API Management (APIM) - Internal VNet Integration - Developer Portal Connectivity

We have APIM deployed under the Developer Tier with Internal VNet integration. This will only be used for internal APIs across our Azure services and an ExpressRoute-connected data centre.

 

We have followed the guide for configuring APIM within the VNet, including the NSG. APIM is in a healthy state; however, we have a connectivity challenge. The solution accelerator denotes a management jump box, but other articles allude to connectivity subject to routes, NSGs, firewall config and DNS being in place. We have that in place; we're already able to connect to web services served in Azure from any on-premises or Azure service that needs to negotiate our firewall.

However, APIM appears to have a little more complexity. Please excuse the quickly crafted crude diagram. Despite inbound rule additions for the APIM subnet NSG, connectivity to the Developer Portal isn't possible from any device that has to traverse the firewall, whereas App Services in similarly configured subnets are accessible over port 443.

An AVD VM in the hub VNet which uses system routes and bypasses the firewall connects without issue.

 

We were wondering if anyone else has noted this issue and if there is a resolution without incorporating a jump box in that VNet or in a peered VNet?

 

APIMDevPortal.png
