Skip to content

Files

Latest commit

dlepowdlepow
PR review issues - image refs
May 26, 2022
8230d43 · May 26, 2022

History

History
240 lines (159 loc) · 12.9 KB

private-endpoint.md

File metadata and controls

240 lines (159 loc) · 12.9 KB
title description ms.service author ms.author ms.topic ms.date
Set up private endpoint for Azure API Management Preview
Learn how to restrict access to an Azure API Management instance by using an Azure private endpoint and Azure Private Link.
api-management
dlepow
danlep
how-to
03/31/2022

Connect privately to API Management using a private endpoint

You can configure a private endpoint for your API Management instance to allow clients in your private network to securely access the instance over Azure Private Link.

  • The private endpoint uses an IP address from your Azure VNet address space.

  • Network traffic between a client on your private network and API Management traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure from the public internet.

  • Configure custom DNS settings or an Azure DNS private zone to map the API Management hostname to the endpoint's private IP address.

:::image type="content" source="media/private-endpoint/api-management-private-endpoint.png" alt-text="Diagram that shows a secure connection to API Management using private endpoint.":::

With a private endpoint and Private Link, you can:

  • Create multiple Private Link connections to an API Management instance.

  • Use the private endpoint to send inbound traffic on a secure connection.

  • Use policy to distinguish traffic that comes from the private endpoint.

  • Limit incoming traffic only to private endpoints, preventing data exfiltration.

Important

  • API Management support for private endpoints is currently in preview.
  • To enable private endpoints, the API Management instance can't already be configured with an external or internal virtual network.
  • A private endpoint connection supports only incoming traffic to the API Management instance.

[!INCLUDE premium-dev-standard-basic.md]

Limitations

  • Only the API Management instance's Gateway endpoint currently supports Private Link connections.
  • Each API Management instance currently supports at most 100 Private Link connections.
  • Connections are not supported on the self-hosted gateway.

Prerequisites

  • An existing API Management instance. Create one if you haven't already.
    • The API Management instance must be hosted on the stv2 compute platform. For example, create a new instance or, if you already have an instance in the Premium service tier, enable zone redundancy.
    • Do not deploy (inject) the instance into an external or internal virtual network.
  • A virtual network and subnet to host the private endpoint. The subnet may contain other Azure resources.
  • (Recommended) A virtual machine in the same or a different subnet in the virtual network, to test the private endpoint.

Approval method for private endpoint

Typically, a network administrator creates a private endpoint. Depending on your Azure role-based access control (RBAC) permissions, a private endpoint that you create is either automatically approved to send traffic to the API Management instance, or requires the resource owner to manually approve the connection.

Approval method Minimum RBAC permissions
Automatic Microsoft.Network/virtualNetworks/**
Microsoft.Network/virtualNetworks/subnets/**
Microsoft.Network/privateEndpoints/**
Microsoft.Network/networkinterfaces/**
Microsoft.Network/locations/availablePrivateEndpointTypes/read
Microsoft.ApiManagement/service/**
Microsoft.ApiManagement/service/privateEndpointConnections/**
Manual Microsoft.Network/virtualNetworks/**
Microsoft.Network/virtualNetworks/subnets/**
Microsoft.Network/privateEndpoints/**
Microsoft.Network/networkinterfaces/**
Microsoft.Network/locations/availablePrivateEndpointTypes/read

Steps to configure private endpoint

  1. Get available private endpoint types in subscription
  2. Disable network policies in subnet
  3. Create private endpoint - portal
  4. List private endpoint connections to the instance
  5. Approve pending private endpoint connections
  6. Optionally disable public network access

Get available private endpoint types in subscription

Verify that the API Management private endpoint type is available in your subscription and location. In the portal, find this information by going to the Private Link Center. Select Supported resources.

You can also find this information by using the Available Private Endpoint Types - List REST API.

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/locations/{region}/availablePrivateEndpointTypes?api-version=2021-03-01

Output should include the Microsoft.ApiManagement.service endpoint type:

[...]

      "name": "Microsoft.ApiManagement.service",
      "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Network/AvailablePrivateEndpointTypes/Microsoft.ApiManagement.service",
      "type": "Microsoft.Network/AvailablePrivateEndpointTypes",
      "resourceName": "Microsoft.ApiManagement/service",
      "displayName": "Microsoft.ApiManagement/service",
      "apiVersion": "2021-04-01-preview"
    }
[...]

Disable network policies in subnet

Network policies such as network security groups must be disabled in the subnet used for the private endpoint.

If you use tools such as Azure PowerShell, the Azure CLI, or REST API to configure private endpoints, update the subnet configuration manually. For examples, see Manage network policies for private endpoints.

When you use the Azure portal to create a private endpoint, as shown in the next section, network policies are disabled automatically as part of the creation process

Create private endpoint - portal

  1. Navigate to your API Management service in the Azure portal.

  2. In the left-hand menu, select Network.

  3. Select Private endpoint connections > + Add endpoint.

    :::image type="content" source="media/private-endpoint/add-endpoint-from-instance.png" alt-text="Add a private endpoint using Azure portal":::

  4. In the Basics tab of Create a private endpoint, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select an existing resource group, or create a new one. It must be in the same region as your virtual network.
    Instance details
    Name Enter a name for the endpoint such as myPrivateEndpoint.
    Region Select a location for the private endpoint. It must be in the same region as your virtual network. It may differ from the region where your API Management instance is hosted.

  5. Select the Resource tab or the Next: Resource button at the bottom of the page. The following information about your API Management instance is already populated:

    • Subscription
    • Resource group
    • Resource name

  6. In Resource, in Target sub-resource, select Gateway.

    :::image type="content" source="media/private-endpoint/create-private-endpoint.png" alt-text="Create a private endpoint in Azure portal":::

  7. Select the Configuration tab or the Next: Configuration button at the bottom of the screen.

  8. In Configuration, enter or select this information:

    Setting Value
    Networking
    Virtual network Select your virtual network.
    Subnet Select your subnet.
    Private DNS integration
    Integrate with private DNS zone Leave the default of Yes.
    Subscription Select your subscription.
    Resource group Select your resource group.
    Private DNS zones Leave the default of (new) privatelink.azure-api.net.

  9. Select Review + create.

  10. Select Create.

List private endpoint connections to the instance

After the private endpoint is created, it appears in the list on the API Management instance's Private endpoint connections page in the portal.

You can also use the Private Endpoint Connection - List By Service REST API to list private endpoint connections to the service instance.

Note the endpoint's Connection status:

  • Approved indicates that the API Management resource automatically approved the connection.
  • Pending indicates that the connection must be manually approved by the resource owner.

Approve pending private endpoint connections

If a private endpoint connection is in pending status, an owner of the API Management instance must manually approve it before it can be used.

If you have sufficient permissions, approve a private endpoint connection on the API Management instance's Private endpoint connections page in the portal.

You can also use the API Management Private Endpoint Connection - Create Or Update REST API.

PATCH https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{apimServiceName}privateEndpointConnections/{privateEndpointConnectionName}?api-version=2021-08-01

Optionally disable public network access

To optionally limit incoming traffic to the API Management instance only to private endpoints, disable public network access. Use the API Management Service - Create Or Update REST API.

PATCH https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{apimServiceName}?api-version=2021-08-01
Authorization: Bearer {{authToken.response.body.access_token}}
Content-Type: application/json

Use the following JSON body:

{
  [...]
  "properties": {
    "publicNetworkAccess": "Disabled"
  }
}

Validate private endpoint connection

After the private endpoint is created, confirm its DNS settings in the portal:

  1. In the portal, navigate to the Private Link Center.
  2. Select Private endpoints and select the private endpoint you created.
  3. In the left-hand navigation, select DNS configuration.
  4. Review the DNS records and IP address of the private endpoint. The IP address is a private address in the address space of the subnet where the private endpoint is configured.

Test in virtual network

Connect to a virtual machine you set up in the virtual network.

Run a utility such as nslookup or dig to look up the IP address of your default Gateway endpoint over Private Link. For example:

nslookup my-apim-service.azure-api.net

Output should include the private IP address associated with the private endpoint.

API calls initiated within the virtual network to the default Gateway endpoint should succeed.

Test from internet

From outside the private endpoint path, attempt to call the API Management instance's default Gateway endpoint. If public access is disabled, output will include an error with status code 403 and a message similar to:

Request originated from client public IP address xxx.xxx.xxx.xxx, public network access on this 'Microsoft.ApiManagement/service/my-apim-service' is disabled.
       
To connect to 'Microsoft.ApiManagement/service/my-apim-service', please use the Private Endpoint from inside your virtual network.

Next steps