Entra App Proxy w/APIM

Eddie Vincent 245 Reputation points
2025-11-26T16:55:52.7533333+00:00

Hi,

Looking at the page here suggests you can integrate Application proxy (Entra) and APIM (Q&A suggests it is possible with APIM at the front end) https://learn.microsoft.com/en-us/answers/questions/1347567/azure-api-management-connect-to-an-azure-app-proxy

The ask from me is whether there is any technical guidance on how this can be achieved. Additionally, what if Azure Application Gateway is also used with APIM? Any technical guidance or best-practice setup from anyone who has had success with this would be great, as I am finding very little documentation to support this.

Thanks!

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

Answer accepted by question author
  1. Pravallika KV 2,845 Reputation points Microsoft External Staff Moderator
    2025-11-27T02:25:51.17+00:00

    Hi @Eddie Vincent ,

    Thanks for reaching out to Microsoft Q&A.

    Yes, you can integrate Microsoft Entra Application Proxy with Azure APIM, and you can also combine APIM with Azure Application Gateway for secure and flexible API exposure.

    Steps:

    • Deploy APIM in Internal VNET mode.
    • Deploy Application Gateway and add APIM to the backend pool.
    • Configure routing rules, health probes, and optional SSL/TLS termination or path-based routing in the Application Gateway.
    • Configure custom domains and DNS so the public App Gateway endpoint forwards traffic to APIM.

    In APIM, configure the backend service using the Entra App Proxy external URL for your internal API.

    Using this approach, internal APIs published through Entra App Proxy can be securely consumed via APIM, with the Application Gateway (WAF) providing the first security layer. This pattern is commonly used to protect internal services while enabling controlled external access.

    > So I assume then if you have App gateway and WAF at the front end forwarding to APIM you would then simply set the App Proxy (Entra) external URL as a backend service in APIM in this case?

    Yes, correct. You would configure the Entra Application Proxy external URL as the backend service in APIM. This way, when a request comes through the App Gateway + WAF at the front end, it gets routed to APIM, which then forwards the request to the Application Proxy's published URL.

    The Application Proxy will handle the connection to your on-premises applications, ensuring the traffic flow is secure and properly managed.

    This setup allows you to expose internal APIs securely through APIM, while the Application Gateway provides the first layer of security with WAF.

    Use API Management in a virtual network with Azure Application Gateway - Azure API Management | Microsoft Learn

    Hope it helps!


    If you have any other questions, let me know in the "comments" and I would be happy to help you.

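The layout described in the accepted answer can be checked after deployment. The following is an added example, not part of the original answer or of Microsoft's guidance: it verifies that the Application Gateway front end is public, that the APIM gateway resolves only to private addresses (Internal VNET mode), and that the APIM backend is an HTTPS App Proxy external URL. All host names, addresses and the `check_topology` helper are hypothetical, and the DNS data is constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# RFC 1918 ranges, tested explicitly: ipaddress.is_private also flags
# documentation ranges such as 203.0.113.0/24 used in the sample below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError for a host name
    return any(ip in net for net in RFC1918)

def resolve(host):
    """Live DNS lookup; run it from inside the VNET to see the internal view."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_topology(appgw_host, apim_host, apim_backend_url, lookup=resolve):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    appgw_ips = lookup(appgw_host)
    if not appgw_ips or any(is_rfc1918(a) for a in appgw_ips):
        findings.append(f"{appgw_host}: Application Gateway front end is not public")
    apim_ips = lookup(apim_host)
    if not apim_ips or not all(is_rfc1918(a) for a in apim_ips):
        findings.append(f"{apim_host}: APIM gateway has a non-private address")
    url = urlsplit(apim_backend_url)
    if url.scheme != "https" or not url.hostname:
        findings.append("APIM backend must be the https App Proxy external URL")
    else:
        try:
            if is_rfc1918(url.hostname):
                findings.append("APIM backend is a private IP, so App Proxy is bypassed")
        except ValueError:
            pass  # a host name, as expected for an App Proxy external URL
    return findings

# Constructed sample data: hypothetical names, documentation and private addresses.
SAMPLE_DNS = {
    "api.contoso.example": ["203.0.113.10"],
    "apim-internal.contoso.example": ["10.1.2.4"],
    "apim-exposed.contoso.example": ["203.0.113.77"],
}
GOOD = check_topology("api.contoso.example", "apim-internal.contoso.example",
                      "https://orders-contoso.msappproxy.net/", SAMPLE_DNS.__getitem__)
BAD = check_topology("api.contoso.example", "apim-exposed.contoso.example",
                     "http://10.1.9.9/orders", SAMPLE_DNS.__getitem__)
```

`GOOD` is empty for the intended layout; `BAD` reports an APIM gateway with a public address and a backend that is not an HTTPS URL.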
