| title | Deploy Azure API Management Instance to External Virtual Network |
|---|---|
| description | Learn how to deploy (inject) your Azure API instance to a virtual network in external mode and access API backends through it. |
| services | api-management |
| author | dlepow |
| ms.service | azure-api-management |
| ms.topic | how-to |
| ms.date | 01/08/2026 |
| ms.author | danlep |
[!INCLUDE premium-dev.md]
You can deploy Azure API Management inside an Azure virtual network to access backend services within the network. For virtual network connectivity options, requirements, and considerations, see:
- Using a virtual network with Azure API Management
- Network resource requirements for API Management injection into a virtual network
This article explains how to set up virtual network connectivity for your API Management Developer tier or Premium tier instance in the external mode. In this mode, the developer portal, API gateway, and other API Management endpoints are accessible from the public internet, and backend services can be located in the network.
:::image type="content" source="media/api-management-using-with-vnet/api-management-vnet-external.png" alt-text="Diagram showing API Management in an external virtual network.":::
For configurations specific to the internal mode, where the endpoints are accessible only within the virtual network, see Deploy your Azure API Management instance to a virtual network - internal mode.
[!INCLUDE updated-for-az]
[!INCLUDE api-management-service-update-behavior]
[!INCLUDE api-management-virtual-network-prerequisites]
-
Go to the Azure portal to find your API management instance. Search for and select API Management services.
-
Select your API Management instance.
-
In the sidebar menu, under Deployment + infrastructure, select Network.
-
Select the External access type. :::image type="content" source="media/api-management-using-with-vnet/api-management-menu-vnet.png" alt-text="Screenshot of network settings in the Azure portal.":::
-
In the list of locations (regions) where your API Management service is provisioned:
- Choose a Location.
- Select Virtual network, Subnet, and (optionally) Public IP address.
-
The virtual network list is populated with virtual networks available in your Azure subscriptions, set up in the region you're configuring.
:::image type="content" source="media/api-management-using-with-vnet/api-management-using-vnet-select.png" alt-text="Screenshot showing virtual network configuration in the portal.":::
-
Select Apply. The Network page of your API Management instance is updated with your new virtual network and subnet choices.
-
Select Verify to confirm that the prerequisites are met and the API Management service can successfully update.
-
Continue configuring virtual network settings for the remaining locations of your API Management instance.
-
In the top navigation bar, select Save.
-
Azure Resource Manager template (API version 2021-08-01)
:::image type="content" source="~/reusable-content/ce-skilling/azure/media/template-deployments/deploy-to-azure-button.svg" alt-text="Button to deploy the Resource Manager template to Azure." border="false" link="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-external-vnet-publicip%2Fazuredeploy.json":::
[!INCLUDE api-management-recommended-nsg-rules]
After you connect your API Management service to the virtual network, you can access backend services within the virtual network just as you do public services. When creating or editing an API, type the local IP address or the host name (if a DNS server is configured for the virtual network) of your web service into the Web service URL field.
:::image type="content" source="media/api-management-using-with-vnet/api-management-using-vnet-add-api.png" alt-text="Screenshot showing how to add API from virtual network in the portal.":::
In external virtual network mode, Azure manages the DNS by default. You can optionally configure a custom DNS server.
The API Management service depends on several Azure services. When API Management is hosted in a virtual network with a custom DNS server, it needs to resolve the hostnames of those Azure services.
- For guidance on custom DNS setup, including forwarding for Azure-provided hostnames, see Name resolution for resources in Azure virtual networks.
- Outbound network access on port
53is required for communication with DNS servers. For more settings, see Virtual network configuration reference.
Important
If you plan to use custom DNS servers for the virtual network, set them up before deploying an API Management service into the virtual network. Otherwise, you need to update the API Management service each time you change the DNS servers by running the Apply Network Configuration Operation. You can also apply a network configuration on the Network/Network status blade in the Azure portal.
- A load-balanced public IP address (VIP) is reserved to provide access to the API Management endpoints and resources outside the virtual network.
- You can find the public VIP on the Overview/Essentials blade in the Azure portal.
For more information and considerations, see IP addresses of Azure API Management.
[!INCLUDE api-management-virtual-network-vip-dip]
[!INCLUDE api-management-virtual-network-forced-tunneling]
This section has moved. See Virtual network configuration reference.
[!INCLUDE api-management-virtual-network-troubleshooting]
Learn more about: