Summary
Requesting the addition of an APIM deployment template (deploy-apim.bicep) to the network-secured agent setup (template 16) that creates an Azure API Management Developer SKU with internal VNet injection in a separate VNet, with bidirectional peering to the existing Agent VNet.
Problem
The current template (16-private-network-standard-agent-apim-setup-preview) supports passing in an existing APIM resource ID via the apiManagementResourceId parameter, but does not provide a template to create the APIM instance itself. Users who need APIM with VNet injection must manually provision it, which is complex and error-prone.
Proposed Solution
Add a deploy-apim.bicep template that creates:
- A separate VNet (10.0.0.0/16 by default) with an NSG containing required APIM management rules
- An APIM Developer SKU instance with internal VNet injection
- Bidirectional VNet peering between the APIM VNet and the Agent VNet
- A supporting module (agent-to-apim-peering.bicep) for cross-scope peering
Deployment Flow
- Deploy the agent environment first using main.bicep
- Deploy APIM using deploy-apim.bicep
- Retrieve the APIM resource ID from deployment outputs
- Redeploy main.bicep with the apiManagementResourceId parameter to create the APIM private endpoint and DNS zone
Parameters for deploy-apim.bicep
| Parameter |
Description |
Default |
| location |
Azure region |
Resource group location |
| apimName |
Name prefix for the APIM instance |
apim-agent |
| publisherEmail |
Publisher email (required by APIM) |
admin@contoso.com |
| publisherName |
Publisher organization name |
Contoso |
| apimVnetName |
Name of the APIM VNet |
apim-vnet |
| apimVnetAddressPrefix |
Address space for the APIM VNet |
10.0.0.0/16 |
| apimSubnetName |
Name of the APIM subnet |
apim-subnet |
| apimSubnetAddressPrefix |
Address prefix for the APIM subnet |
10.0.0.0/24 |
| agentVnetResourceGroup |
Resource group of the existing Agent VNet |
Same as deployment RG |
| agentVnetName |
Name of the existing Agent VNet to peer with |
agent-vnet-test |
Additional Context
A working implementation was tested and validated against eastus2 deployment. See closed PR #605 for reference implementation.
Summary
Requesting the addition of an APIM deployment template (deploy-apim.bicep) to the network-secured agent setup (template 16) that creates an Azure API Management Developer SKU with internal VNet injection in a separate VNet, with bidirectional peering to the existing Agent VNet.
Problem
The current template (16-private-network-standard-agent-apim-setup-preview) supports passing in an existing APIM resource ID via the apiManagementResourceId parameter, but does not provide a template to create the APIM instance itself. Users who need APIM with VNet injection must manually provision it, which is complex and error-prone.
Proposed Solution
Add a deploy-apim.bicep template that creates:
Deployment Flow
Parameters for deploy-apim.bicep
Additional Context
A working implementation was tested and validated against eastus2 deployment. See closed PR #605 for reference implementation.