We have an API Management instance and we set up 2 custom domains, one public and one private:
Some APIs have to be reachable only internally via api-internal.domain.com. It works, but I see that if I configure both custom domains, with api-internal.domain.com configured only in the private DNS zone, those APIs are also reachable from api.domain.com.
Is this behavior correct? I want to set up api-internal.domain.com on APIM in some way so that it is reachable only internally. I'm reading the Microsoft docs and I can do it with a policy, but the APIs are always reachable from the public domain; they will be blocked, but I want to avoid that.
Thanks
CodePudding user response:
That is by design: as long as the service is not deployed in a VNET (internal mode), the default and custom domains will always have public Azure DNS records pointing to the public IP address.
The solution here is to deploy your service to a VNET (internal mode) and expose the public APIs to the internet using an application gateway configured with path-based routing, with your public domain configured to point to the application gateway's public IP address. Regarding your internal APIs, you can configure your private domain to point to the internal IP address (private load balancer) of the APIM service.
See the resource below:
https://learn.microsoft.com/en-us/azure/application-gateway/create-url-route-portal
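The design in the answer above, as an added Bicep example that is not part of the original post and not Microsoft's own template: APIM in internal VNet mode with both custom hostnames, a private DNS zone that resolves api-internal.domain.com only from inside the VNet, and an Application Gateway that forwards only an allowlisted path prefix to APIM. The resource names, the subnet/VNet/identity/certificate parameters, the `/public/*` prefix, and a certificate issued by a CA that Application Gateway already trusts are all assumptions made for this example.

```bicep
// Added example, not from the original post or Microsoft docs. The names,
// subnet/identity/cert parameters and the '/public/*' prefix are assumptions.
param location string = resourceGroup().location
param vnetId string               // VNet containing both subnets
param apimSubnetId string         // subnet for APIM (internal mode)
param appGwSubnetId string        // dedicated Application Gateway subnet
param identityId string           // user-assigned identity with 'get' on the cert secret
param identityClientId string     // client ID of that identity (APIM uses it for Key Vault)
param certSecretId string         // versionless Key Vault secret ID of the TLS certificate
param publicHost string = 'api.domain.com'
param internalHost string = 'api-internal.domain.com'
param publicPaths array = [ '/public/*' ]  // the only prefixes exposed to the internet
var appGwName = 'appgw-apim'
var gwId = resourceId('Microsoft.Network/applicationGateways', appGwName)

// 1. APIM in internal VNet mode: no public DNS record is created for the custom
//    hostnames, and the gateway only gets a private IP inside apimSubnet.
resource apim 'Microsoft.ApiManagement/service@2023-05-01-preview' = {
  name: 'apim-example'
  location: location
  sku: { name: 'Developer', capacity: 1 }
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${identityId}': {} } }
  properties: {
    publisherEmail: 'admin@domain.com'
    publisherName: 'Example'
    virtualNetworkType: 'Internal'
    virtualNetworkConfiguration: { subnetResourceId: apimSubnetId }
    hostnameConfigurations: [
      { type: 'Proxy', hostName: publicHost, keyVaultId: certSecretId, identityClientId: identityClientId }
      { type: 'Proxy', hostName: internalHost, keyVaultId: certSecretId, identityClientId: identityClientId }
    ]
  }
}
var apimPrivateIp = apim.properties.privateIPAddresses[0]

// 2. Private DNS zone linked to the VNet: api-internal resolves only from inside
//    the VNet, to APIM's private IP. Nothing about it is published publicly.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'domain.com', location: 'global' }
resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'vnet-link'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: vnetId } }
}
resource internalRecord 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
  parent: zone
  name: 'api-internal'
  properties: { ttl: 300, aRecords: [ { ipv4Address: apimPrivateIp } ] }
}

// 3. Application Gateway is the only public entry point. Only publicPaths are
//    forwarded to APIM; every other path lands in an empty pool and fails at the
//    gateway (HTTP 502), so the internal APIs never get a public route.
resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-${appGwName}'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}
resource appGw 'Microsoft.Network/applicationGateways@2023-05-01' = {
  name: appGwName
  location: location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${identityId}': {} } }
  properties: {
    sku: { name: 'Standard_v2', tier: 'Standard_v2', capacity: 1 }
    gatewayIPConfigurations: [ { name: 'gwip', properties: { subnet: { id: appGwSubnetId } } } ]
    frontendIPConfigurations: [ { name: 'feip', properties: { publicIPAddress: { id: pip.id } } } ]
    frontendPorts: [ { name: 'p443', properties: { port: 443 } } ]
    sslCertificates: [ { name: 'cert', properties: { keyVaultSecretId: certSecretId } } ]
    backendAddressPools: [
      { name: 'apim', properties: { backendAddresses: [ { ipAddress: apimPrivateIp } ] } }
      { name: 'sink', properties: { backendAddresses: [] } }  // deliberately empty: default target
    ]
    // APIM's documented gateway health endpoint, probed with the public host name
    probes: [ { name: 'apim-probe', properties: { protocol: 'Https', host: publicHost, path: '/status-0123456789abcdef', interval: 30, timeout: 30, unhealthyThreshold: 3 } } ]
    // Host header is rewritten to the public custom domain before reaching APIM
    backendHttpSettingsCollection: [ { name: 'apim-https', properties: { port: 443, protocol: 'Https', hostName: publicHost, requestTimeout: 30, probe: { id: '${gwId}/probes/apim-probe' } } } ]
    httpListeners: [ { name: 'https', properties: {
      frontendIPConfiguration: { id: '${gwId}/frontendIPConfigurations/feip' }
      frontendPort: { id: '${gwId}/frontendPorts/p443' }
      protocol: 'Https'
      hostName: publicHost
      sslCertificate: { id: '${gwId}/sslCertificates/cert' }
    } } ]
    urlPathMaps: [ { name: 'public-only', properties: {
      defaultBackendAddressPool: { id: '${gwId}/backendAddressPools/sink' }
      defaultBackendHttpSettings: { id: '${gwId}/backendHttpSettingsCollection/apim-https' }
      pathRules: [ { name: 'public-apis', properties: {
        paths: publicPaths
        backendAddressPool: { id: '${gwId}/backendAddressPools/apim' }
        backendHttpSettings: { id: '${gwId}/backendHttpSettingsCollection/apim-https' }
      } } ]
    } } ]
    requestRoutingRules: [ { name: 'public-rule', properties: {
      ruleType: 'PathBasedRouting'
      priority: 100
      httpListener: { id: '${gwId}/httpListeners/https' }
      urlPathMap: { id: '${gwId}/urlPathMaps/public-only' }
    } } ]
  }
}
```

Two practical points for anyone using this pattern. First, APIM does not tie an API to a hostname: every API answers on every configured custom domain, so the path allowlist at the gateway (`publicPaths`) is the control that keeps internal APIs off the internet; keep the internal APIs on path prefixes that are not in that list. Second, the public `api.domain.com` record lives in public DNS and must point at the gateway's public IP; because the private zone here covers all of `domain.com`, clients inside the VNet will not resolve `api.domain.com` unless you also add an `api` A record in the private zone pointing at that same public IP. The APIM subnet still needs the NSG rules Microsoft documents for internal mode (for example, management traffic on 3443 from the ApiManagement service tag), which are outside this template. To check the result: from the internet, `https://api.domain.com/public/...` works, any other path returns 502 from the gateway, and `api-internal.domain.com` does not resolve at all; from inside the VNet it resolves to the private IP.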