If you are setting up API Management in Internal network mode (vNet/subnet) with a public IP, there are a few prerequisites. Among them is adding an NSG to the subnet with a number of predefined rules; these are documented by Microsoft and are easy to get hold of.
Another requirement, if you have a peered vNet, is a route table on the subnet with a User Defined Route (UDR) that sends the API Management traffic straight out to the internet so the service can reach its management endpoint.
If you create the APIM service without the route, you will get an error that the APIM management service cannot be contacted.
Running the diagnostic in the network GUI gets us this dialogue:
The UDR is easy enough to add using the portal, but if you are an IaC shop and want to deploy it using Bicep, it is an undocumented feature.
And you do want to use the Service Tag, because the IP range of the API Management service can change.
I solved it after some research; this is what you do.
Simply add the Service Tag name as the addressPrefix. When the UDR is deployed, Azure will recognise it as a Service Tag route and set it to the correct one.
The Bicep resources would look something like this:
// Parameters referenced by the resource names below; declare them in the same Bicep file
param appPrefix string
param appName string
param location string = resourceGroup().location

// Route table that will be associated with the API Management subnet
resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-${appPrefix}-${appName}'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: []
  }
}

// User Defined Route: using the Service Tag name as addressPrefix makes Azure treat it as a Service Tag route
resource route 'Microsoft.Network/routeTables/routes@2023-04-01' = {
  name: 'ApiManagement'
  parent: routeTable
  properties: {
    addressPrefix: 'ApiManagement'
    nextHopType: 'Internet'
    hasBgpOverride: false
  }
}
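The snippet above only creates the route table and the route; the table still has to be attached to the APIM subnet for the UDR to take effect. The following is an added example, not code from the original post, that puts the two together in one Bicep module: it declares the Service Tag route inline (equivalent to the child-resource form above), references an existing vNet and NSG, and re-declares the subnet with the route table attached. The parameter names, the vNet name 'vnet-hub', the subnet name 'snet-apim', the subnet address range and the NSG name 'nsg-apim' are placeholders I made up for illustration.

```bicep
// Added example (not from the original post): route table with the ApiManagement Service Tag UDR,
// attached to the API Management subnet. All names and the address range below are placeholders.
param location string = resourceGroup().location
param vnetName string = 'vnet-hub'            // assumed existing vNet
param apimSubnetName string = 'snet-apim'     // assumed existing APIM subnet
param apimSubnetPrefix string = '10.0.1.0/24' // constructed sample range
param nsgName string = 'nsg-apim'             // assumed existing NSG with the Microsoft-documented APIM rules

// Existing virtual network that holds the API Management subnet
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: vnetName
}

// Existing NSG; its rules are documented by Microsoft and not reproduced here
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' existing = {
  name: nsgName
}

// Route table with the UDR declared inline. The Service Tag name as addressPrefix
// is what makes Azure deploy this as a Service Tag route instead of a fixed IP range.
resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-apim'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'ApiManagement'
        properties: {
          addressPrefix: 'ApiManagement' // Service Tag, not an IP range
          nextHopType: 'Internet'
          hasBgpOverride: false
        }
      }
    ]
  }
}

// Re-declare the subnet to attach the route table and the NSG.
// A subnet deployment replaces the subnet's properties wholesale, so every property
// the subnet already has (address range, NSG, delegations if any) must be listed here.
resource apimSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  parent: vnet
  name: apimSubnetName
  properties: {
    addressPrefix: apimSubnetPrefix
    networkSecurityGroup: {
      id: nsg.id
    }
    routeTable: {
      id: routeTable.id
    }
  }
}

output routeTableId string = routeTable.id
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep`; after the deployment the route shows up in the portal as a Service Tag route rather than an address prefix. Because the subnet is re-declared here, check its current properties first so the redeploy does not silently drop an existing NSG association or delegation.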
References
Private Endpoint Overview (GitHub; go here in case there are updates): https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/private-link/private-endpoint-overview.md
Enjoy!
Regards