How Can I Set Up a Fully Private APIM with WAF?

Asked By TechWiz42 On

Hey everyone! I've been having a tough time figuring out how to re-architect our setup with an enterprise-wide API Management (APIM). The common method for protecting this using a Web Application Firewall (WAF) seems to be through a front door, but I'm confused about the three deployment options for the Premium V1 APIM.

1. **No Virtual Network Integration**: This allows a private endpoint but restricts internal resource communication, creating a gap.
2. **External VNET**: This setup allows private communication with internal resources, but once traffic reaches the Front Door, it must flow back through a public IP, which also leaves a gap.
3. **Internal VNET**: This option enables private communication with internal resources, but it cannot route traffic from Front Door due to the lack of a public IP.

It seems strange that you can have an APIM on a private network with no private endpoint for Front Door, or you can have the endpoint but still restrict internal traffic.

I've also checked out V2 for APIM, which offers:
1. **Standard**: Supports private endpoints but no VNET integration.
2. **Premium**: Offers VNET access but no private endpoints.

I feel like I'm missing something crucial here because none of these options seem to provide a single WAF entry with fully private traffic routing. Any insights would be greatly appreciated!

2 Answers

Answered By CloudGuru77 On

Absolutely! For best practice, you'd want your hub firewall and WAF inline, so having the traffic flow like AFD -> FW -> APIM is ideal. It'll enhance your security while maintaining the necessary routing.

TechWiz42 -

That makes total sense, thank you! This should help in routing all inbound traffic for inspection.

Answered By APIMExpert88 On

I can help clear this up! If you deploy your APIM in Internal mode, you can grab the private IP address from the internal load balancer created during deployment. Then, set up a NAT rule through your firewall to point to that address, allowing you to position an Azure Front Door in front, pointing to the public IP.

It's frustrating that the APIM scaling options aren't more user-friendly. Internal mode should be available widely since many businesses need it; forcing a premium SKU for pre-prod setups is a real hassle. Good luck!
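The design both answers describe (Front Door -> hub firewall -> APIM in Internal VNet mode, with a DNAT rule on the firewall forwarding to the APIM internal load balancer's private IP) expressed as a Bicep fragment. This is an added example, not code from either answerer or from Microsoft; every resource name, the private IP, the hostname and the API versions are assumptions, and the firewall policy, firewall public IP and Front Door profile are assumed to already exist.

```bicep
// Added example (not from the original thread). Wires an existing Azure Firewall
// and an existing Front Door profile to an APIM instance deployed in Internal
// VNet mode. Names, addresses and API versions below are placeholders.

// ASSUMPTION: private IP of the internal load balancer that the Internal-mode
// APIM deployment created (shown as privateIPAddresses on the APIM resource).
param apimPrivateIp string = '10.1.2.4'

// ASSUMPTION: existing hub firewall policy and the firewall's static public IP.
param firewallPolicyName string = 'hub-fw-policy'
param firewallPublicIpName string = 'hub-fw-pip'

// ASSUMPTION: existing Front Door Standard/Premium profile (the WAF policy is
// attached to it through a security policy in the usual way; not shown here).
param frontDoorProfileName string = 'afd-premium'

// ASSUMPTION: custom domain clients use; APIM must serve a certificate for it.
param apiHostName string = 'api.example.com'

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
  name: firewallPolicyName
}

resource fwPublicIp 'Microsoft.Network/publicIPAddresses@2023-04-01' existing = {
  name: firewallPublicIpName
}

resource afdProfile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
  name: frontDoorProfileName
}

// DNAT: <firewall public IP>:443 -> <APIM internal load balancer IP>:443.
// Source is left open at the firewall; the accepted way to make sure only
// Front Door reaches the gateway is to check the X-Azure-FDID header in an
// APIM inbound policy against the profile's Front Door ID.
resource natRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: fwPolicy
  name: 'apim-dnat-rcg'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'apim-inbound'
        priority: 100
        action: { type: 'Dnat' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'afd-to-apim-https'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ fwPublicIp.properties.ipAddress ]
            destinationPorts: [ '443' ]
            translatedAddress: apimPrivateIp
            translatedPort: '443'
          }
        ]
      }
    ]
  }
}

// Front Door origin group probing APIM's built-in health endpoint through the firewall.
resource originGroup 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = {
  parent: afdProfile
  name: 'apim-origins'
  properties: {
    loadBalancingSettings: { sampleSize: 4, successfulSamplesRequired: 3 }
    healthProbeSettings: {
      probePath: '/status-0123456789abcdef'
      probeRequestType: 'GET'
      probeProtocol: 'Https'
      probeIntervalInSeconds: 30
    }
  }
}

// The origin is the firewall's public IP; the Host header carries the API
// hostname so APIM's custom-domain binding (and its certificate) match.
resource origin 'Microsoft.Cdn/profiles/originGroups/origins@2023-05-01' = {
  parent: originGroup
  name: 'hub-firewall'
  properties: {
    hostName: fwPublicIp.properties.ipAddress
    httpsPort: 443
    originHostHeader: apiHostName
    priority: 1
    weight: 1000
    enabledState: 'Enabled'
  }
}
```

Deploy with `az deployment group create` against the hub resource group. Traffic then enters only through Front Door (where the WAF runs), is inspected by the hub firewall, and lands on the APIM gateway's private address; the APIM subnet's NSG should allow 443 only from the firewall subnet so that the gateway is unreachable by any other path.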
