
     | ------- | ----- |
-    | **Project details** | |
     | Subscription | Select your subscription. |
     | Resource group | Select an existing resource group, or create a new one. It must be in the same region as your virtual network.|
-    | **Instance details** |  |
+    | Location |  Select a location for the private endpoint. It must be in the same region as your virtual network. It may differ from the region where your API Management instance is hosted.  |
     | Name  | Enter a name for the endpoint such as *myPrivateEndpoint*. |
-    | Network Interface Name | Enter a name for the network interface, such as *myInterface* |
-    | Region | Select a location for the private endpoint. It must be in the same region as your virtual network. It may differ from the region where your API Management instance is hosted. |
+    | Sub-resource | Select **Gateway**. |
 
-1. Select the **Next: Resource** button at the bottom of the screen. 
+1. Under **Networking**, enter or select the virtual network and subnet for your private endpoint.
 
-1. In **Resource**, enter or select this information:
+1. Under **Private DNS integration**, select **Integrate with private DNS zone**. The default DNS zone is displayed: **privatelink.azure-api.net**.
 
-    | Setting | Value |
-    | ------- | ----- |
-    | Subscription | Your subscription is selected. |
-    | Resource type | Select **Microsoft.ApiManagement/service**. |
-    | Resource | Select your API Management Standard v2 instance. |
-    | Target sub-resource | Select **Gateway**. |
-    
-    :::image type="content" source="media/private-endpoint/create-private-endpoint.png" alt-text="Screenshot showing settings to create a private endpoint in the Azure portal.":::
+1. Select **OK**.
 
-    > [!IMPORTANT]
-    > Only the **Gateway** sub-resource is supported for API Management. Other sub-resources aren't supported.
+1. Optionally configure settings for [outbound virtual network integration](integrate-vnet-outbound.md).
 
-1. Select the **Next: Virtual Network** button at the bottom of the screen.
+1. Continue with the creation of the API Management instance.
 
-1. In **Virtual Network**, enter or select this information:
+### Create private endpoint for existing API Management Standard v2 instance
 
-    | Setting | Value |
-    | ------- | ----- |
-    | Virtual network | Select your virtual network. |
-    | Subnet | Select your subnet. |
-    | Network policy for private endpoints | Leave the default of **Disabled**. |    
-    | Private IP configuration | In most cases, select **Dynamically allocate IP address.** |
-    | Application security group | Optionally select an [application security group](../virtual-network/application-security-groups.md). |
+1. In the [Azure portal](https://portal.azure.com/), navigate to your API Management Standard v2 instance.
 
-1. Select the **Next: DNS** button at the bottom of the screen.
+1. In the left-hand menu, under **Deployment + infrastructure**, select **Network** > **Edit**.
 
-1. In **Private DNS integration**, enter or select this information:
+1. Under **Inbound features**, next to  **Private endpoints**, select **Create new**.
+
+1. On the **Create private endpoint** page, enter or select the following information:
 
     | Setting | Value |
     | ------- | ----- |
-    | Integrate with private DNS zone | Leave the default of **Yes**. |
     | Subscription | Select your subscription. |
-    | Resource group | Select your resource group. |
-    | Private DNS zones | The default value is displayed: **(new) privatelink.azure-api.net**.
+    | Resource group | Select an existing resource group, or create a new one. It must be in the same region as your virtual network.|
+    | Location |  Select a location for the private endpoint. It must be in the same region as your virtual network. It may differ from the region where your API Management instance is hosted.  |
+    | Name  | Enter a name for the endpoint such as *myPrivateEndpoint*. |
+    | Sub-resource | Select **Gateway**. |
 
-1. Select the **Next: Tabs** button at the bottom of the screen. If you desire, enter tags to organize your Azure resources.
+1. Under **Configure virtual network**, enter or select the virtual network and subnet for your private endpoint.
+
+1. Under **Private DNS integration**, select **Enable**, and select your **Subscription** and **Resource group**. The default DNS zone is displayed: **privatelink.azure-api.net**.
+
+1. Select **Create**. By default, the endpoint's **Connection state** is **Approved**.
 
-1. Select the **Next: Review + create** button at the bottom of the screen. Select **Create**.
 
 ### List private endpoint connections
 
-After the private endpoint is created and the service updated, it appears in the list on the **Private endpoints** page in the **Private Link Center**.
+To list private endpoint connections to the API Management instance:
+
+1. In the [Azure portal](https://portal.azure.com/), navigate to your API Management Standard v2 instance.
+
+1. In the left-hand menu, under **Deployment + infrastructure**, select **Network**.
+
+1. Next to **Private endpoints**, select the link.
+
+1. On the **Private endpoints** page, review the private endpoints to the API Management instance.
 
-Confirm that the endpoint's **Connection status** is **Approved**. 
+1. To change the connection state or delete the endpoint, select an endpoint, then select the context **(...)** menu. Choose the appropriate command on the menu.
 
 ---
 
@@ -258,7 +266,7 @@ To optionally limit incoming traffic to the API Management instance only to priv
 
 #### [Classic](#tab/classic)
 
-To disable the public network access property using the Azure CLI, run the following [az apim update](/cli/azure/apim#az-apim-update) command, substituting the names of your API Management instance and resource group:
+To disable the public network access property in the classic tiers using the Azure CLI, run the following [az apim update](/cli/azure/apim#az-apim-update) command, substituting the names of your API Management instance and resource group:
 
 ```azurecli
 az apim update --name my-apim-service --resource-group my-resource-group --public-network-access false
@@ -268,23 +276,19 @@ You can also use the [API Management Service - Update](/rest/api/apimanagement/a
 
 #### [Standard v2](#tab/v2)
 
-To disable the public network access property in a Standard v2 instance using the Azure CLI, run the following [az rest](/cli/azure/reference-index#az-rest) command.
+You can use the portal to disable the public network access property in a Standard v2 instance.
 
+1. In the [Azure portal](https://portal.azure.com/), navigate to your API Management Standard v2 instance.
 
-```azurecli
-SUBSCRIPTION_ID=<your-subscription-id>
-RESOURCE_GROUP=<your-resource-group>
-SERVICE_NAME=<your-api-management-service-name>
+1. In the left-hand menu, under **Deployment + infrastructure**, select **Network** > **Edit**.
+
+1. Under **Inbound features**, in the **Public network access** section, select **Disable**.
 
-az rest --method patch \
-    --uri "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.ApiManagement/service/$SERVICE_NAME?api-version=2024-05-01" \
-    --body "{ \"properties\": { \"publicNetworkAccess\": \"Disabled\" } }"
-```
 ---
 
 ## Validate private endpoint connection
 
-After the private endpoint is created, confirm its DNS settings in the portal:
+After the private endpoint is created, confirm its DNS settings in the portal.
 
 #### [Classic](#tab/classic)
 
@@ -299,11 +303,11 @@ After the private endpoint is created, confirm its DNS settings in the portal:
 
 #### [Standard v2](#tab/v2)
 
-1. In the **Private Link Center**, select **Private endpoints** and then the name of your private endpoint.
+1. Navigate to your API Management service in the [Azure portal](https://portal.azure.com/).
 
-1. In the left-hand navigation, under **Settings**, select **DNS configuration**.
+1. In the left-hand menu, under **Deployment + infrastructure**, select **Network** > **Edit**, and select the private endpoint you created.
 
-1. Review the DNS records and IP address of the private endpoint. The IP address is a private address in the address space of the subnet where the private endpoint is configured.
+1. On the **Private endpoint** page, review the endpoint's virtual network and private DNS integration settings.
 
 ---
 
@@ -338,4 +342,3 @@ To connect to 'Microsoft.ApiManagement/service/my-apim-service', please use the
 * [Manage private endpoint connections](../private-link/manage-private-endpoint.md).
 * [Troubleshoot Azure private endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md).
 * Use a [Resource Manager template](https://azure.microsoft.com/resources/templates/api-management-private-endpoint/) to create a classic API Management instance and a private endpoint with private DNS integration.
-* [Connect Azure Front Door Premium to an Azure API Management with Private Link (Preview)](../frontdoor/standard-premium/how-to-enable-private-link-apim.md).