Merge pull request #310181 from dlepow/vnext

[APIM] VNet external mode - freshness/feedback

Author: AnnaMHuff

articles/api-management/api-management-using-with-vnet.md

@@ -1,59 +1,61 @@
 ---
-title: Deploy Azure API Management Instance to External VNet
+title: Deploy Azure API Management Instance to External Virtual Network
 description: Learn how to deploy (inject) your Azure API instance to a virtual network in external mode and access API backends through it.
 services: api-management
 author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 10/1/2025
+ms.date: 01/08/2026
 ms.author: danlep
 ---
 # Deploy your Azure API Management instance to a virtual network - external mode
 
 [!INCLUDE [premium-dev.md](../../includes/api-management-availability-premium-dev.md)]
 
-Azure API Management can be deployed (injected) inside an Azure virtual network (VNet) to access backend services within the network. For VNet connectivity options, requirements, and considerations, see:
+You can deploy Azure API Management inside an Azure virtual network to access backend services within the network. For virtual network connectivity options, requirements, and considerations, see:
 
 * [Using a virtual network with Azure API Management](virtual-network-concepts.md)
 * [Network resource requirements for API Management injection into a virtual network](virtual-network-injection-resources.md)
 
-This article explains how to set up VNet connectivity for your API Management instance in the *external* mode, where the developer portal, API gateway, and other API Management endpoints are accessible from the public internet, and backend services are located in the network.
+This article explains how to set up virtual network connectivity for your API Management Developer tier or Premium tier instance in the *external* mode. In this mode, the developer portal, API gateway, and other API Management endpoints are accessible from the public internet, and backend services can be located in the network.
 
-:::image type="content" source="media/api-management-using-with-vnet/api-management-vnet-external.png" alt-text="Connect to external VNet":::
+:::image type="content" source="media/api-management-using-with-vnet/api-management-vnet-external.png" alt-text="Diagram showing API Management in an external virtual network.":::
 
-For configurations specific to the *internal* mode, where the endpoints are accessible only within the VNet, see [Deploy your Azure API Management instance to a virtual network - internal mode](./api-management-using-with-internal-vnet.md).
+For configurations specific to the *internal* mode, where the endpoints are accessible only within the virtual network, see [Deploy your Azure API Management instance to a virtual network - internal mode](./api-management-using-with-internal-vnet.md).
 
 [!INCLUDE [updated-for-az](~/reusable-content/ce-skilling/azure/includes/updated-for-az.md)]
 
 [!INCLUDE [api-management-service-update-behavior](../../includes/api-management-service-update-behavior.md)]
 
 [!INCLUDE [api-management-virtual-network-prerequisites](../../includes/api-management-virtual-network-prerequisites.md)]
 
-## Enable VNet connection
+## Enable virtual network connection
 
-### Enable VNet connectivity using the Azure portal
+### Enable virtual network connectivity by using the Azure portal
 
 1. Go to the [Azure portal](https://portal.azure.com) to find your API management instance. Search for and select **API Management services**.
-1. Choose your API Management instance.
-1. Select **Network**.
+1. Select your API Management instance.
+1. In the sidebar menu, under **Deployment + infrastructure**, select **Network**.
 1. Select the **External** access type.
-    :::image type="content" source="media/api-management-using-with-vnet/api-management-menu-vnet.png" alt-text="Select VNet in Azure portal.":::
+    :::image type="content" source="media/api-management-using-with-vnet/api-management-menu-vnet.png" alt-text="Screenshot of network settings in the Azure portal.":::
 
 1. In the list of locations (regions) where your API Management service is provisioned:
     1. Choose a **Location**.
-    1. Select **Virtual network**, **Subnet**, and (optionally) **IP address**.
-    * The VNet list is populated with Resource Manager VNets available in your Azure subscriptions, set up in the region you're configuring.
+    1. Select **Virtual network**, **Subnet**, and (optionally) **Public IP address**.
+    * The virtual network list is populated with virtual networks available in your Azure subscriptions, set up in the region you're configuring.
 
-        :::image type="content" source="media/api-management-using-with-vnet/api-management-using-vnet-select.png" alt-text="VNet settings in the portal.":::
+        :::image type="content" source="media/api-management-using-with-vnet/api-management-using-vnet-select.png" alt-text="Screenshot showing virtual network configuration in the portal.":::
 
-1. Select **Apply**. The **Network** page of your API Management instance is updated with your new VNet and subnet choices.
+1. Select **Apply**. The **Network** page of your API Management instance is updated with your new virtual network and subnet choices.
 
-1. Continue configuring VNet settings for the remaining locations of your API Management instance.
+1. Select **Verify** to confirm that the prerequisites are met and the API Management service can successfully update.
+
+1. Continue configuring virtual network settings for the remaining locations of your API Management instance.
 
 1. In the top navigation bar, select **Save**.
 
-### Enable connectivity using a Resource Manager template
+### Enable connectivity by using a Resource Manager template
 
 * Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-external-vnet-publicip) (API version 2021-08-01)
 
@@ -63,26 +65,26 @@ For configurations specific to the *internal* mode, where the endpoints are acce
 
 ## Connect to a web service hosted within a virtual network
 
-Once you've connected your API Management service to the VNet, you can access backend services within it just as you do public services. When creating or editing an API, type the local IP address or the host name (if a DNS server is configured for the VNet) of your web service into the **Web service URL** field.
+After you connect your API Management service to the virtual network, you can access backend services within the virtual network just as you do public services. When creating or editing an API, type the local IP address or the host name (if a DNS server is configured for the virtual network) of your web service into the **Web service URL** field.
 
-:::image type="content" source="media/api-management-using-with-vnet/api-management-using-vnet-add-api.png" alt-text="Add API from VNet":::
+:::image type="content" source="media/api-management-using-with-vnet/api-management-using-vnet-add-api.png" alt-text="Screenshot showing how to add API from virtual network in the portal.":::
 
 ## Custom DNS server setup
 
-In external VNet mode, Azure manages the DNS by default. You can optionally configure a custom DNS server.
+In external virtual network mode, Azure manages the DNS by default. You can optionally configure a custom DNS server.
 
-The API Management service depends on several Azure services. When API Management is hosted in a VNet with a custom DNS server, it needs to resolve the hostnames of those Azure services.
+The API Management service depends on several Azure services. When API Management is hosted in a virtual network with a custom DNS server, it needs to resolve the hostnames of those Azure services.
 
 * For guidance on custom DNS setup, including forwarding for Azure-provided hostnames, see [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server).  
 * Outbound network access on port `53` is required for communication with DNS servers. For more settings, see [Virtual network configuration reference](virtual-network-reference.md).
 
 > [!IMPORTANT]
-> If you plan to use a custom DNS server(s) for the VNet, set it up **before** deploying an API Management service into it. Otherwise, you'll need to update the API Management service each time you change the DNS Server(s) by running the [Apply Network Configuration Operation](/rest/api/apimanagement/current-ga/api-management-service/apply-network-configuration-updates).
+> If you plan to use custom DNS servers for the virtual network, set them up **before** deploying an API Management service into the virtual network. Otherwise, you need to update the API Management service each time you change the DNS servers by running the [Apply Network Configuration Operation](/rest/api/apimanagement/current-ga/api-management-service/apply-network-configuration-updates). You can also apply a network configuration on the **Network/Network status** blade in the Azure portal.
 
 ## Routing
 
-* A load-balanced public IP address (VIP) is reserved to provide access to the API Management endpoints and resources outside the VNet.
-  * The public VIP can be found on the **Overview/Essentials** blade in the Azure portal.
+* A load-balanced public IP address (VIP) is reserved to provide access to the API Management endpoints and resources outside the virtual network.
+  * You can find the public VIP on the **Overview/Essentials** blade in the Azure portal.
 
 For more information and considerations, see [IP addresses of Azure API Management](api-management-howto-ip-addresses.md#ip-addresses-of-api-management-in-a-virtual-network).
 

articles/api-management/media/api-management-using-with-vnet/api-management-menu-vnet.png

@@ -8,7 +8,7 @@ ms.author: danlep
 
 ## Configure NSG rules
 
-Configure custom network rules in the API Management subnet to filter traffic to and from your API Management instance. We recommend the following *minimum* NSG rules to ensure proper operation and access to your instance. Review your environment carefully to determine more rules that might be needed. 
+Configure custom network security rules in the API Management subnet to filter traffic to and from your API Management instance. We recommend the following *minimum* NSG rules to ensure proper operation and access to your instance. Review your environment carefully to determine more rules that might be needed. 
 
 > [!IMPORTANT] 
 > Depending on your use of caching and other features, you may need to configure additional NSG rules beyond the minimum rules in the following table. For detailed settings, see [Virtual network configuration reference](../articles/api-management/virtual-network-reference.md#required-ports). 

articles/api-management/media/api-management-using-with-vnet/api-management-using-vnet-select.png

@@ -24,7 +24,7 @@ ms.custom: sfi-image-nochange
 ### Verify network status  
 
 * After deploying API Management into the subnet, use the portal to check the connectivity of your instance to dependencies, such as Azure Storage. 
-* In the portal, in the left-hand menu, under **Deployment and infrastructure**, select **Network** > **Network status**.
+* In the portal, in the sidebar menu, under **Deployment + infrastructure**, select **Network** > **Network status**.
 
   :::image type="content" source="../articles/api-management/media/api-management-using-with-vnet/verify-network-connectivity-status.png" alt-text="Screenshot of verify network connectivity status in the portal." lightbox="../articles/api-management/media/api-management-using-with-vnet/verify-network-connectivity-status.png":::