[DO NOT MERGE][APIM] Private endpoint - Standard v2

Author: gitName

articles/api-management/media/private-endpoint-v2-tiers/create-private-endpoint.png

@@ -0,0 +1,216 @@
+---
+title: Set up inbound private endpoint for Azure API Management - Standard v2
+description: Learn how to restrict inbound access to an Azure API Management instance by using an Azure private endpoint and Azure Private Link.
+ms.service: azure-api-management
+author: dlepow
+ms.author: danlep
+ms.topic: how-to
+ms.date: 09/19/2024
+---
+
+# Set up inbound private endpoint for Azure API Management - Standard v2
+
+[!INCLUDE [standard-v2.md](../../includes/api-management-availability-standard-v2.md)]
+
+You can configure an inbound [private endpoint](../private-link/private-endpoint-overview.md) (preview) for your API Management Standard v2 instance to allow clients in your private network to securely access the API Management gateway over [Azure Private Link](../private-link/private-link-overview.md). 
+
+* The private endpoint uses an IP address from an Azure virtual network in which it's hosted.
+
+* Network traffic between a client on your private network and API Management traverses over the virtual network and a Private Link on the Microsoft backbone network, eliminating exposure from the public internet.
+
+* Configure custom DNS settings or an Azure DNS private zone to map the API Management hostname to the endpoint's private IP address. 
+
+:::image type="content" source="media/private-endpoint-v2-tiers/private-endpoint.png" alt-text="Diagram that shows a secure inbound connection to API Management using private endpoint.":::
+
+With a private endpoint and Private Link, you can:
+
+- Create multiple Private Link connections to an API Management instance. 
+
+- Use the private endpoint to send inbound traffic on a secure connection. 
+
+- Use policy to distinguish traffic that comes from the private endpoint. 
+
+- Limit incoming traffic only to private endpoints, preventing data exfiltration.
+
+- Combine with outbound [virtual network integration](integrate-vnet-outbound.md) to provide end-to-end network isolation of your API Management clients and backend services.
+
+
+## Limitations
+
+* Only the API Management instance's Gateway endpoint supports inbound Private Link connections. 
+* Each API Management instance supports at most 100 Private Link connections.
+* The **Network** blade for the API Management Standard v2 instance in the Azure portal currently doesn't support creation or management of private endpoints. 
+
+    As shown in this article, you create or manage private endpoint resources independently from the API Management instance.
+ 
+## Prerequisites
+
+- An existing API Management Standard v2 instance. [Create one if you haven't already](get-started-create-service-instance.md). 
+- A virtual network containing a subnet to host the private endpoint. The subnet may contain other Azure resources.
+- (Recommended) A virtual machine in the same or a different subnet in the virtual network, to test the private endpoint.
+[!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]
+
+## Approval method for private endpoint
+
+Typically, a network administrator creates a private endpoint. Depending on your Azure role-based access control (RBAC) permissions, a private endpoint that you create is either *automatically approved* to send traffic to the API Management instance, or requires the resource owner to *manually approve* the connection.
+
+
+|Approval method     |Minimum RBAC permissions  |
+|---------|---------|
+|Automatic     | `Microsoft.Network/virtualNetworks/**`<br/>`Microsoft.Network/virtualNetworks/subnets/**`<br/>`Microsoft.Network/privateEndpoints/**`<br/>`Microsoft.Network/networkinterfaces/**`<br/>`Microsoft.Network/locations/availablePrivateEndpointTypes/read`<br/>`Microsoft.ApiManagement/service/**`<br/>`Microsoft.ApiManagement/service/privateEndpointConnections/**`        |
+|Manual     | `Microsoft.Network/virtualNetworks/**`<br/>`Microsoft.Network/virtualNetworks/subnets/**`<br/>`Microsoft.Network/privateEndpoints/**`<br/>`Microsoft.Network/networkinterfaces/**`<br/>`Microsoft.Network/locations/availablePrivateEndpointTypes/read`           |
+
+## Steps to configure private endpoint
+
+1. [Get available private endpoint types in subscription](#get-available-private-endpoint-types-in-subscription)
+1. [Create private endpoint - portal](#create-private-endpoint---portal)
+1. [List private endpoint connections to the instance](#list-private-endpoint-connections-to-the-instance)
+1. [Approve pending private endpoint connections](#approve-pending-private-endpoint-connections)
+1. [Optionally disable public network access](#optionally-disable-public-network-access)
+
+### Get available private endpoint types in subscription
+
+Verify that the API Management private endpoint type is available in your subscription and location. In the portal, find this information by going to the **Private Link Center**. Select **Supported resources**.  
+
+You can also find this information by using the [Available Private Endpoint Types - List](/rest/api/virtualnetwork/available-private-endpoint-types) REST API.
+
+```rest
+GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/locations/{region}/availablePrivateEndpointTypes?api-version=2021-03-01
+```
+
+Output should include the `Microsoft.ApiManagement.service` endpoint type:
+
+```JSON
+[...]
+
+      "name": "Microsoft.ApiManagement.service",
+      "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Network/AvailablePrivateEndpointTypes/Microsoft.ApiManagement.service",
+      "type": "Microsoft.Network/AvailablePrivateEndpointTypes",
+      "resourceName": "Microsoft.ApiManagement/service",
+      "displayName": "Microsoft.ApiManagement/service",
+      "apiVersion": "2021-04-01-preview"
+    }
+[...]
+```
+
+### Create private endpoint - portal
+
+1. In the [Azure portal](https://portal.azure.com/), go to the **Private Link Center**.
+
+1. Select **Private endpoints** > **+ Create**.
+
+1. In the **Basics** tab of **Create a private endpoint**, enter or select the following information:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | **Project details** | |
+    | Subscription | Select your subscription. |
+    | Resource group | Select an existing resource group, or create a new one. It must be in the same region as your virtual network.|
+    | **Instance details** |  |
+    | Name  | Enter a name for the endpoint such as *myPrivateEndpoint*. |
+    | Network Interface Name | Enter a name for the network interface, such as *myInterface* |
+    | Region | Select a location for the private endpoint. It must be in the same region as your virtual network. It may differ from the region where your API Management instance is hosted. |
+
+1. Select the **Next: Resource** button at the bottom of the screen. The following information about your API Management instance is already populated:
+    * Subscription
+    * Resource type
+    * Resource name
+    
+1. In **Resource**, in **Target sub-resource**, select **Gateway**.
+
+    :::image type="content" source="media/private-endpoint/create-private-endpoint.png" alt-text="Screenshot showing settings to create a private endpoint in the Azure portal.":::
+
+    > [!IMPORTANT]
+    > Only **Gateway** is supported for API Management. Other sub-resources aren't supported.
+
+1. Select the **Next: Virtual Network** button at the bottom of the screen.
+
+1. In **Networking**, enter or select this information:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | Virtual network | Select your virtual network. |
+    | Subnet | Select your subnet. |
+    | Network policy for private endpoints | Leave the default of **Disabled**. |    
+    | Private IP configuration | In most cases, select **Dynamically allocate IP address.** |
+    | Application security group | Optionally select an [application security group](../virtual-network/application-security-groups.md). |
+
+1. Select the **Next: DNS** button at the bottom of the screen.
+
+1. In **Private DNS integration**, enter or select this information:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | Integrate with private DNS zone | Leave the default of **Yes**. |
+    | Subscription | Select your subscription. |
+    | Resource group | Select your resource group. |
+    | Private DNS zones | The default value is displayed: **(new) privatelink.azure-api.net**.
+
+1. Select the **Next: Tabs** button at the bottom of the screen. If you desire, enter tags to organize your Azure resources.
+
+    1. Select the **Next: Review + create** button at the bottom of the screen.
+
+1. Select **Create**.
+
+### List private endpoint connections
+
+After the private endpoint is created and the service updated, it appears in the list on the **Private endpoints** page in the **Private Link Center**.
+
+Confirm that the endpoint's **Connection status** is **Approved**. 
+
+### Optionally disable public network access
+
+To optionally limit incoming traffic to the API Management instance only to private endpoints, disable public network access. 
+
+> [!NOTE] 
+> Disabling the public network access property only affects API Management instances configured with a private endpoint.
+
+To disable public network access using the Azure CLI, run the following [az apim update](/cli/azure/apim#az-apim-update) command, substituting the names of your API Management instance and resource group:
+
+```azurecli
+az apim update --name my-apim-service --resource-group my-resource-group --public-network-access false
+```
+
+You can also use the [API Management Service - Update](/rest/api/apimanagement/api-management-service/update) REST API to disable public network access, by setting the `publicNetworkAccess` property to `Disabled`.
+
+## Validate private endpoint connection
+
+After the private endpoint is created, confirm its DNS settings in the portal:
+
+1. In the **Private Link Center**, select **Private endpoints** <name of your private endpoint>.
+
+1. In the left-hand navigation, under **Settings**, select **DNS configuration**.
+
+1. Review the DNS records and IP address of the private endpoint. The IP address is a private address in the address space of the subnet where the private endpoint is configured.
+
+### Test in virtual network
+
+Connect to a virtual machine you set up in the virtual network.
+
+Run a utility such as `nslookup` or `dig` to look up the IP address of your default Gateway endpoint over Private Link. For example:
+
+```
+nslookup my-apim-service.azure-api.net
+```
+
+Output should include the private IP address associated with the private endpoint.
+
+API calls initiated within the virtual network to the default Gateway endpoint should succeed.
+
+### Test from internet
+
+From outside the private endpoint path, attempt to call the API Management instance's default Gateway endpoint. If public access is disabled, output includes an error with status code `403` and a message similar to:
+
+```
+Request originated from client public IP address xxx.xxx.xxx.xxx, public network access on this 'Microsoft.ApiManagement/service/my-apim-service' is disabled.
+       
+To connect to 'Microsoft.ApiManagement/service/my-apim-service', please use the Private Endpoint from inside your virtual network. 
+```
+
+## Related content
+
+* Use [policy expressions](api-management-policy-expressions.md#ref-context-request) with the `context.request` variable to identify traffic from the private endpoint.
+* Learn more about [private endpoints](../private-link/private-endpoint-overview.md) and [Private Link](../private-link/private-link-overview.md), including [Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/).
+* [Manage private endpoint connections](../private-link/manage-private-endpoint.md).
+* [Troubleshoot Azure private endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md).
+