What's the best architectural decision to access internal API on Azure?

Hi Najam ul Saqib,It looks like do you have some question to understand That Cloud Diagram, so let me go to your question:

• Using the VPN to the subnet when you need to manually query the database or call an internal API. Itsn't a bad approach however I suggest to compare the amount of developers using this connection and the benefits of VPN gateway to be sure if reditable on cost terms besides the other benefitst such us security. (https://video2.skills-academy.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#why-use-vpn-gateway)
• About if there is a better way to connect to your environment keeping your environment secure, Your diagram show that more of the PaaS service is using private endpoints`and the communication is insolated on the vnet . That I can suggest it's to verify your NSG rules and created rules that only permit the communication to the specific ports for database and API calls. (https://video2.skills-academy.com/en-us/azure/virtual-network/manage-network-security-group?tabs=network-security-group-portal)

One additional suggestion that I can share if this VPN it's only for development purpose and it's a minimal quantity of developer It's possible to use an Azure VM and bastion to connect to your cloud environment and from that point start to query Database and call APIs. (https://video2.skills-academy.com/en-us/azure/bastion/tutorial-create-host-portal / https://video2.skills-academy.com/en-us/azure/virtual-machines/windows/quick-create-portal)

If the information helped address your question, please Accept the answer.

Luis