Merge pull request #314596 from dlepow/dlepow-1775858604645

prmerger-automator[bot] · web-flow · commit 625f30498c81 · 2026-04-14T22:23:22.000Z
[APIM] Cred mgr in VNet
diff --git a/articles/api-management/credentials-configure-common-providers.md b/articles/api-management/credentials-configure-common-providers.md
@@ -34,7 +34,9 @@ To configure any of the supported providers in API Management, first configure a
 
 * Depending on the provider and your scenario, you might need to retrieve other settings, like authorization endpoint URLs or scopes.
 
-* The provider's authorization endpoints must be reachable over the internet from your API Management instance. If your API Management instance is secured in a virtual network, configure network or firewall rules to allow access to the provider's endpoints.
+* The provider's authorization endpoints must be reachable over the internet from your API Management instance. If your API Management instance is secured in a virtual network, configure network or firewall rules to allow access to the provider's endpoints. 
+
+    Additionally, requests for tokens need to go out of the customer's network to the credential manager endpoint, which remains in a Microsoft network. To reach the credential manager endpoint, allow outbound access from the virtual network to the **AzureConnections** service tag on port 443.
 
 ## Microsoft Entra provider
 
diff --git a/articles/api-management/credentials-overview.md b/articles/api-management/credentials-overview.md
@@ -4,7 +4,7 @@ description: Learn about using credential manager in Azure API Management to cre
 author: dlepow
 ms.service: azure-api-management
 ms.topic: concept-article
-ms.date: 09/25/2025
+ms.date: 04/10/2026
 ms.author: danlep
 ms.custom: references_regions
 ---
@@ -129,9 +129,9 @@ At runtime, API Management can't fetch new tokens, and an error occurs.
 
 * If the connection is of type *client credentials*, the client secret needs to be updated on the connection level.
 
-### Is this feature supported using API Management running inside a VNet?
+### Is this feature supported using API Management running inside a virtual network?
 
-Yes, as long as outbound connectivity on port 443 is enabled to the **AzureConnectors** service tag. For more information, see [Virtual network configuration reference](virtual-network-reference.md#required-ports).
+Requests for tokens need to go out of the customer's network to the credential manager endpoint, which remains in a Microsoft network. If the API Management instance is running inside a virtual network, credential manager is supported as long as outbound connectivity on port 443 is enabled to the **AzureConnectors** service tag. For more information, see [Virtual network configuration reference](virtual-network-reference.md#required-ports).
 
 ### What happens when a credential provider is deleted?
 
diff --git a/articles/api-management/virtual-network-reference.md b/articles/api-management/virtual-network-reference.md
@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: reference
-ms.date: 06/17/2025
+ms.date: 04/10/2026
 ms.author: danlep
 ms.custom: references_regions
 ---
@@ -45,7 +45,7 @@ When an API Management service instance is hosted in a VNet, the ports in the fo
 | Outbound | VirtualNetwork | * | Internet | 80                  |  TCP | Allow  | **Validation and management of Microsoft-managed and customer-managed certificates**      | External & Internal  |
 | Outbound | VirtualNetwork | * | Storage | 443                  |  TCP                | Allow             | **Dependency on Azure Storage**                             | External & Internal  |
 | Outbound | VirtualNetwork |  * | AzureActiveDirectory | 443                             | TCP                | Allow | [Microsoft Entra ID, Microsoft Graph,](api-management-howto-aad.md) and Azure Key Vault dependency (optional)              | External & Internal  |
-| Outbound | VirtualNetwork | * | AzureConnectors | 443                  |  TCP                | Allow | [managed connections](credentials-overview.md) dependency (optional)              | External & Internal  |
+| Outbound | VirtualNetwork | * | AzureConnectors | 443                  |  TCP                | Allow | [API Management credential manager endpoint](credentials-overview.md) dependency (optional)              | External & Internal  |
 | Outbound | VirtualNetwork | * | Sql | 1433                     |  TCP                | Allow          | **Access to Azure SQL endpoints**                           | External & Internal  |
 | Outbound | VirtualNetwork | * | AzureKeyVault | 443                     |  TCP                | Allow                | **Access to Azure Key Vault**                         | External & Internal  |
 | Outbound | VirtualNetwork | * | EventHub | 5671, 5672, 443          |  TCP                | Allow            | Dependency for [Log to Azure Event Hubs policy](api-management-howto-log-event-hubs.md) and [Azure Monitor](api-management-howto-use-azure-monitor.md) (optional) | External & Internal  |
