Support VNET for Basic Tier of APIM
Our APIs are deployed to Service Fabric cluster in a VNET. If we want to expose our APIs through APIM, we have to use the Premium Tier of APIM since that's the only tier where VNET support is included.
Premium Tier of APIM has a bunch of other features like AD authentication, Multi-region support, 4000 reqs/sec etc., which we don't need and don't care about.
Why are all those features clubbed together and provided as an all or nothing solution?
Basic Tier fits our use case perfectly, if only we can deploy it in a VNET.
Service Fabric integration with APIM is one of its coolest features and can help in its adoption. But Microsoft's strategy of artificially inflating the pricing and forcing customers to pay for features they don't need isn't going to work well.
Right now, the only way to use Service Fabric in production with APIM is to pay $7000 per cluster. Think about it for a minute. Yes, there are other ways to implement APIM but any advantage Service Fabric has over Kubernetes or Docker Swarm is being thrown away. The pricing level will deter most customers from even trying the platform.
It's a cool integration but out of reach of most people!
Samuel Stenton commented
I'm amazed that just to allow APIM to connect to a VNET you need to fork out 1000s. This should be basic functionality. Team, please make this feature available to other tiers, I don't want any of the other features. Just the ability to connect to VNETs.
I have however found a workaround:
At the basic tiers this costs <$200/pm and requires an application gateway, an NSG and some DNS records.
Along with the basic tier APIM, you'll need to create a public Application Gateway (V2 for static ip) with an NSG blocking all internet traffic except your APIM gateway. You will then add your backend service to the AppGW and point your APIM API configuration to the external AppGW IP.
If you have more than one service behind AppGW you'll need to assign a DNS entry for each instead. So:
Add api1.yoursite.com and api2.yoursite.com to your DNS with an A record pointing to the AppGW. Then add those both to the AppGW as listeners. Then finally add the new domains to the APIM.
The issue here is that technically you're breaking out into the internet. Some risk is remediated through the use of the NSG, however you will incur extra bandwidth charges for the egress.
I hope this helps someone.
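A check for the NSG described in the workaround above, added as an example that is not part of the original comment: it models first-match NSG evaluation and flags any rule set where a source other than the APIM IP can reach the 443 listener. The IP addresses, rule names and the simplified service-tag matching are assumptions; the 65200-65535 range for the GatewayManager tag is what Application Gateway v2 needs for its own management traffic.

```python
import ipaddress

APIM_IP = "203.0.113.10"  # constructed stand-in for the APIM gateway's public IP
PLATFORM_TAGS = {"GatewayManager", "AzureLoadBalancer"}  # Azure service tags

def rule(name, prio, access, src, ports):
    return {"name": name, "priority": prio, "direction": "Inbound", "access": access,
            "sourceAddressPrefix": src, "destinationPortRange": ports}

# Constructed NSG for the Application Gateway subnet (not from the thread).
GOOD_NSG = [
    rule("allow-apim", 100, "Allow", APIM_IP + "/32", "443"),
    rule("allow-gateway-manager", 110, "Allow", "GatewayManager", "65200-65535"),
    rule("allow-lb-probe", 120, "Allow", "AzureLoadBalancer", "*"),
    rule("deny-rest", 4000, "Deny", "*", "*"),
]
# Same NSG with the 443 rule opened to the whole internet instead of APIM only.
BAD_NSG = [rule("allow-https", 100, "Allow", "Internet", "443")] + GOOD_NSG[1:]

def port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def source_matches(prefix, src):
    """src is an IP string or a service tag name (simplified model)."""
    if prefix == "*" or prefix == src:
        return True
    try:
        return ipaddress.ip_address(src) in ipaddress.ip_network(prefix)
    except ValueError:  # prefix or src is a service tag, not an address
        return prefix == "Internet" and src not in PLATFORM_TAGS

def decide(rules, src, port):
    """First matching inbound rule by ascending priority wins, as in an NSG."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["direction"] == "Inbound" and source_matches(r["sourceAddressPrefix"], src)
                and port_matches(r["destinationPortRange"], port)):
            return r["access"]
    return "Deny"  # models the default DenyAllInBound for non-VNet sources

def audit(rules, apim_ip, other_ip="198.51.100.7"):
    findings = []
    if decide(rules, apim_ip, 443) != "Allow":
        findings.append("APIM cannot reach the 443 listener")
    if decide(rules, other_ip, 443) != "Deny":
        findings.append("non-APIM internet source can reach the 443 listener")
    if decide(rules, "GatewayManager", 65200) != "Allow":
        findings.append("GatewayManager blocked on 65200-65535")
    allowed = PLATFORM_TAGS | {apim_ip + "/32"}
    findings += ["unexpected allow source in rule " + r["name"] for r in rules
                 if r["access"] == "Allow" and r["sourceAddressPrefix"] not in allowed]
    return findings
```

`audit(GOOD_NSG, APIM_IP)` returns no findings, while `audit(BAD_NSG, APIM_IP)` reports both the reachable listener and the rule that causes it.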
We're blocked on Premium level only because we need VNETs, the amount of savings that could have been done if it was available in Basic tier...
Totally unacceptable that a very basic security feature requires Premium tier.
Robert Zandberg - Bencom Group commented
Any updates about this topic?
The workaround I am now testing is one I found on Stack Overflow (https://stackoverflow.com/questions/46234665/azure-api-management-to-vnet):
An App Service Environment as an external interface and APIM talking to that.
Amir sayyar commented
Is there any workaround? Like using a proxy with our APIM outside of the VNET to be able to communicate with your VNET?
This has been "Under Review" for over 2 years. Seems like Microsoft doesn't care. Come on, even AWS API Gateway supports VPC.
Totally agree with all of you! It's a house without walls but... with a front door
Any update, team?
Christian Weiss commented
Having VNET-integration as a Premium-only feature is a 100% blocker for this entire product.
I don't understand how you can advertise this product as being able to "secure backend APIs" when you pretty much force anybody who can't afford Premium to publish the backend APIs to public endpoints. What's the point of having authentication in the API management when the actual backend API is public and unprotected?! It's not the hardest thing in the world to e.g. enumerate through App Service URLs and look for OpenAPI URLs on them.
VNET integration must be included in every tier in my opinion.
Just saw the Isolated tier in preview, but all we need is the Basic or Standard tier that supports VNET to connect to our private backend. When can this be made available?
Any update, team?
Any update on this?
After two years of this request, is there any update from Microsoft?
Remy Belanger commented
Any update on this?
David GROSPELIER commented
We absolutely need it for APIM and also for other components of the integration area like Logic Apps (need an ISE, very expensive), ...
We really need standard tier of APIM to have VNET integration. Very difficult to explain going to premium just to get VNET integration. This is a basic feature most security teams want, APIM is of no use if you can't connect to private backend for any enterprise customer. Going to premium changes the TCO savings, hence the business case.
nandita sharma commented
Is there any update on this feature??
Harendra Prasad commented
Any update on this feature??
Prachi Sawant commented
Any update on the feature?