API Management virtual network object - azure-api-management

I am learning how to create an APIM instance using Powershell using the steps give here. https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway
Here at one point they talk about creating a API Management virtual network object.
What exactly is API Management virtual network object ?

AFAIK,
Within the Network, to access backend services - Azure APIM Instance should be deployed in an Azure Virtual Network.
So, you would be creating the Virtual Network, subnets in that created VNet, NSGs, NSG rules for the Application Gateway, etc.
When you attach the above details (VNet, SubNet Data) in an object to the APIM Instance/Service, it can be known as APIM Virtual Network Object.

Related

APIM and AKS integration

I am trying to integrate APIM(External) to the VNet where AKS is running. right now, I have created /29 CIDR subnet where AKS subnet is there and assigned to the APIM but APIM keep complaining that port 3443 is blocked. I have specifically added the rule to allow 3443 as mentioned in the troubleshooting steps https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet#-common-network-configuration-issues to NSG assigned to the subnet, but still it throws the error? can someone help me how to troubleshoot further?
NSG Rule for subnet -> Inbound
> priority- 102, Name - Port_3443, port - 3443, protocol - TCP, Source -
> ApiManagement, Destination - VirtualNetwork, Action - Allow
Update:
I have removed NSG from the subnet where APIM is, still its showing the same issue
From the document, you need to deploy the APIM instance in a dedicated subnet that does not contains other resources.
When deploying an Azure API Management instance to a Resource Manager
VNET, the service must be in a dedicated subnet that contains no other
resources except for Azure API Management instances. If an attempt is
made to deploy an Azure API Management instance to a Resource Manager
VNET subnet that contains other resources, the deployment will fail.
You could deploy an AKS in a different subnet in that VNet that APIM instance exists. If there is no NSG assigned, it means wide open to or from that VNet.
You can get more references at https://blog.baeke.info/2019/06/10/azure-api-management-and-azure-kubernetes-service/

Azure APIM VNET (Premium) usecases

After evaluating APIM different tiers, Standard tier seems to be the most suitable one for the workload I am dealing with. I prefer to have a VNet (which is only supported in the Premium version) to isolate and create a proper boundary. But the premium tier is very expensive.
In my setup, my APIM will interact with LogicApps, functions, and microservices deployed on docker in Azure. All these services sit in one VNet where external access is blocked. If I am not connecting to any on-prem service, do I need the VNet for my APIM? Most of the articles talk about premium version and VNet are connecting APIM with on-prem services.
Do we only need to have VNet for my APIM when we are connecting to on-prem services? What are the usecases when one must have APIM in a VNet? Any example would be really appreciated.
UPDATED:
there are a couple of objectives, only access APIs through APIM and use the express route to access on-prem APIs.
The only reason to put APIM into VNET is to make it able making a call to a service in that VNET or make it possible for a client to make a call to APIM, in both cases keeping traffic inside VNET. So it's really about why you want to keep your backend service or clients in VNET.
And isolating your backend APIs from everything but APIM is another scenario. Using VNET here is the strongest guarantee, but comes at a price. Another option is to have authorization (client certificates would work) between APIM and backend, but keep backend publicly available.

How to access Azure API Managment deployed in Vnet without using application Gateway? (For clients that exist outside the Vnet)

I have an API management instance that is integrated with a Vnet - the ability to access the API management instance is possible to internal consumers.
I would like certain public clients to also access this API management instance - the way described in the Azure documentation is to make use of Application Gateway:
see: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway
Is anyone aware of an alternate approach not implementing Application Gateway?
Use Function App with Vnet Integration:
https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-vnet
The function app exposes public endpoint and has ability to make internal call to Vnet.

How to access Developer Portal when Azure API Management is Internal?

How to access APIM developer portal from internet when APIM is kept internal?
I checked some Microsoft document but did not get it how to do it.
You can Integrate API Management in an internal VNET with Application Gateway.
Combining API Management provisioned in an internal VNET with the Application Gateway frontend enables the following scenarios:
Use the same API Management resource for consumption by both internal
consumers and external consumers.
Use a single API Management resource and have a subset of APIs
defined in API Management available for external consumers.
Provide a turn-key way to switch access to API Management from the
public Internet on and off.
Follow this link for more information : https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

Google cloud dataflow/functions using shared VPC

Currently I'm working on a project in GCP that uses several service projects attached to a single host project using multiple subnets for mapping different environments (classic environments development, stage and production), and I'm trying to run dataflow pipelines and cloud functions that need to connect to databases hosted on VMs in a different service project. So far I have set the service account running dataflow and cloud function with Network User role for the subnet that belongs to specific environment and in case of dataflow I'm specifying the subnetwork for the pipeline on the host project, but dataflow pipelines and cloud functions are not even able to resolve database VMs host names or connect directly using internal IP address. Does anybody know how to setup similar environment?
You can use a shared VPC, which will let your accessory projects connect to the VPC of the main project.
https://cloud.google.com/vpc/docs/shared-vpc
From there you can use VPC connectors to allow your cloud functions to access internal resources. You can see this option when configuring the cloud function and hitting "more".