Control APIM outbound internet traffic by routing it through a Network Virtual Appliance (NVA) — Azure Firewall — in a hub/spoke network topology.
⚙️ Supported infrastructures: appgw-apim, appgw-apim-pe
👟 Expected Run All runtime (excl. infrastructure prerequisite): ~15 minutes
⚠️ Cost notice: This sample deploys Azure Firewall (Standard SKU), which costs approximately $1.25–$1.50 per hour in addition to the underlying infrastructure cost. Remove the sample resources by deleting the resource group or re-deploying the infrastructure to reset the subnet when you are done.
- Understand how APIM outbound internet traffic can be forced through a Network Virtual Appliance (NVA).
- Deploy Azure Firewall as the NVA in a dedicated hub virtual network.
- Configure user-defined routes (UDRs) on the APIM subnet to route internet-bound traffic to the NVA.
- Define Azure Firewall application rules that selectively allow or deny outbound connections to specific internet hosts.
- Verify allowed and blocked internet traffic through APIM API calls.
Enterprise organisations typically deploy a centralised Network Virtual Appliance in a hub virtual network and require all internet-bound traffic to traverse it for security inspection, logging, and policy enforcement. APIM, when deployed in a spoke VNet, must route its outbound calls to internet-hosted backends through this NVA.
This sample demonstrates the hub/spoke pattern with:
- A hub VNet (`10.1.0.0/16`) hosting Azure Firewall as the NVA.
- A spoke VNet (the existing infrastructure VNet, `10.0.0.0/16`) hosting APIM.
- VNet peering connecting hub and spoke bidirectionally.
- A route table on the APIM subnet that redirects all internet traffic (`0.0.0.0/0`) to Azure Firewall, while keeping VNet-local traffic on its direct path.
- Azure Firewall application rules that permit HTTPS access to `api.weather.gov` and deny everything else.
Three APIM APIs demonstrate the routing behaviour:
| API | Backend | Expected result |
|---|---|---|
| `egress-weather` | `https://api.weather.gov` (HTTPS) | ✅ 200 — allowed by firewall |
| `egress-blocked-http` | `http://api.weather.gov` (HTTP/port 80) | ❌ 5xx — HTTP blocked by firewall |
| `egress-blocked-host` | `https://api.accuweather.com` (HTTPS) | ❌ 5xx — host not in allow list |
The sample deploys the following resources into the infrastructure resource group:
- Hub VNet (`10.1.0.0/16`) with an `AzureFirewallSubnet` (`10.1.0.0/26`).
- Azure Firewall (Standard SKU) with a Firewall Policy containing:
  - Application rules: allow HTTPS to `api.weather.gov`.
  - Network rules: allow APIM management-plane traffic to Azure Monitor, Storage, SQL, Azure Key Vault, and Microsoft Entra ID.
- VNet peerings between the hub and the infrastructure spoke VNet.
- Route table attached to the APIM subnet (`snet-apim`):
  - Route `0.0.0.0/0` → Azure Firewall private IP (internet traffic through NVA).
  - Route `10.0.0.0/16` → Virtual Network (VNet-local traffic bypasses the NVA).
- Three APIM APIs that proxy requests to internet backends to verify the firewall rules.
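The following is an added, offline model of the two decisions that produce the results in the API table above and the route table/firewall policy listed here; it is example code written for this README, not part of the sample's notebook or Bicep. It assumes a firewall private IP of `10.1.0.4` (the first usable address in `AzureFirewallSubnet`; not stated on the page) and uses constructed backend IPs in place of real DNS answers. Route selection uses Azure's longest-prefix-match rule, which is why the explicit `10.0.0.0/16` route keeps VNet-local traffic off the firewall even though `0.0.0.0/0` also covers it, and the application-rule check shows that a rule for `Https:443` does not match a port-80 request to the same FQDN.

```python
"""Offline model of the hub/spoke egress path in this sample (added example).

Reproduces two decisions made for an APIM-originated backend call:
1. Route selection on snet-apim: Azure picks the route with the longest
   matching prefix, so 10.0.0.0/16 -> VirtualNetwork wins over
   0.0.0.0/0 -> VirtualAppliance for VNet-local destinations.
2. Azure Firewall application-rule evaluation: a rule matches only when
   both the target FQDN and the protocol:port match; anything unmatched
   falls to the implicit deny, which APIM surfaces as a 5xx.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumed: first usable host in AzureFirewallSubnet 10.1.0.0/26 (not given on the page).
FIREWALL_PRIVATE_IP = "10.1.0.4"


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str              # "VirtualAppliance" | "VirtualNetwork"
    next_hop_ip: str | None = None  # only meaningful for VirtualAppliance


@dataclass(frozen=True)
class AppRule:
    name: str
    target_fqdns: tuple[str, ...]
    protocols: tuple[str, ...]      # Azure Firewall style, e.g. "Https:443"
    action: str = "Allow"


# Route table attached to snet-apim, as described in the README.
APIM_ROUTES = [
    Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_PRIVATE_IP),
    Route("10.0.0.0/16", "VirtualNetwork"),
]

# Firewall policy application rules: only HTTPS to api.weather.gov is allowed.
APP_RULES = [
    AppRule("allow-weather-gov", ("api.weather.gov",), ("Https:443",)),
]


def select_route(dest_ip: str, routes: list[Route]) -> Route:
    """Longest-prefix match across every route whose prefix contains dest_ip."""
    dest = ip_address(dest_ip)
    candidates = [r for r in routes if dest in ip_network(r.prefix)]
    if not candidates:
        raise LookupError(f"no route for {dest_ip}")
    return max(candidates, key=lambda r: ip_network(r.prefix).prefixlen)


def evaluate_app_rules(fqdn: str, scheme: str, port: int, rules: list[AppRule]) -> str:
    """First matching (fqdn, protocol:port) rule wins; no match is an implicit Deny."""
    proto = f"{scheme.capitalize()}:{port}"  # "https", 443 -> "Https:443"
    for rule in rules:
        if fqdn.lower() in rule.target_fqdns and proto in rule.protocols:
            return rule.action
    return "Deny"


def trace_egress(url: str, resolved_ip: str) -> dict:
    """Follow one backend call from the APIM subnet to its allow/deny verdict."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    route = select_route(resolved_ip, APIM_ROUTES)
    if route.next_hop_type != "VirtualAppliance":
        # VNet-local traffic never reaches the firewall.
        return {"next_hop": route.next_hop_type, "verdict": "bypass-nva"}
    verdict = evaluate_app_rules(parts.hostname, parts.scheme, port, APP_RULES)
    return {"next_hop": route.next_hop_ip, "verdict": verdict}


# Constructed backend IPs for the example; real resolution happens at the firewall.
SAMPLE_BACKENDS = {
    "egress-weather": ("https://api.weather.gov/", "23.1.2.3"),
    "egress-blocked-http": ("http://api.weather.gov/", "23.1.2.3"),
    "egress-blocked-host": ("https://api.accuweather.com/", "104.16.0.1"),
    "vnet-local": ("https://10.0.1.10/", "10.0.1.10"),  # hypothetical in-VNet backend
}


def run_sample() -> dict[str, str]:
    """Verdict per sample API; the first three mirror the README's results table."""
    return {name: trace_egress(url, ip)["verdict"] for name, (url, ip) in SAMPLE_BACKENDS.items()}


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:22} -> {verdict}")
```

Two things worth noticing when you compare this with the deployed policy: the `egress-blocked-http` case fails on the protocol, not the host, so adding `Http:80` to the rule would allow it; and the `vnet-local` case shows that a second, more specific route is what keeps spoke-internal traffic away from the firewall, so if you later widen the spoke address space you must widen that route as well.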
- Decide which of the Infrastructure Architectures you wish to use.
- If the infrastructure does not yet exist, navigate to the desired infrastructure folder and follow its README.md.
- If the infrastructure does exist, adjust the `user-defined parameters` in the Initialize notebook variables cell below.
- Adjust `apim_nsg_name` if your infrastructure was deployed with strict NSGs (`nsg-apim-strict`).
Supported VNet SKUs only: APIM must be deployed with a VNet-capable SKU. For `appgw-apim-pe` (Private Link, default), use `STANDARDV2` or `PREMIUMV2`. For `appgw-apim`, use `DEVELOPER` or `PREMIUM` (VNet injection) or `STANDARDV2` or `PREMIUMV2` (VNet integration). Basic, Standard, and BasicV2 are not supported.
Use the infrastructure's clean-up.ipynb notebook to remove all resources including Azure Firewall, the hub VNet, and the route table.