Tags: azure-devops, azure-web-app-service, azure-api-management, azure-private-link, azure-dns

Web API inaccessible from APIM when both services have Private Link enabled


I'm currently tasked with setting up a secure, non-public connection between APIM and a Web API, and I've opted to use Private Endpoints for both services. The problem is that when Private Link is enabled on both, APIM can no longer connect to the Web API.

I've searched for similar questions online, but none of them seem to have Private Link enabled on APIM. Here's what I've done so far:

  • I created a virtual network called VNET1 with two subnets: PrivateLink-Subnet and VM-Subnet.

  • I deployed a simple Web API as a Web App, enabled Private Link, and used PrivateLink-Subnet. Microsoft automatically created a private DNS zone for it. After this setup, the Web App is not accessible to the public, as expected.

  • To test VNET resources and Private Link, I used a Windows Virtual Machine, and from within the VM, I could access the Web API through "myapi.azurewebsites.net". So far, everything seems to be working well, as the app is only accessible from within the VNET.

  • For API Management, I selected "None" for the Virtual network settings, as per the documentation, and instead created a Private Endpoint. I chose the same VNET1 and PrivateLink-Subnet for the private endpoint and added a single API to the APIs, pointing to "myapi.azurewebsites.net".

The issue arises when I try to connect to the API through the APIM gateway, as it returns a 403 error saying that the app has blocked my access. When I do an `nslookup` from within the VM, both APIM and the Web App resolve to addresses in the same subnet, which is expected as both private links use the same subnet.

I believe that for some reason APIM still tries to resolve the API to the public IP address, even though the private DNS zone for the Web App and Private Link has records to sort that out!

I tried putting the private links on different subnets, but still no luck. And if I go to the Networking section of the Web App and enable public access, everything works like a charm, but that's not what we want. We need this to be accessible via the VNET only, and later we'll add a VPN so people can access the APIs through APIM only when connected through the VPN.

FYI, if I choose a Virtual Network type of External or Internal on APIM, everything works fine. But we're supposed to use Private Link for both the Web App and APIM: no exposure to the internet!


Solution

  • In case anyone else encounters the same issue! It turned out that Private Endpoints in APIM don't support outbound traffic, hence APIM couldn't communicate with any Web App that has Private Endpoints enabled! To achieve a fully internal and private solution, APIM needs to be provisioned in Internal mode.
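As an added illustration (not code from the question or the answer above), the following Python script captures the two checks a practitioner would run when debugging this setup: whether a backend hostname resolves through the `privatelink.azurewebsites.net` zone to an address inside the private-endpoint subnet, and whether a given APIM network configuration can actually reach a backend whose public access is switched off. The DNS answers, the host names and the subnet `10.0.1.0/24` are constructed sample values; the reachability rule encodes the behaviour described in the thread (an APIM private endpoint is inbound-only, so outbound calls only traverse the VNET when APIM is in External or Internal mode).

```python
"""Connectivity checks for APIM -> App Service over Private Link.

Hypothetical helper code written to accompany the question above; it does not
talk to Azure and runs against embedded sample data.
"""
import ipaddress
from dataclasses import dataclass

# Constructed DNS answers, the shape nslookup returns from a VM in VNET1 once the
# privatelink.azurewebsites.net zone is linked to the VNET (sample values only).
VNET_ANSWERS = {
    "myapi.azurewebsites.net": [("CNAME", "myapi.privatelink.azurewebsites.net")],
    "myapi.privatelink.azurewebsites.net": [("A", "10.0.1.5")],
}

# Constructed answers from a resolver that does not know the private zone.
PUBLIC_ANSWERS = {
    "myapi.azurewebsites.net": [("CNAME", "waws-prod-sample.sip.azurewebsites.windows.net")],
    "waws-prod-sample.sip.azurewebsites.windows.net": [("A", "20.50.60.70")],
}


def resolve(name, answers, max_depth=8):
    """Follow the CNAME chain in a static answer set; return (chain, a_records)."""
    chain, ips = [name], []
    for _ in range(max_depth):
        records = answers.get(chain[-1], [])
        cnames = [value for rtype, value in records if rtype == "CNAME"]
        ips = [value for rtype, value in records if rtype == "A"]
        if not cnames:
            break
        chain.append(cnames[0])
    return chain, ips


def classify_resolution(name, answers, pe_subnet):
    """Classify how a backend name resolves relative to the private-endpoint subnet.

    "private"  -> CNAME chain passes through a privatelink zone and the A record
                  lies inside the private-endpoint subnet (the expected state).
    "private-unexpected" -> a private address, but not via the privatelink zone.
    "public"   -> the public App Service address; with public access disabled the
                  app answers such traffic with 403.
    """
    subnet = ipaddress.ip_network(pe_subnet)
    chain, ips = resolve(name, answers)
    via_privatelink = any(".privatelink." in host for host in chain)
    in_subnet = bool(ips) and all(ipaddress.ip_address(ip) in subnet for ip in ips)
    if via_privatelink and in_subnet:
        return "private"
    if ips and all(ipaddress.ip_address(ip).is_private for ip in ips):
        return "private-unexpected"
    return "public"


@dataclass
class ApimNetwork:
    virtual_network_type: str   # "None", "External" or "Internal"
    has_private_endpoint: bool  # inbound private endpoint on the APIM gateway


@dataclass
class BackendNetwork:
    public_network_access: bool  # App Service "public access" toggle
    has_private_endpoint: bool


def apim_can_reach_backend(apim, backend):
    """Return (reachable, reason) for an APIM-to-backend call.

    Rule from the thread: an APIM private endpoint covers inbound only, so
    outbound traffic uses the VNET only when APIM is VNET-injected.
    """
    if backend.public_network_access:
        return True, "backend accepts public traffic"
    if not backend.has_private_endpoint:
        return False, "backend has public access off and no private endpoint"
    if apim.virtual_network_type in ("External", "Internal"):
        return True, "APIM is VNET-injected; outbound resolves the backend's private endpoint"
    return False, ("APIM private endpoint is inbound-only; outbound reaches the backend's "
                   "public side and App Service answers 403")


def fully_private(apim, backend):
    """True only for the target design: Internal-mode APIM and a backend closed to the internet."""
    reachable, _ = apim_can_reach_backend(apim, backend)
    return reachable and apim.virtual_network_type == "Internal" and not backend.public_network_access


if __name__ == "__main__":
    print(classify_resolution("myapi.azurewebsites.net", VNET_ANSWERS, "10.0.1.0/24"))
    print(classify_resolution("myapi.azurewebsites.net", PUBLIC_ANSWERS, "10.0.1.0/24"))
    print(apim_can_reach_backend(ApimNetwork("None", True), BackendNetwork(False, True)))
    print(apim_can_reach_backend(ApimNetwork("Internal", False), BackendNetwork(False, True)))
```

Running the script shows the question's configuration (`virtual_network_type="None"` plus an APIM private endpoint, backend public access off) reported as unreachable with the 403 explanation, while the Internal-mode configuration from the answer is reachable and satisfies `fully_private`. The DNS classifier is what an `nslookup` from the VM is really testing: a result of `"public"` from inside the VNET would point at a missing private DNS zone link rather than at APIM.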