Hi Mohsenhs, I wouldn’t get too hung up on whether a service is classed as an integration service or shared-service. I see these as just useful ‘tags’ to group Azure services into a common heading. Ultimately, put them where works best for you. Logic Apps and APIM are unlikely to share similar network design requirements, but yet they are both classed as ‘integration services’.
Ultimately anything is valid, just deploy in a way that works for you. There are actually several CAF reference architectures that show the AppGW in the hub (cloud adoption framework hub-and-spoke network topology) and as above, APIM in the hub makes an awful lot of sense for many organisations.
Ultimately, my main concern wasn’t cost, although that is valid as there are other costs in addition to data transfer (each deployed instance has a cost). But my main thought was around management and admin overhead. If your net-sec team are responsible for all WAFs and all ingress/egress then deploying in a hub does fit well with this centralised operating model.
If the operating model is de-centralised, and each app team is responsible for their own networking & security, then spoke deployments could work too.
Other services like APIM are more complicated. First, it’s expensive. Second, APIM can very easily be shared across an entire business (not always of course) because it scales very well and because of the costs. Plus the benefits it provides when developers make use of the Developer Portal mean it works well as a shared service. APIM likely has much wider use beyond a single project or application. In which case, would a spoke be the best place for it? While it’s convenient for Microsoft to refer to the Hub as for ‘shared-services’, the definition of what a shared-service actually is should really be up to each organisation to determine.
So bottom line, any deployment is likely fine. Just gather the requirements, document any constraints and limitations and justify the decision.