Summary
Requesting the addition of an APIM deployment template (deploy-apim.bicep) to the network-secured agent setup (template 16) that creates an Azure API Management Developer SKU with internal VNet injection in a separate VNet, with bidirectional peering to the existing Agent VNet.
Problem
The current template (16-private-network-standard-agent-apim-setup-preview) supports passing in an existing APIM resource ID via the apiManagementResourceId parameter, but does not provide a template to create the APIM instance itself. Users who need APIM with VNet injection must manually provision it, which is complex and error-prone.
Proposed Solution
Add a deploy-apim.bicep template that creates:
- A separate VNet (10.0.0.0/16 by default) with an NSG containing required APIM management rules
- An APIM Developer SKU instance with internal VNet injection
- Bidirectional VNet peering between the APIM VNet and the Agent VNet
- A supporting module (agent-to-apim-peering.bicep) for cross-scope peering
Deployment Flow
- Deploy the agent environment first using main.bicep
- Deploy APIM using deploy-apim.bicep
- Retrieve the APIM resource ID from deployment outputs
- Redeploy main.bicep with the apiManagementResourceId parameter to create the APIM private endpoint and DNS zone
Parameters for deploy-apim.bicep
| Parameter | Description | Default |
|---|---|---|
| location | Azure region | Resource group location |
| apimName | Name prefix for the APIM instance | apim-agent |
| publisherEmail | Publisher email (required by APIM) | admin@contoso.com |
| publisherName | Publisher organization name | Contoso |
| apimVnetName | Name of the APIM VNet | apim-vnet |
| apimVnetAddressPrefix | Address space for the APIM VNet | 10.0.0.0/16 |
| apimSubnetName | Name of the APIM subnet | apim-subnet |
| apimSubnetAddressPrefix | Address prefix for the APIM subnet | 10.0.0.0/24 |
| agentVnetResourceGroup | Resource group of the existing Agent VNet | Same as deployment RG |
| agentVnetName | Name of the existing Agent VNet to peer with | agent-vnet-test |
Additional Context
A working implementation was tested and validated against an eastus2 deployment. See closed PR #605 for the reference implementation.
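
A pre-deployment check for the address plan in the parameter table above, as an added example that is not part of the original issue or the repository's templates: Azure VNet peering requires non-overlapping address spaces, so the default 10.0.0.0/16 APIM VNet must not collide with the Agent VNet. The helper names and the Agent VNet prefixes are assumptions constructed for illustration.

```python
import ipaddress


def _parse(label, prefix, problems):
    """Parse a CIDR strictly; record a problem and return None if invalid."""
    try:
        return ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        problems.append(f"{label} {prefix!r} is not a valid CIDR block: {exc}")
        return None


def check_peering_plan(apim_vnet_prefix, apim_subnet_prefix, agent_vnet_prefixes):
    """Return a list of problems; an empty list means the plan can be peered.

    Hypothetical helper: the arguments mirror apimVnetAddressPrefix and
    apimSubnetAddressPrefix, plus the Agent VNet's address space, which the
    operator has to look up (it is not a deploy-apim.bicep parameter).
    """
    problems = []
    apim_vnet = _parse("apimVnetAddressPrefix", apim_vnet_prefix, problems)
    apim_subnet = _parse("apimSubnetAddressPrefix", apim_subnet_prefix, problems)

    # The APIM subnet has to sit inside the APIM VNet's address space.
    if apim_vnet is not None and apim_subnet is not None:
        same_family = apim_vnet.version == apim_subnet.version
        if not (same_family and apim_subnet.subnet_of(apim_vnet)):
            problems.append(f"subnet {apim_subnet} is outside VNet {apim_vnet}")

    # Peering is refused when the two VNets' address spaces overlap.
    for prefix in agent_vnet_prefixes:
        agent = _parse("Agent VNet prefix", prefix, problems)
        if apim_vnet is None or agent is None:
            continue
        if agent.version == apim_vnet.version and agent.overlaps(apim_vnet):
            problems.append(f"Agent VNet {agent} overlaps APIM VNet {apim_vnet}")
    return problems


if __name__ == "__main__":
    # Constructed Agent VNet address spaces; the APIM values are the defaults.
    for agent_space in (["192.168.0.0/16"], ["10.0.128.0/17"]):
        found = check_peering_plan("10.0.0.0/16", "10.0.0.0/24", agent_space)
        print(agent_space, "->", found or "OK")
```

Running it before step 2 of the deployment flow catches an overlapping Agent VNet before the peering resources are attempted.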