Merge pull request #275521 from dlepow/intgw

[APIM] SHGW connectivity from internet

Author: prmerger-automator[bot]

articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md

@@ -68,7 +68,7 @@ In the first setup example, all your APIs are managed only from within your virt
 
 ### Expose the developer portal and management endpoint externally through Application Gateway
 
-In this article, we also expose the *developer portal* and the *management endpoint* to external audiences through the application gateway. Extra steps are needed to create a listener, probe, settings, and rules for each endpoint. All details are provided in their respective steps.
+In this article, we also expose the *developer portal* and the *management endpoint* to external audiences through the application gateway. Extra steps are needed to create a listener, probe, settings, and rules for each endpoint. All details are provided in their respective steps. If you need to expose the *v2 configuration endpoint* of the [self-hosted gateway](self-hosted-gateway-overview.md#fqdn-dependencies), follow similar steps (not shown).
 
 If you use Microsoft Entra ID or third-party authentication, enable the [cookie-based session affinity](../application-gateway/features.md#session-affinity) feature in Application Gateway.
 

articles/api-management/self-hosted-gateway-overview.md

@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: conceptual
-ms.date: 02/28/2024
+ms.date: 05/15/2024
 ms.author: danlep
 ---
 
@@ -110,7 +110,7 @@ To operate properly, each self-hosted gateway needs outbound connectivity on por
 | Endpoints for [Event Hubs integration](api-management-howto-log-event-hubs.md) | Optional<sup>5</sup> | Optional<sup>5</sup> | Learn more in [Azure Event Hubs docs](../event-hubs/network-security.md) |
 | Endpoints for [external cache integration](api-management-howto-cache-external.md) | Optional<sup>5</sup> | Optional<sup>5</sup> | This requirement depends on the external cache that is being used |
 
-<sup>1</sup>For an API Management instance in an internal virtual network, enable private connectivity to the v2 configuration endpoint from the location of the self-hosted gateway, for example, using a private DNS in a peered network.<br/> 
+<sup>1</sup>For an API Management instance in an internal virtual network, see [Connectivity in an internal virtual network](#connectivity-in-internal-virtual-network).<br/>
 <sup>2</sup>Only required in v2 when API inspector or quotas are used in policies.<br/>
 <sup>3</sup>Only required when using Microsoft Entra authentication to verify RBAC permissions.<br/>
 <sup>4</sup>Only required when using Microsoft Entra authentication or Microsoft Entra related policies.<br/>
@@ -121,6 +121,12 @@ To operate properly, each self-hosted gateway needs outbound connectivity on por
 > * The associated storage account names are listed in the service's **Network connectivity status** page in the Azure portal.
 > * Public IP addresses underlying the associated storage accounts are dynamic and can change without notice.
 
+### Connectivity in internal virtual network
+
+ * **Private connectivity** - If the self-hosted gateway is deployed in a virtual network, enable private connectivity to the v2 configuration endpoint from the location of the self-hosted gateway, for example, using a private DNS in a peered network. 
+
+* **Internet connectivity** - If the self-hosted gateway needs to connect to the v2 configuration endpoint over the internet, configure a custom hostname for the configuration endpoint, and expose the endpoint using Application Gateway.<br/>
+
 ### Authentication options
 
 To authenticate the connection between the self-hosted gateway and the cloud-based API Management instance's configuration endpoint, you have the following options in the gateway container's [configuration settings](self-hosted-gateway-settings-reference.md).