This article describes how to implement a an APIM service on external mode. This approach is useful when we want our API s to be network capable and we can chose how to expose them on the web or connect them with on premises networks.

In the above approach the API endpoints are accessible from the internet so adding azure firewall can secure all communications. If you want an isolated APIM instance you should use internal mode described here.

To successfully deploy on vnet on external mode there are some prerequisites to be met.

1)V-Net

2) NSG

V-Net

Your Vnet must be of minimum range /25 how ever it is recommend to allow a lot more space. For that one the Vnet is implemented on the defaults so /24. ~There also a number of endpoints to be enabled as shown below:

NSG

NSG needs to be configured as well prior to the service its self. A number of ports need to be configured so that the service can successfully acquire the required tokens to enable the subsequent underlying services.

We those two in place we can build the APIM service successfully. If everything is in place the network status of the APIM service should look like the one below:

The official documentation of the APIM network capability is here. However the above points will help overcome the tricky points.