adrianwright/apim-multi-subscription-private-link

Azure APIM Cross-Subscription Infrastructure

This repository contains Azure Bicep templates for deploying a cross-subscription API Management infrastructure with Private Link capabilities.

Architecture

  • SUB1 (APIM Subscription): APIM StandardV2 + Backend2 + Client + Private Link
  • SUB2 (Backend Subscription): Backend1 VM with nginx
  • Cross-subscription VNet peering between subscriptions
  • APIM StandardV2 with External VNet integration + Private Link endpoint
  • Private connectivity via Private DNS zones and Private Link

Files

  • apim-infrastructure.bicep - Main APIM infrastructure template (SUB1)
  • backend1.bicep - Backend1 VM infrastructure template (SUB2)

Deployment

Step 1: Deploy Backend1 (SUB2)

az deployment group create \
  --resource-group rg-backend1-sub2 \
  --template-file backend1.bicep \
  --parameters sshPublicKey="$(cat ~/.ssh/id_rsa.pub)"

Step 2: Deploy APIM Infrastructure (SUB1)

# Get Backend1 private IP
BACKEND1_IP=$(az vm show --resource-group rg-backend1-sub2 --name vm-backend1 --show-details --query privateIps --output tsv)

# Deploy APIM infrastructure
az deployment group create \
  --resource-group rg-apim-sub1 \
  --template-file apim-infrastructure.bicep \
  --parameters sshPublicKey="$(cat ~/.ssh/id_rsa.pub)" backend1PrivateIp="$BACKEND1_IP"

Features

  • Cross-subscription VNet peering for backend connectivity
  • APIM StandardV2 with External VNet integration
  • Private Link endpoint for private API access
  • Private DNS zones for name resolution
  • Proper NSG rules and route tables for APIM control plane
  • Service endpoints for Azure services (Storage, SQL, EventHub, KeyVault)
  • Automated backend policies for API routing

Security

  • Private Link endpoint with DNS integration
  • Network Security Groups with least-privilege access
  • Service endpoints for required Azure services
  • Route tables ensuring APIM control plane connectivity
  • Cross-subscription peering with minimal required permissions

Testing

Access APIs via Private Link:

# From client VM (private connectivity)
curl https://apim-lab-int-sv2-xxxxx.privatelink.azure-api.net/backend1/
curl https://apim-lab-int-sv2-xxxxx.privatelink.azure-api.net/backend2/
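An added helper script, not part of this repository, that guards the two places above where a private address is assumed: the Step 2 hand-off of BACKEND1_IP into the APIM backend policy, and the Private Link test, which only proves private connectivity if the privatelink hostname resolves through the Private DNS zone rather than to a public record. It assumes the CLI context already points at the subscription holding each resource group, as in the README; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the repository. Guards two steps of the README:
# Step 2 passes BACKEND1_IP into the APIM backend policy, and the Testing
# section assumes the privatelink hostname resolves via the Private DNS zone.
# Both silently misbehave if the address is empty or public, so check first.

# Return 0 if $1 is a well-formed RFC 1918 IPv4 address, 1 otherwise.
is_private_ipv4() {
  [ -n "$1" ] || return 1
  _saved_ifs="$IFS"; IFS=.; set -f; set -- $1; set +f; IFS="$_saved_ifs"
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    case "$_octet" in ''|*[!0-9]*) return 1 ;; esac   # digits only
    [ "$_octet" -le 255 ] || return 1
  done
  # 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  return 1
}

# Step 2 guard: only deploy APIM with a validated backend address (assumes the
# CLI context is SUB1, as in the README).
deploy_apim_guarded() {
  if ! is_private_ipv4 "$1"; then
    echo "refusing to deploy: backend1PrivateIp='$1' is empty or not private" >&2
    return 2
  fi
  az deployment group create \
    --resource-group rg-apim-sub1 \
    --template-file apim-infrastructure.bicep \
    --parameters sshPublicKey="$(cat ~/.ssh/id_rsa.pub)" backend1PrivateIp="$1"
}

# Testing guard: call the gateway only if, from this client, the privatelink
# hostname resolves to a private address (Private DNS zone linked and answering).
curl_via_private_link() {
  _resolved=$(getent hosts "$1" | awk '{print $1; exit}')
  if ! is_private_ipv4 "$_resolved"; then
    echo "refusing to call $1: resolves to '$_resolved', not a private address" >&2
    return 2
  fi
  curl -sS "https://$1/$2/"
}

# Usage (needs Azure access; not exercised offline):
#   deploy_apim_guarded "$BACKEND1_IP"
#   curl_via_private_link apim-lab-int-sv2-xxxxx.privatelink.azure-api.net backend1
```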

Cleanup

Delete SUB1 resources

az account set --subscription "sub1-id"
az group delete --name rg-apim-sub1 --yes --no-wait

Delete SUB2 resources

az account set --subscription "sub2-id"
az group delete --name rg-backend1-sub2 --yes --no-wait


## Cost Considerations

- **Standard_v2 APIM**: ~$800-1000/month (consider Developer tier for testing)
- **VMs**: ~$30-50/month each with Standard_B1s
- **Standard Public IPs**: ~$4/month each
- **VNet Peering**: Minimal data transfer costs

For testing, consider switching APIM to Developer tier in the Bicep template.
