top of page

Design and publish internal Azure APIs to external users

Updated: Jun 5

Azure API Management is a hybrid, multi-cloud management platform for APIs across all environments. This article provides an overview of common scenarios and key components of API Management.


APIs enable digital experiences, simplify application integration, underpin new digital products, and make data and services reusable and universally accessible. With the proliferation and increasing dependency on APIs, organizations need to manage them as first-class assets throughout their lifecycle.

Azure API Management helps customers meet these challenges

  • Abstract backend architecture diversity and complexity from API consumers

  • Securely expose services hosted on and outside of Azure as APIs

  • Protect, accelerate, and observe APIs

  • Enable API discovery and consumption by internal and external users

Common scenarios include

Unlocking legacy assets

APIs are used to abstract and modernize legacy backends and make them accessible from new cloud services and modern applications. APIs allow innovation without the risk, cost, and delays of migration.

API-centric app integration

APIs are easily consumable, standards-based, and self-describing mechanisms for exposing and accessing data, applications, and processes. They simplify and reduce the cost of app integration.

Multi-channel user experiences

APIs are frequently used to enable user experiences such as web, mobile, wearable, or Internet of Things applications. Reuse APIs to accelerate development and ROI.

B2B integration

APIs exposed to partners and customers lower the barrier to integrating business processes and exchanging data between business entities. APIs eliminate the overhead inherent in point-to-point integration. Especially with self-service discovery and onboarding enabled, APIs are the primary tools for scaling B2B integration.

Solution Background

In this scenario, an organization has hosted multiple APIs using Application Service Environments(ILB ASE) and would like to consolidate these APIs internally using Azure API Management (APIM) deployed inside a Virtual Network. The internal API Management instance could also be exposed to external users to allow for the utilization of the full potential of the APIs. This external exposure could be achieved using an Application Gateways forwarding requests to the internal API Management service, which in turn consumes the APIs deployed in the ASE.


Azure API Management


The data flows as follows:

1. Developers check in code to a GitHub repository connected to the CI/CD pipeline Agent installed on an Azure VM

2. The agent pushes the build to the API application hosted on ILB ASE

3. API Management consumes the above APIs via HOST Headers specified in the API Management policy

4. API Management uses the App Service Environment's DNS name for all the APIs

5. Application Gateway exposes API Management's developer and API portal

6. Azure Private DNS is used to route the traffic internally between ASE, API Management, and Application Gateway

7. External Users use the exposed Dev Portal to consume the APIs via Application Gateway's public IP


  • Azure Virtual Network enables Azure resources to securely communicate with each other, as well as the internet and on-premises networks.

  • Azure Private DNS allows domain names to be resolved in a virtual network without needing to add a custom DNS solution.

  • Azure API Management helps organizations publish APIs to external, partner, and internal developers to use their data and services.

  • Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications.

  • Internal Load Balancer App Service Environment is an Azure App Service feature that provides a fully isolated and dedicated environment for securely running App Service apps at a large scale.

  • Azure DevOps is a service for managing your development lifecycle and includes features for planning and project management, code management, build, and release.

  • Application Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms.

  • Azure Cosmos DB is Microsoft's globally distributed, multi-model database service.



  • The web APIs are hosted over a secured HTTPS protocol and will use a TLS Certificate.

  • The Application Gateway is also configured over port 443 for secured and reliable outbound calls.

  • The API Management service is configured to use custom domains using TLS certificates.

  • Review the suggested network configuration for App Service Environments

  • There needs to be an explicit mention of port 3443 allowing API Management to manage via the Azure portal or PowerShell.

  • Leverage policies within APIM to add a HOST header for the API hosted on ASE. This ensures that the ASE's load balancer will properly forward the request.

  • The API Management accepts ASE's DNS entry for all the apps hosted under App Service Environments. Add an APIM policy to explicitly set the HOST Header to allow the ASE load balancer to differentiate between Apps under the App Service Environment.

  • Consider Integrating with Azure Application Insights, which also surfaces metrics through Azure Monitor for monitoring.

  • If using CI/CD pipelines for deploying Internal APIs, consider building your own Hosted Agent on a VM inside the Virtual Network.


Azure API Management service could be deployed as a multi-region deployment for higher availability and to reduce latencies. This feature is only available in Premium Mode. The API Management service in this specific scenario consumes APIs from App Service Environments. One could also use APIM for APIs hosted on the internal on-premises infrastructure.

App Service Environments could make use of Traffic Manager profiles to distribute the traffic hosted on App Service Environments for larger scale and availability.


API Management instances could be scaled out depending upon a number of factors like the number and rate of concurrent connections, the kind and number of configured policies, request and response sizes, and back-end latencies on the APIs. Scaling out instance options are available in Basic, Standard, and Premium Tiers but are bound by an upper scale limit in tiers below premium. The instances are referred to as Units and can be scaled up to a max of two units in the Basic tier, four units in the Standard tier and any number of units in the Premium tier. Auto Scaling options are also available to enable scale-out based on rules.

App Service Environments are designed for scale with limits based on the pricing tier, and the apps hosted under the App Service Environments can be configured to scale out (number of instances) or scale up (instance size) depending upon the requirements of the application.

Azure Application Gateway auto-scaling is available as a part of the Zone redundant SKU in all global Azure regions.


Since the above example scenario is hosted completely on an internal network, API Management and ASE are already deployed on secured infrastructure (Azure VNet). Application Gateways can be integrated with Microsoft Defender for Cloud to provide a seamless way to prevent, detect, and respond to threats to the environment.


This example scenario though talks more about configuration, the APIs hosted on the App Service Environments should be resilient enough to handle errors in the requests, which eventually is managed by the API Management service and Application Gateway. Consider Retry and Circuit breaker patterns in the API design.

180 views0 comments


bottom of page