I'm in the process of setting up an Azure APIM architecture. One of the requirements is to be able to handle both internal and external APIs.
To do so there is a nice architecture (and lots of documentation) where APIM is in a VNET and an APPGW is in front of it to route or block external/internal traffic to APIM:
(https://i.stack.imgur.com/BlpIk.png)
However, this setup is only possible with Premium APIM, aka the rather expensive edition. For cost optimisation we would prefer to use the Standard edition if possible.
So my question: is it possible to implement the above architecture (APPGW in front of APIM) where APIM is not in a VNET? This is to meet the requirements to secure APIM and to expose internal/external APIs.
I would think it is possible; the APPGW would have the public APIM IP in its backend pool to make the connection. However, that connection now goes over the internet, which is insecure, or will Azure do some internal network routing for this?
Or, more generally: what's a best-practice architecture when APIM is not VNET integrated?
I could not find any detailed documentation that covers this topic.
Thanks
CodePudding user response:
You could have some network restrictions, but your APIM would still be exposed over the internet, and Azure will not take extra measures to protect the traffic between your App Gateway, APIM and backends.
Some services can route their traffic through the Microsoft Global Network, but unfortunately APIM is not one of them.
Please make sure you are using HTTPS between your services and set some whitelisting in place.
CodePudding user response:
The only benefit you would get from putting a public APIM behind Application Gateway is the layer 7 load balancing (which you may not need), but you will not benefit from any of the security features of the Application Gateway. On the APIM side, you may block any traffic that does not come from the Traffic Manager public IP using the ip-filter policy, but the request will still arrive at your APIM service and be blocked there instead of being blocked on the Application Gateway side, which can be integrated with WAF to add an extra security layer. So, the idea here is that your APIM service is still publicly accessible from anywhere in the world!
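The ip-filter restriction the answer refers to, written out as an added example of an APIM inbound policy (this is not code from the answer's author); the address is a placeholder standing in for the Application Gateway's frontend public IP:

```xml
<!-- Added example: APIM inbound policy that only admits requests whose source IP
     is the Application Gateway's frontend public IP. 203.0.113.10 is a placeholder
     from the documentation range, not a real address. -->
<policies>
    <inbound>
        <base />
        <!-- Any caller not matching the allow list receives a 403 from APIM.
             As the answer notes, the request has already reached the APIM service
             at this point; only a WAF in front of it can reject traffic earlier. -->
        <ip-filter action="allow">
            <address>203.0.113.10</address>
        </ip-filter>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Applied at the "All APIs" scope, this filter covers every API on the instance; combine it with HTTPS-only listeners on both the gateway and APIM, as the first answer recommends.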