APIM Custom Domain child resource

[ems75]

Is your feature request related to a problem? Please describe.
As of right now, it's not possible to create an Azure APIM resource with custom domain retrieving the certificate from Azure Key Vault because bicep uses the same resource Microsoft.ApiManagement/service to create the system-managed identity and to configure the custom domain. Key Vault has the certificate used in the HostNameConfiguration section of Microsoft.ApiManagement/service resource (custom domain configuration), but KV RBAC policies require the APIM MSI which has not been created yet.
User-Assigned is out of scope as it does not work when you have KV Firewall enabled.

Describe the solution you'd like
The solution desired is the ability to have a child resource to configure APIM custom domain as Terraform has (https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_custom_domain)

[brwilkinson]

@ems75 which mode for APIM are you using?
https://learn.microsoft.com/en-us/azure/api-management/virtual-network-concepts?tabs=stv2

• external
• internal
• inbound private endpoint

If internal, are you using a NAT Gateway? Did you consider adding a Firewall rule in the Keyvault for the NAT Gateway Public IP address/es? This would then allow you to use a User Assigned Identity?

[ems75]

@brwilkinson

APIM accesses KeyVault for Custom Domain from its Control Plane, which is outside of the customers' VNET. It does not matter if APIM service is in a VNET or not. So, NAT Gateway will not make any difference.

The solution would be enabling the "Allow Trusted Microsoft Services to bypass this firewall" option in the Key Vault firewall. But for that, you cannot use a user-assigned identity, only system-assigned.

But we got this sorted out with another bicep file doing the redeploy.
The first file does not have any of the custom domain properties, but the second file does.
The first one deploys successfully, then we can use the system-assigned identity in the second one.
Thanks!

[brwilkinson]

If you are using zone redundant APIM gateways in VNET, then you BYO Public IP addresses for the APIM Service load balancer.

• These are the likely Egress points in that case.
  • I will test it out and then update the thread to confirm if this works for the Firewall rules.

[brwilkinson]

thanks @ems75 I will mark as closed.