APIM zone redundant changes

Eddie Vincent 245 Reputation points
2025-10-22T11:28:15.6666667+00:00

Scenario: Upgrading an older version of APIM (pre-2024) to add zone redundancy/resiliency.

  • Platform version stv2.1.
  • Premium SKU.
  • VNet injected APIM version.
  • Standard public IP address (pre-zone redundancy feature).
  • Internal VNet option: https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet
  • Deploying via code (not Azure portal) preferred.
  • APIM is within a supported region for this setup.
  • Wanting to change the public IP address to zone redundant and the "locations" section within APIM itself - units and availability zones section as can be seen below.


With the above points in mind I am looking for the best way of doing this, especially when taking into account the decoupled nature of the Public IP address and APIM instance (since the below is now apparently possible also).


Questions include:

  1. Is an APIM instance with the managed "no public IP" option (May 2024) only available for newly built APIM instances and not pre-existing?
  2. If no, then how would you upgrade to a managed option from a pre-existing APIM?
  3. If yes, what are the concerns about future-proofing the environment, were the non-managed/decoupled option ever to become EOL?

Appreciate any constructive responses, thanks!

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

Answer accepted by question author
  1. Pravallika KV 2,845 Reputation points Microsoft External Staff Moderator
    2025-10-22T13:42:40.98+00:00

    Hi Eddie Vincent,

    Thanks for reaching out to Microsoft Q&A.

    1. Pre-2024 APIM instances cannot directly switch to the fully managed “no public IP” option; it’s only available for new deployments.
    2. Zone redundancy requires adding multiple units and specifying availability zones in the locations section.
    3. Existing public IPs can be decoupled, but upgrading to a managed zone-redundant IP usually requires creating a new IP.
    4. Future-proofing favors using decoupled or managed IPs to simplify scaling and ensure resiliency.
    5. Migration to a new managed APIM instance is recommended for full AZ and managed IP benefits.
    6. Deployment via ARM/Bicep/Terraform allows code-driven updates of units, zones, and public IP assignments.

    Hope it helps!


    If you have any other questions, let me know in the "comments" and I would be happy to help you.

    1 person found this answer helpful.
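
The code-driven change described in points 2, 3 and 6 of the answer above, sketched in Bicep as an added example (not part of the original answer and not a Microsoft template). Resource names, parameter names, API versions and the unit count are assumptions.

```bicep
// Added example: names, API versions and defaults below are assumptions.
param location string = resourceGroup().location
param apimName string
param publisherEmail string
param publisherName string

@description('Resource ID of the subnet the APIM instance is injected into')
param subnetResourceId string

@description('Premium units; assumed here to be one unit per zone')
param unitCount int = 3

// Zones shared by the public IP and the APIM primary location
var availabilityZones = [
  '1'
  '2'
  '3'
]

// New Standard, static, zone-redundant public IP to replace the older one
resource zoneRedundantIp 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: '${apimName}-pip-zr'
  location: location
  sku: {
    name: 'Standard'
  }
  zones: availabilityZones
  properties: {
    publicIPAllocationMethod: 'Static'
    publicIPAddressVersion: 'IPv4'
  }
}

// Existing Premium, internal-VNet APIM instance updated in place
resource apim 'Microsoft.ApiManagement/service@2022-08-01' = {
  name: apimName
  location: location
  sku: {
    name: 'Premium'
    capacity: unitCount
  }
  zones: availabilityZones
  properties: {
    publisherEmail: publisherEmail
    publisherName: publisherName
    virtualNetworkType: 'Internal'
    virtualNetworkConfiguration: {
      subnetResourceId: subnetResourceId
    }
    publicIpAddressId: zoneRedundantIp.id
  }
}
```

Running `az deployment group what-if` against the resource group first shows which properties of the shared instance would change before anything is applied.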

3 additional answers

  1. Pravallika KV 2,845 Reputation points Microsoft External Staff Moderator
    2025-11-06T03:04:32.7533333+00:00

    Hi Eddie Vincent,

    You’re right. Since this is a VNET injected APIM instance that was migrated from stv1 to stv2, this behavior is consistent with stale internal load balancer references from the old subnet configuration.

    Moving the APIM instance back to its original subnet or a subnet with the same address range and NSG rules allows Azure to re-establish and clean up the underlying managed networking components that were created during the stv1 deployment.

    And you don’t have to rebuild the APIM instance. Re-attaching it to the original or equivalent subnet is typically enough to resolve this issue and clear the phantom load balancer or IP association.

    Once Azure completes the network re-application, you can verify the configuration and, if needed, move it back to your target subnet afterward.

    1 person found this answer helpful.

  2. Eddie Vincent 245 Reputation points
    2025-11-04T16:05:02.6133333+00:00

    @Pravallika KV

    One more question for you: are you aware why, when I try to disassociate the public IP address from APIM, it tells me to disassociate first from a load balancer which (as far as I can see) does not exist in my Azure tenant?

    On clicking the link for this phantom load balancer I am provided with an error of "The access token is from the wrong issuer" despite also being an Owner in RBAC for this subscription.

    Is this something legacy from the older version of APIM/Public IP, or baked in? Any thoughts would be appreciated.


  3. Eddie Vincent 245 Reputation points
    2025-11-05T17:09:44.61+00:00

    @Pravallika KV

    In this case it is not a public-facing APIM instance; rather, it is injected into a VNet/VNet-integrated.

    I would add though that historically it had been moved out of its original subnet to facilitate an upgrade from version 1 standard to version 2 standard APIM instance.

    But looking at the link here: https://learn.microsoft.com/en-us/previous-versions/azure/api-management/migrate-stv1-to-stv2-vnet?wt.mc_id=knwlserapi_inproduct_azportal&tabs=portal#migrate-a-vnet-injected-api-management-instance-hosted-on-the-stv1-platform-to-stv2

    There is a suggestion that adding it back to the original subnet (or a close equivalent, I would presume) may be an option. Any thoughts?

    Unfortunately, as per your previous comment "Delete the APIM instance using that IP.", if you mean completely flattening and rebuilding from scratch, this isn't an option as it is a shared service. If I've misunderstood your point, however, let me know. Thanks!

