A secure architecture that takes all traffic off the public Internet once it has traversed Azure Front Door. Everything behind Front Door is unreachable from the public Internet because Front Door reaches Azure API Management over Private Link rather than over a public hostname. Note that this only holds when public network access on the API Management instance is disabled; otherwise its public endpoint stays reachable alongside the private endpoint.
Diagram created with the Azure Draw.io MCP Server.
- Provide a secure pathway to API Management via Private Link from Front Door
- Maintain private networking by integrating API Management with a VNet so it reaches Azure Container Apps over private addresses. (This hop can also be done with Private Link instead.)
- Empower users to use Azure Container Apps, if desired
- Enable observability by sending telemetry to Azure Monitor
Adjust the user-defined parameters in this lab's Jupyter Notebook's Initialize notebook variables section.
The notebook also includes a SYSTEM CONFIGURATION flag named `use_strict_nsg`, which defaults to `False`.
We provide NSG deployment as an option for teams that want to experiment with subnet-level controls, but we intentionally keep it disabled by default. The goal of these samples is to stay approachable and focused on APIM scenarios rather than drifting into full Azure Landing Zone-style network governance complexity.
NSG behavior:
- nsg-default: generic fallback NSG for subnets that do not have a service-specific NSG. It stays intentionally generic.
- use_strict_nsg = False: service subnets get permissive, service-aware NSGs: nsg-apim and nsg-aca. These preserve the Azure platform requirements and avoid unnecessary ingress restrictions.
- use_strict_nsg = True: service subnets get strict NSGs: nsg-apim-strict and nsg-aca-strict. These keep the required platform rules but restrict ingress so traffic follows Front Door -> APIM -> ACA.
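To make the permissive-versus-strict distinction concrete, here is an added example (not the lab's own Bicep or notebook code) that models how Azure evaluates inbound NSG rules: ascending priority, first match wins, platform default rules at 65000 and above. The two rule sets, the service-tag labels and the sample flows are all constructed for this example; the rule names `AllowClientHttps`, `AllowFrontDoorHttps` and `DenyInternetHttps` are assumptions and not the names the lab's nsg-apim and nsg-apim-strict resources use. Both sets keep the documented APIM platform rules (TCP 3443 from the ApiManagement tag, TCP 6390 from the Azure load balancer); only the client-HTTPS ingress differs.

```python
"""Toy evaluator for Azure NSG inbound rules (added example, not lab code).

Models Azure's semantics: rules are evaluated in ascending priority order and
the first match decides; the platform's default rules (priority 65000+) apply
after any custom rules. The two rule sets below are CONSTRUCTED to contrast a
permissive service-aware NSG with a strict one.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union

ALLOW, DENY = "Allow", "Deny"
ANY = "*"

# Simplification: these labels stand in for service tags. In Azure the
# "Internet" tag also covers Azure-owned public ranges, so a rule allowing
# "Internet" admits Front Door and APIM management traffic as well.
PUBLIC_SOURCES = {"Internet", "AzureFrontDoor.Backend", "ApiManagement"}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                      # 100-4096 custom, 65000+ default
    access: str                        # ALLOW or DENY
    source: str                        # service-tag label or ANY
    ports: FrozenSet[Union[int, str]]  # destination ports, or {ANY}

    def matches(self, source: str, port: int) -> bool:
        src_ok = (self.source == ANY or self.source == source
                  or (self.source == "Internet" and source in PUBLIC_SOURCES))
        port_ok = ANY in self.ports or port in self.ports
        return src_ok and port_ok


def rule(name: str, priority: int, access: str, source: str, *ports) -> Rule:
    return Rule(name, priority, access, source, frozenset(ports or (ANY,)))


# Azure's implicit default inbound rules, present on every NSG.
DEFAULT_INBOUND: List[Rule] = [
    rule("AllowVnetInBound", 65000, ALLOW, "VirtualNetwork"),
    rule("AllowAzureLoadBalancerInBound", 65001, ALLOW, "AzureLoadBalancer"),
    rule("DenyAllInBound", 65500, DENY, ANY),
]

# Constructed "permissive" APIM subnet NSG: keeps the platform requirements
# and admits client HTTPS from anywhere.
NSG_APIM_PERMISSIVE: List[Rule] = [
    rule("AllowClientHttps", 100, ALLOW, "Internet", 443),
    rule("AllowApimManagement", 110, ALLOW, "ApiManagement", 3443),
    rule("AllowAzureLbHealth", 120, ALLOW, "AzureLoadBalancer", 6390),
]

# Constructed "strict" variant: same platform rules, but client HTTPS is only
# accepted from the AzureFrontDoor.Backend tag, and public HTTPS is denied
# explicitly ahead of the defaults so the path is Front Door -> APIM.
NSG_APIM_STRICT: List[Rule] = [
    rule("AllowFrontDoorHttps", 100, ALLOW, "AzureFrontDoor.Backend", 443),
    rule("AllowApimManagement", 110, ALLOW, "ApiManagement", 3443),
    rule("AllowAzureLbHealth", 120, ALLOW, "AzureLoadBalancer", 6390),
    rule("DenyInternetHttps", 200, DENY, "Internet", 443),
]


def evaluate(custom_rules: List[Rule], source: str, port: int) -> Tuple[str, str]:
    """Return (access, rule_name) for an inbound flow: first match by priority."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.matches(source, port):
            return r.access, r.name
    raise AssertionError("DenyAllInBound should always match")  # unreachable


def compare(flows):
    """Evaluate each (source, port) flow against both NSGs."""
    return {
        (src, port): {
            "permissive": evaluate(NSG_APIM_PERMISSIVE, src, port)[0],
            "strict": evaluate(NSG_APIM_STRICT, src, port)[0],
        }
        for src, port in flows
    }


if __name__ == "__main__":
    sample_flows = [  # constructed sample flows
        ("AzureFrontDoor.Backend", 443),
        ("Internet", 443),
        ("Internet", 3443),
        ("ApiManagement", 3443),
        ("VirtualNetwork", 443),
    ]
    for (src, port), verdict in compare(sample_flows).items():
        print(f"{src:>24}:{port:<5} permissive={verdict['permissive']:<6} "
              f"strict={verdict['strict']}")
```

The strict set is still only a network-layer control: the AzureFrontDoor.Backend service tag is shared by every Front Door tenant, so pair it with an APIM policy that validates the `X-Azure-FDID` header against your own Front Door profile ID before trusting a request.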
👟 Expected Run All runtime: ~13 minutes
- Execute this lab's Jupyter Notebook step-by-step or via Run All.