Merge pull request #292205 from MicrosoftDocs/main

12/19/2024 AM Publish

Author: Taojunshen

articles/api-management/api-management-features.md

@@ -26,7 +26,7 @@ Each API Management [pricing tier](api-management-key-concepts.md#api-management
 | -------------------------------------------------------------------------------------------- | ----------- | --------- | --------- | --------- | ----- | -------- | ------- | ------- | 
 | Microsoft Entra integration<sup>1</sup>                                                             | No          | Yes       | No    | Yes      | Yes      | Yes      | Yes     | Yes |
 | Virtual network injection support                                                               | No          | Yes       | No    | No       | No       | No       | Yes    | Yes |
-| Private endpoint support for inbound connections                                                               | No          | Yes       | Yes    | No       | Yes       | No       | Yes  | No   |
+| Private endpoint support for inbound connections                                                               | No          | Yes       | Yes    | No       | Yes       | Yes       | Yes  | No   |
 | Outbound virtual network integration support                                                             | No          | No       | No    | No       | No       | Yes       | No    | Yes |
 | Multi-region deployment                                                                      | No          | No        | No    | No       | No       | No       | Yes     | No |
 | Availability zones                                                                           | No          | No        | No    | No       | No       | No       | Yes     | No  |

articles/api-management/api-management-gateways-overview.md

@@ -77,7 +77,7 @@ The following tables compare features available in the following API Management
 | [Built-in cache](api-management-howto-cache.md) | ✔️ | ✔️ | ❌ | ❌ | ✔️ |
 | [External Redis-compatible cache](api-management-howto-cache-external.md) | ✔️ | ✔️ |✔️ | ✔️ | ❌ |
 | [Virtual network injection](virtual-network-concepts.md)  |  Developer, Premium | Premium v2 | ❌ | ✔️<sup>1,2</sup> | ✔️ |
-| [Inbound private endpoints](private-endpoint.md)  |  Developer, Basic, Standard, Premium | ❌ | ❌ | ❌ | ❌ |
+| [Inbound private endpoints](private-endpoint.md)  |  Developer, Basic, Standard, Premium | Standard v2 | ❌ | ❌ | ❌ |
 | [Outbound virtual network integration](integrate-vnet-outbound.md)  | ❌ | Standard  v2, Premium v2  |  ❌ | ❌ | ✔️ |
 | [Availability zones](zone-redundancy.md)  |  Premium | ❌  | ❌ | ✔️<sup>1</sup> | ✔️<sup>3</sup> |
 | [Multi-region deployment](api-management-howto-deploy-multi-region.md) |  Premium | ❌ |  ❌ | ✔️<sup>1</sup> | ❌ |

articles/api-management/front-door-api-management.md

@@ -20,9 +20,12 @@ Azure Front Door is a modern application delivery network platform providing a s
 
 This article shows how to:
 
-* Set up an Azure Front Door Standard/Premium profile in front of a publicly accessible Azure API Management instance: either non-networked, or injected in a virtual network in [external mode](api-management-using-with-vnet.md). 
+* Set up an Azure Front Door Standard/Premium profile in front of a publicly accessible Azure API Management instance: either non-networked, or a Developer or Premium instance injected in a virtual network in [external mode](api-management-using-with-vnet.md). 
 * Restrict API Management to accept API traffic only from Azure Front Door. 
 
+> [!TIP]
+> You can also configure Azure Front Door Premium to route traffic to an API Management gateway using a [private endpoint](../frontdoor/standard-premium/how-to-enable-private-link-apim.md).
+
 ## Prerequisites
 
 * An API Management instance. 

articles/api-management/media/private-endpoint/create-private-endpoint.png

@@ -5,18 +5,21 @@ ms.service: azure-api-management
 author: dlepow
 ms.author: danlep
 ms.topic: how-to
-ms.date: 09/19/2024
+ms.date: 12/13/2024
 ---
 
 # Connect privately to API Management using an inbound private endpoint
 
-[!INCLUDE [premium-dev-standard-basic.md](../../includes/api-management-availability-premium-dev-standard-basic.md)]
+[!INCLUDE [premium-dev-standard-standardv2-basic.md](../../includes/api-management-availability-premium-dev-standard-standardv2-basic.md)]
 
 You can configure an inbound [private endpoint](../private-link/private-endpoint-overview.md) for your API Management instance to allow clients in your private network to securely access the instance over [Azure Private Link](../private-link/private-link-overview.md). 
 
-* The private endpoint uses an IP address from an Azure VNet in which it's hosted.
+> [!NOTE]
+> Private endpoint support in the Standard v2 tier is currently in limited preview. To sign up, fill [this form](https://aka.ms/privateendpointpreview).
 
-* Network traffic between a client on your private network and API Management traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure from the public internet.
+* The private endpoint uses an IP address from an Azure virtual network in which it's hosted.
+
+* Network traffic between a client on your private network and API Management traverses over the virtual network and a Private Link on the Microsoft backbone network, eliminating exposure from the public internet.
 
 * Configure custom DNS settings or an Azure DNS private zone to map the API Management hostname to the endpoint's private IP address. 
 
@@ -29,13 +32,14 @@ You can configure an inbound [private endpoint](../private-link/private-endpoint
 * Only the API Management instance's Gateway endpoint supports inbound Private Link connections. 
 * Each API Management instance supports at most 100 Private Link connections.
 * Connections aren't supported on the [self-hosted gateway](self-hosted-gateway-overview.md) or on a [workspace gateway](workspaces-overview.md#workspace-gateway). 
+* In the classic API Management tiers, private endpoints aren't supported in instances injected in an internal or external virtual network.
+
 
 ## Prerequisites
 
 - An existing API Management instance. [Create one if you haven't already](get-started-create-service-instance.md). 
-    - The API Management instance must be hosted on the [`stv2` compute platform](compute-infrastructure.md). 
-    - Do not deploy (inject) the instance into an [external](api-management-using-with-vnet.md) or [internal](api-management-using-with-internal-vnet.md) virtual network.
-- A virtual network and subnet to host the private endpoint. The subnet may contain other Azure resources.
+    - When using an instance in the classic Developer or Premium tier, don't deploy (inject) the instance into an [external](api-management-using-with-vnet.md) or [internal](api-management-using-with-internal-vnet.md) virtual network.
+- A virtual network containing a subnet to host the private endpoint. The subnet may contain other Azure resources.
 - (Recommended) A virtual machine in the same or a different subnet in the virtual network, to test the private endpoint.
 [!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]
 
@@ -54,9 +58,7 @@ Typically, a network administrator creates a private endpoint. Depending on your
 1. [Get available private endpoint types in subscription](#get-available-private-endpoint-types-in-subscription)
 1. [Disable network policies in subnet](#disable-network-policies-in-subnet)
 1. [Create private endpoint - portal](#create-private-endpoint---portal)
-1. [List private endpoint connections to the instance](#list-private-endpoint-connections-to-the-instance)
-1. [Approve pending private endpoint connections](#approve-pending-private-endpoint-connections)
-1. [Optionally disable public network access](#optionally-disable-public-network-access)
+(#approve-pending-private-endpoint-connections)
 
 ### Get available private endpoint types in subscription
 
@@ -89,10 +91,16 @@ Network policies such as network security groups must be disabled in the subnet
 
 If you use tools such as Azure PowerShell, the Azure CLI, or REST API to configure private endpoints, update the subnet configuration manually. For examples, see [Manage network policies for private endpoints](../private-link/disable-private-endpoint-network-policy.md).
 
-When you use the Azure portal to create a private endpoint, as shown in the next section, network policies are disabled automatically as part of the creation process 
+When you use the Azure portal to create a private endpoint, as shown in the next section, network policies are disabled automatically as part of the creation process. 
 
 ### Create private endpoint - portal
 
+You can create a private endpoint for your API Management instance in the Azure portal.
+
+#### [Classic](#tab/classic)
+
+In the classic API Management tiers, you can create a private endpoint when you create the instance. In an existing instance, use the instance's **Network** blade in the Azure portal.
+
 1. Navigate to your API Management service in the [Azure portal](https://portal.azure.com/).
 
 1. In the left-hand menu, under **Deployment + infrastructure**, select **Network**.
@@ -122,9 +130,12 @@ When you use the Azure portal to create a private endpoint, as shown in the next
 
     :::image type="content" source="media/private-endpoint/create-private-endpoint.png" alt-text="Screenshot showing settings to create a private endpoint in the Azure portal.":::
 
+    > [!IMPORTANT]
+    > Only the **Gateway** sub-resource is supported for API Management. Other sub-resources aren't supported.
+
 1. Select the **Next: Virtual Network** button at the bottom of the screen.
 
-1. In **Networking**, enter or select this information:
+1. In **Virtual Network**, enter or select this information:
 
     | Setting | Value |
     | ------- | ----- |
@@ -146,9 +157,7 @@ When you use the Azure portal to create a private endpoint, as shown in the next
 
 1. Select the **Next: Tabs** button at the bottom of the screen. If you desire, enter tags to organize your Azure resources.
 
-    1. Select the **Next: Review + create** button at the bottom of the screen.
-
-1. Select **Create**.
+1. Select the **Next: Review + create** button at the bottom of the screen. Select **Create**.
 
 ### List private endpoint connections to the instance
 
@@ -168,14 +177,87 @@ If you have sufficient permissions, approve a private endpoint connection on the
 
 You can also use the API Management [Private Endpoint Connection - Create Or Update](/rest/api/apimanagement/private-endpoint-connection/create-or-update) REST API to approve pending private endpoint connections.
 
-### Optionally disable public network access
+#### [Standard v2](#tab/v2)
+
+> [!NOTE]
+> * Currently you can't set up a private endpoint when creating a Standard v2 instance or using the instances's **Network** blade in the Azure portal.
+> * As shown in this article, you must create and manage private endpoint resources separately from an API Management Standard v2 instance.
+
+1. In the [Azure portal](https://portal.azure.com/), go to the **Private Link Center**.
+
+1. Select **Private endpoints** > **+ Create**.
+
+1. In the **Basics** tab of **Create a private endpoint**, enter or select the following information:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | **Project details** | |
+    | Subscription | Select your subscription. |
+    | Resource group | Select an existing resource group, or create a new one. It must be in the same region as your virtual network.|
+    | **Instance details** |  |
+    | Name  | Enter a name for the endpoint such as *myPrivateEndpoint*. |
+    | Network Interface Name | Enter a name for the network interface, such as *myInterface* |
+    | Region | Select a location for the private endpoint. It must be in the same region as your virtual network. It may differ from the region where your API Management instance is hosted. |
+
+1. Select the **Next: Resource** button at the bottom of the screen. 
+
+1. In **Resource**, enter or select this information:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | Subscription | Your subscription is selected. |
+    | Resource type | Select **Microsoft.ApiManagement/service**. |
+    | Resource | Select your API Management Standard v2 instance. |
+    | Target sub-resource | Select **Gateway**. |
+    
+    :::image type="content" source="media/private-endpoint/create-private-endpoint.png" alt-text="Screenshot showing settings to create a private endpoint in the Azure portal.":::
+
+    > [!IMPORTANT]
+    > Only the **Gateway** sub-resource is supported for API Management. Other sub-resources aren't supported.
+
+1. Select the **Next: Virtual Network** button at the bottom of the screen.
 
-To optionally limit incoming traffic to the API Management instance only to private endpoints, disable public network access. 
+1. In **Virtual Network**, enter or select this information:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | Virtual network | Select your virtual network. |
+    | Subnet | Select your subnet. |
+    | Network policy for private endpoints | Leave the default of **Disabled**. |    
+    | Private IP configuration | In most cases, select **Dynamically allocate IP address.** |
+    | Application security group | Optionally select an [application security group](../virtual-network/application-security-groups.md). |
+
+1. Select the **Next: DNS** button at the bottom of the screen.
+
+1. In **Private DNS integration**, enter or select this information:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | Integrate with private DNS zone | Leave the default of **Yes**. |
+    | Subscription | Select your subscription. |
+    | Resource group | Select your resource group. |
+    | Private DNS zones | The default value is displayed: **(new) privatelink.azure-api.net**.
+
+1. Select the **Next: Tabs** button at the bottom of the screen. If you desire, enter tags to organize your Azure resources.
+
+1. Select the **Next: Review + create** button at the bottom of the screen. Select **Create**.
+
+### List private endpoint connections
+
+After the private endpoint is created and the service updated, it appears in the list on the **Private endpoints** page in the **Private Link Center**.
+
+Confirm that the endpoint's **Connection status** is **Approved**. 
+
+---
+
+## Optionally disable public network access
+
+To optionally limit incoming traffic to the API Management instance only to private endpoints, disable the public network access property. 
 
 > [!NOTE] 
-> Public network access can only be disabled in API Management instances configured with a private endpoint, not with other networking configurations such as VNet injection.
+> Public network access can only be disabled in API Management instances configured with a private endpoint, not with other networking configurations.
 
-To disable public network access using the Azure CLI, run the following [az apim update](/cli/azure/apim#az-apim-update) command, substituting the names of your API Management instance and resource group:
+To disable the public network access property using the Azure CLI, run the following [az apim update](/cli/azure/apim#az-apim-update) command, substituting the names of your API Management instance and resource group:
 
 ```azurecli
 az apim update --name my-apim-service --resource-group my-resource-group --public-network-access false
@@ -187,6 +269,8 @@ You can also use the [API Management Service - Update](/rest/api/apimanagement/a
 
 After the private endpoint is created, confirm its DNS settings in the portal:
 
+#### [Classic](#tab/classic)
+
 1. Navigate to your API Management service in the [Azure portal](https://portal.azure.com/).
 
 1. In the left-hand menu, under **Deployment + infrastructure**, select **Network** > **Inbound private endpoint connections**, and select the private endpoint you created.
@@ -195,14 +279,25 @@ After the private endpoint is created, confirm its DNS settings in the portal:
 
 1. Review the DNS records and IP address of the private endpoint. The IP address is a private address in the address space of the subnet where the private endpoint is configured.
 
+
+#### [Standard v2](#tab/v2)
+
+1. In the **Private Link Center**, select **Private endpoints** and then the name of your private endpoint.
+
+1. In the left-hand navigation, under **Settings**, select **DNS configuration**.
+
+1. Review the DNS records and IP address of the private endpoint. The IP address is a private address in the address space of the subnet where the private endpoint is configured.
+
+---
+
 ### Test in virtual network
 
 Connect to a virtual machine you set up in the virtual network.
 
 Run a utility such as `nslookup` or `dig` to look up the IP address of your default Gateway endpoint over Private Link. For example:
 
 ```
-nslookup my-apim-service.azure-api.net
+nslookup my-apim-service.privatelink.azure-api.net
 ```
 
 Output should include the private IP address associated with the private endpoint.
@@ -214,7 +309,7 @@ API calls initiated within the virtual network to the default Gateway endpoint s
 From outside the private endpoint path, attempt to call the API Management instance's default Gateway endpoint. If public access is disabled, output includes an error with status code `403` and a message similar to:
 
 ```
-Request originated from client public IP address xxx.xxx.xxx.xxx, public network access on this 'Microsoft.ApiManagement/service/my-apim-service' is disabled.
+Request originated from client public IP address 192.0.2.12, public network access on this 'Microsoft.ApiManagement/service/my-apim-service' is disabled.
        
 To connect to 'Microsoft.ApiManagement/service/my-apim-service', please use the Private Endpoint from inside your virtual network. 
 ```
@@ -225,5 +320,5 @@ To connect to 'Microsoft.ApiManagement/service/my-apim-service', please use the
 * Learn more about [private endpoints](../private-link/private-endpoint-overview.md) and [Private Link](../private-link/private-link-overview.md), including [Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/).
 * [Manage private endpoint connections](../private-link/manage-private-endpoint.md).
 * [Troubleshoot Azure private endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md).
-* Use a [Resource Manager template](https://azure.microsoft.com/resources/templates/api-management-private-endpoint/) to create an API Management instance and a private endpoint with private DNS integration.
-
+* Use a [Resource Manager template](https://azure.microsoft.com/resources/templates/api-management-private-endpoint/) to create a classic API Management instance and a private endpoint with private DNS integration.
+* [Connect Azure Front Door Premium to an Azure API Management with Private Link (Preview)](../frontdoor/standard-premium/how-to-enable-private-link-apim.md).

articles/api-management/media/private-endpoint/private-endpoint.png

@@ -51,6 +51,8 @@ The latest capabilities of the v2 tiers are supported in API Management API vers
 
 * **Standard v2** and **Premium v2** support **virtual network integration** to allow your API Management instance to reach API backends that are isolated in a single connected virtual network. The API Management gateway, management plane, and developer portal remain publicly accessible from the internet. The virtual network must be in the same region and subscription as the API Management instance. [Learn more](integrate-vnet-outbound.md).
 
+    In preview, *Standard v2* also supports inbound [private endpoint connections](private-endpoint.md) to the API Management gateway.
+
 * **Premium v2** also supports simplified **virtual network injection** for complete isolation of inbound and outbound gateway traffic without requiring network security group rules, route tables, or service endpoints. The virtual network must be in the same region and subscription as the API Management instance. [Learn more](inject-vnet-v2.md).
 
 ### Supported regions
@@ -77,7 +79,6 @@ The following API Management capabilities are currently unavailable in the v2 ti
 * Capacity metric - *replaced by CPU Percentage of Gateway and Memory Percentage of Gateway metrics*
 * Built-in analytics - *replaced by Azure Monitor-based dashboard*
 * Autoscaling
-* Inbound connection using a private endpoint
 * Upgrade to v2 tiers from classic tiers 
 * CA Certificates
 * Sending events to Event Grid