I have a simple Service Fabric Mesh application with two microservices. When I deploy it I get public IP and I can access services.
What I would like is to wrap that Mesh application with Azure API management and restrict access to Mesh application. In other words, I would like to be able to use microservices only through API and disable direct access to them.
One idea is to put Mesh application and API into Virtual Network and add Application Gateway that will be visible public.
But I do not know how to put Mesh application into VNet.
AFAIK, you can't.
According to the docs, the ingress is designed to forward traffic from one network to another.
The current gateway only accept "open network(internet)" as source network(ingress).
In the future, it will accept calls from networks owned by you or within the cluster, where you can host your application gateway and forward the calls to the gateway, but is not something available at moment.