| Azure AD integration<sup>1</sup> | No | Yes | No | Yes | Yes |
24
24
| Virtual Network (VNet) support | No | Yes | No | No | Yes |
25
+
| Private endpoint support for inbound connections | No | Yes | Yes | Yes | Yes |
25
26
| Multi-region deployment | No | No | No | No | Yes |
26
27
| Availability zones | No | No | No | No | Yes |
27
28
| Multiple custom domain names | No | Yes | No | No | Yes |
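Review bot: the new `Private endpoint support for inbound connections` row carries no footnote, although this same commit records two limits that belong next to it: a private endpoint can't be added to an instance already injected into an external or internal virtual network (the IMPORTANT note in includes/api-management-private-endpoint.md), and it covers the managed gateway only, not the self-hosted gateway (the comparison table in virtual-network-concepts.md). Suggest a superscript footnote on the row, as the Azure AD and gateway rows already have, stating both constraints.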
@@ -45,5 +46,5 @@ Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct
45
46
<sup>1</sup> Enables the use of Azure AD (and Azure AD B2C) as an identity provider for user sign in on the developer portal.<br/>
46
47
<sup>2</sup> Including related functionality such as users, groups, issues, applications, and email templates and notifications.<br/>
47
48
<sup>3</sup> See [Gateway overview](api-management-gateways-overview.md#feature-comparison-managed-versus-self-hosted-gateways) for a feature comparison of managed versus self-hosted gateways. In the Developer tier self-hosted gateways are limited to a single gateway node. <br/>
48
-
<sup>4</sup> The following policies aren't available in the Consumption tier: rate limit by key and quota by key. <br/>
49
+
<sup>4</sup> See [Gateway overview](api-management-gateways-overview.md#policies) for differences in policy support in the dedicated, consumption, and self-hosted gateways. <br/>
49
50
<sup>5</sup> GraphQL subscriptions aren't supported in the Consumption tier.
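Review bot: the rewritten footnote 4 drops the concrete fact that rate limit by key and quota by key aren't available in the Consumption tier and replaces it with a link, so a reader checking the tier table for throttling support now has to leave the page. Keep the sentence and append the link, e.g. `<sup>4</sup> The following policies aren't available in the Consumption tier: rate limit by key and quota by key. See [Gateway overview](api-management-gateways-overview.md#policies) for differences in policy support in the dedicated, consumption, and self-hosted gateways.` Minor: footnote 3 still has a stray space before `<br/>`.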
articles/api-management/private-endpoint.md (35 additions, 32 deletions)
@@ -1,35 +1,25 @@
1
1
---
2
-
title: Set up private endpoint for Azure API Management Preview
3
-
description: Learn how to restrict access to an Azure API Management instance by using an Azure private endpoint and Azure Private Link.
2
+
title: Set up inbound private endpoint for Azure API Management
3
+
description: Learn how to restrict inbound access to an Azure API Management instance by using an Azure private endpoint and Azure Private Link.
4
4
ms.service: api-management
5
5
author: dlepow
6
6
ms.author: danlep
7
7
ms.topic: how-to
8
-
ms.date: 03/31/2022
8
+
ms.date: 03/20/2023
9
9
10
10
---
11
11
12
-
# Connect privately to API Management using a private endpoint
12
+
# Connect privately to API Management using an inbound private endpoint
13
13
14
-
You can configure a[private endpoint](../private-link/private-endpoint-overview.md) for your API Management instance to allow clients in your private network to securely access the instance over [Azure Private Link](../private-link/private-link-overview.md).
14
+
You can configure an inbound[private endpoint](../private-link/private-endpoint-overview.md) for your API Management instance to allow clients in your private network to securely access the instance over [Azure Private Link](../private-link/private-link-overview.md).
15
15
16
-
* The private endpoint uses an IP address from your Azure VNet address space.
16
+
* The private endpoint uses an IP address from an Azure VNet in which it's hosted.
17
17
18
18
* Network traffic between a client on your private network and API Management traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure from the public internet.
19
19
20
20
* Configure custom DNS settings or an Azure DNS private zone to map the API Management hostname to the endpoint's private IP address.
21
21
22
-
:::image type="content" source="media/private-endpoint/api-management-private-endpoint.png" alt-text="Diagram that shows a secure connection to API Management using private endpoint.":::
23
-
24
-
With a private endpoint and Private Link, you can:
25
-
26
-
- Create multiple Private Link connections to an API Management instance.
27
-
28
-
- Use the private endpoint to send inbound traffic on a secure connection.
29
-
30
-
- Use policy to distinguish traffic that comes from the private endpoint.
31
-
32
-
- Limit incoming traffic only to private endpoints, preventing data exfiltration.
22
+
:::image type="content" source="media/private-endpoint/api-management-private-endpoint.png" alt-text="Diagram that shows a secure inbound connection to API Management using private endpoint.":::
:::image type="content" source="media/private-endpoint/add-endpoint-from-instance.png" alt-text="Add a private endpoint using Azure portal":::
114
104
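Review bot: the rewritten intro sentence still has no space between `inbound` and the link: `You can configure an inbound[private endpoint](...)` renders as "inboundprivate endpoint"; the old line had the same defect (`a[private endpoint]`) and this rewrite was the moment to fix it. Separately, the "With a private endpoint and Private Link, you can:" bullet list is deleted here and re-created in includes/api-management-private-endpoint.md, but no `[!INCLUDE]` line is added in this hunk; confirm the include is already referenced at this point in the article (before this change it held only the IMPORTANT note), otherwise the list vanishes from the page.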
@@ -120,7 +110,8 @@ When you use the Azure portal to create a private endpoint, as shown in the next
120
110
| Subscription | Select your subscription. |
121
111
| Resource group | Select an existing resource group, or create a new one. It must be in the same region as your virtual network.|
122
112
|**Instance details**||
123
-
| Name | Enter a name for the endpoint such as **myPrivateEndpoint**. |
113
+
| Name | Enter a name for the endpoint such as *myPrivateEndpoint*. |
114
+
| Network Interface Name | Enter a name for the network interface, such as *myInterface*|
124
115
| Region | Select a location for the private endpoint. It must be in the same region as your virtual network. It may differ from the region where your API Management instance is hosted. |
125
116
126
117
1. Select the **Resource** tab or the **Next: Resource** button at the bottom of the page. The following information about your API Management instance is already populated:
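Review bot: the new `Network Interface Name` row is missing the trailing period and the space before the closing pipe (`such as *myInterface*|`) that the neighbouring `Name` row has (`*myPrivateEndpoint*. |`); align it so the table renders consistently.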
@@ -132,28 +123,37 @@ When you use the Azure portal to create a private endpoint, as shown in the next
132
123
133
124
:::image type="content" source="media/private-endpoint/create-private-endpoint.png" alt-text="Create a private endpoint in Azure portal":::
134
125
135
-
1. Select the **Configuration** tab or the **Next: Configuration** button at the bottom of the screen.
126
+
1. Select the **Virtual Network** tab or the **Next: Virtual Network** button at the bottom of the screen.
136
127
137
-
1. In **Configuration**, enter or select this information:
128
+
1. In **Networking**, enter or select this information:
138
129
139
130
| Setting | Value |
140
131
| ------- | ----- |
141
-
|**Networking**||
142
132
| Virtual network | Select your virtual network. |
143
133
| Subnet | Select your subnet. |
144
-
|**Private DNS integration**||
134
+
| Private IP configuration | In most cases, select **Dynamically allocate IP address.**|
135
+
| Application security group | Optionally select an [application security group](../virtual-network/application-security-groups.md). |
136
+
137
+
1. Select the **DNS** tab or the **Next: DNS** button at the bottom of the screen.
138
+
139
+
1. In **Private DNS integration**, enter or select this information:
140
+
141
+
| Setting | Value |
142
+
| ------- | ----- |
145
143
| Integrate with private DNS zone | Leave the default of **Yes**. |
146
144
| Subscription | Select your subscription. |
147
145
| Resource group | Select your resource group. |
148
-
| Private DNS zones | Leave the default of**(new) privatelink.azure-api.net**.
146
+
| Private DNS zones | The default value is displayed:**(new) privatelink.azure-api.net**.
149
147
150
-
1. Select **Review + create**.
148
+
1. Select the **Tags** tab or the **Next: Tabs** button at the bottom of the screen. If you desire, enter tags to organize your Azure resources.
149
+
150
+
1. Select **Review + create**.
151
151
152
152
1. Select **Create**.
153
153
154
154
### List private endpoint connections to the instance
155
155
156
-
After the private endpoint is created, it appears in the list on the API Management instance's **Private endpoint connections** page in the portal.
156
+
After the private endpoint is created, it appears in the list on the API Management instance's **Inbound private endpoint connections** page in the portal.
157
157
158
158
You can also use the [Private Endpoint Connection - List By Service](/rest/api/apimanagement/current-ga/private-endpoint-connection/list-by-service) REST API to list private endpoint connections to the service instance.
159
159
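Review bot: typo in the new Tags step: `**Next: Tabs**` should be `**Next: Tags**`. Two more in the same hunk: the step says select the **Virtual Network** tab but the next step reads `In **Networking**, enter or select`, so tab and section names disagree; and the `Private DNS zones` cell (`displayed:**(new) privatelink.azure-api.net**.`) and the `Private IP configuration` cell (`**Dynamically allocate IP address.**|`) lack the space before the bold text and closing pipe that the other cells use. The removed wording "Leave the default" for the DNS zone was also the actionable part; "The default value is displayed" tells the reader nothing about what to do.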
@@ -200,9 +200,12 @@ Use the following JSON body:
200
200
201
201
After the private endpoint is created, confirm its DNS settings in the portal:
202
202
203
-
1. In the portal, navigate to the **Private Link Center**.
204
-
1. Select **Private endpoints** and select the private endpoint you created.
203
+
1. Navigate to your API Management service in the [Azure portal](https://portal.azure.com/).
204
+
205
+
1. In the left-hand menu, select **Network** > **Inbound private endpoint connections**, and select the private endpoint you created.
206
+
205
207
1. In the left-hand navigation, select **DNS configuration**.
208
+
206
209
1. Review the DNS records and IP address of the private endpoint. The IP address is a private address in the address space of the subnet where the private endpoint is configured.
207
210
208
211
### Test in virtual network
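Review bot: steps 2 and 3 of the DNS check name the same UI element differently (`In the left-hand menu` vs `In the left-hand navigation`); pick one. The final step could also state what a correct result looks like: the private DNS zone created earlier is `privatelink.azure-api.net`, so the record shown should resolve the instance's hostname to the private IP in the subnet's range, which is what a client inside the virtual network needs before the "Test in virtual network" section.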
@@ -232,7 +235,7 @@ To connect to 'Microsoft.ApiManagement/service/my-apim-service', please use the
232
235
## Next steps
233
236
234
237
* Use [policy expressions](api-management-policy-expressions.md#ref-context-request) with the `context.request` variable to identify traffic from the private endpoint.
235
-
* Learn more about [private endpoints](../private-link/private-endpoint-overview.md) and [Private Link](../private-link/private-link-overview.md).
238
+
* Learn more about [private endpoints](../private-link/private-endpoint-overview.md) and [Private Link](../private-link/private-link-overview.md), including [Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/).
236
239
* Learn more about [managing private endpoint connections](../private-link/manage-private-endpoint.md).
* Use a [Resource Manager template](https://azure.microsoft.com/resources/templates/api-management-private-endpoint/) to create an API Management instance and a private endpoint with private DNS integration.
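Review bot: the first Next steps bullet says to use `context.request` policy expressions to identify traffic from the private endpoint, and the include's bullet list promises that you can "use policy to distinguish traffic that comes from the private endpoint", but neither page shows the property to inspect or a sample policy; an inline one-liner or an anchor to the exact property in the policy expressions reference would make this control actionable. The pricing link added to the Private Link bullet is fine.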
articles/api-management/virtual-network-concepts.md (7 additions, 14 deletions)
@@ -5,7 +5,7 @@ author: dlepow
5
5
6
6
ms.service: api-management
7
7
ms.topic: conceptual
8
-
ms.date: 05/26/2022
8
+
ms.date: 03/09/2023
9
9
ms.author: danlep
10
10
ms.custom:
11
11
---
@@ -17,15 +17,15 @@ API Management provides several options to secure access to your API Management
17
17
18
18
You can choose one of two integration modes: *external* or *internal*. They differ in whether inbound connectivity to the gateway and other API Management endpoints is allowed from the internet or only from within the virtual network.
19
19
20
-
***Enabling secure and private connectivity** to the API Management gateway using a *private endpoint* (preview).
20
+
***Enabling secure and private inbound connectivity** to the API Management gateway using a *private endpoint*.
21
21
22
22
The following table compares virtual networking options. For more information, see later sections of this article and links to detailed guidance.
|**[Virtual network - external](#virtual-network-integration)** | Developer, Premium | Azure portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to internet, peered virtual networks, Express Route, and S2S VPN connections. | External access to private and on-premises backends
27
27
|**[Virtual network - internal](#virtual-network-integration)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository. | Inbound and outbound traffic can be allowed to peered virtual networks, Express Route, and S2S VPN connections. | Internal access to private and on-premises backends
28
-
|**[Private endpoint (preview)](#private-endpoint)**| Developer, Basic, Standard, Premium | Gateway only (managed gateway supported, self-hosted gateway not supported). | Only inbound traffic can be allowed from internet, peered virtual networks, Express Route, and S2S VPN connections. | Secure client connection to API Management gateway |
28
+
|**[Inbound private endpoint](#inbound-private-endpoint)**| Developer, Basic, Standard, Premium | Gateway only (managed gateway supported, self-hosted gateway not supported). | Only inbound traffic can be allowed from internet, peered virtual networks, Express Route, and S2S VPN connections. | Secure client connection to API Management gateway |
29
29
30
30
## Virtual network integration
31
31
With Azure virtual networks (VNets), you can place ("inject") your API Management instance in a non-internet-routable network to which you control access. In a virtual network, your API Management instance can securely access other networked Azure resources and also connect to on-premises networks using various VPN technologies. To learn more about Azure VNets, start with the information in the [Azure Virtual Network Overview](../virtual-network/virtual-networks-overview.md).
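Review bot: the unchanged `Virtual network - external` row lists `Azure portal, gateway, management plane, and Git repository` as the exposed endpoints, where the `internal` row lists `Developer portal, ...`; `Azure portal` looks like a slip for `Developer portal` and is worth fixing while this table is being edited. The new `Inbound private endpoint` row's anchor `#inbound-private-endpoint` matches the renamed heading, good; its `Only inbound traffic can be allowed from internet, ...` cell could say more plainly what its own wording implies, that the private endpoint adds a private inbound path and does not by itself remove public access.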
@@ -141,26 +141,19 @@ Some virtual network limitations differ depending on the version (`stv2` or `stv
141
141
* A subnet containing API Management instances can't be moved across subscriptions.
142
142
* For multi-region API Management deployments configured in internal VNet mode, users own the routing and are responsible for managing the load balancing across multiple regions.
143
143
* To import an API to API Management from an [OpenAPI specification](import-and-publish.md), the specification URL must be hosted at a publicly accessible internet address.
144
-
* Due to platform limitations, connectivity between a resource in a globally peered VNet in another region and an API Management service in internal mode won't work. For more information, see the [virtual network documentation](../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints).
144
+
* Due to platform limitations, connectivity between a resource in a globally peered VNet in another region and an API Management service in internal mode doesn't work. For more information, see the [virtual network documentation](../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints).
145
145
146
146
---
147
147
148
-
## Private endpoint
148
+
## Inbound private endpoint
149
149
150
-
API Management supports [private endpoints](../private-link/private-endpoint-overview.md). A private endpoint enables secure client connectivity to your API Management instance using a private IP address from your virtual network and Azure Private Link.
150
+
API Management supports [private endpoints](../private-link/private-endpoint-overview.md) for secure inbound client connections to your API Management instance. Each secure connection uses a private IP address from your virtual network and Azure Private Link.
151
151
152
152
:::image type="content" source="media/virtual-network-concepts/api-management-private-endpoint.png" alt-text="Diagram showing a secure connection to API Management using private endpoint." lightbox="media/virtual-network-concepts/api-management-private-endpoint.png":::
153
153
154
-
With a private endpoint and Private Link, you can:
155
-
156
-
* Create multiple Private Link connections to an API Management instance.
157
-
* Use the private endpoint to send inbound traffic on a secure connection.
158
-
* Use policy to distinguish traffic that comes from the private endpoint.
159
-
* Limit incoming traffic only to private endpoints, preventing data exfiltration.
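Review bot: the `With a private endpoint and Private Link, you can:` bullets are removed from this section and re-created in includes/api-management-private-endpoint.md, but this hunk adds no `[!INCLUDE]` directive in their place; unless the include (which before this change held only the IMPORTANT note) is already referenced right here, the list disappears from the concepts page. Minor: the image alt text still says "secure connection" while the heading and text now say "inbound".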
includes/api-management-private-endpoint.md (13 additions, 3 deletions)
@@ -2,10 +2,20 @@
2
2
author: dlepow
3
3
ms.service: api-management
4
4
ms.topic: include
5
-
ms.date: 11/15/2022
5
+
ms.date: 03/09/2023
6
6
ms.author: danlep
7
7
---
8
+
9
+
With a private endpoint and Private Link, you can:
10
+
11
+
- Create multiple Private Link connections to an API Management instance.
12
+
13
+
- Use the private endpoint to send inbound traffic on a secure connection.
14
+
15
+
- Use policy to distinguish traffic that comes from the private endpoint.
16
+
17
+
- Limit incoming traffic only to private endpoints, preventing data exfiltration.
18
+
8
19
> [!IMPORTANT]
9
-
> *API Management support for private endpoints is currently in **preview**.
20
+
> *You can only configure a private endpoint connection for **inbound** traffic to the API Management instance. Currently, outbound traffic isn't supported.
10
21
> * To enable private endpoints, the API Management instance can't already be configured with an external or internal [virtual network](../articles/api-management/virtual-network-concepts.md).
11
-
> * During the preview period, a private endpoint connection supports only **inbound** traffic to the API Management instance. Outbound traffic isn't supported.
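Review bot: the last re-added bullet, `Limit incoming traffic only to private endpoints, preventing data exfiltration`, claims a benefit the control doesn't provide: restricting inbound access to the private endpoint keeps the gateway off the public internet, but exfiltration is an outbound flow, and the IMPORTANT note in this same hunk says outbound traffic isn't supported over the private endpoint at all. Suggest `Limit incoming traffic to private endpoints so the gateway isn't reachable from the public internet.` Also, the new note line `> *You can only configure a private endpoint connection ...` has no space after `*`, unlike `> * To enable private endpoints` on the next line, so Markdown won't render it as a list item and the stray `*` can open emphasis.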