I have an API management instance that is integrated with a Vnet - the ability to access the API management instance is possible to internal consumers.
I would like certain public clients to also access this API management instance - the way described in the Azure documentation is to make use of Application Gateway:
see: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway
Is anyone aware of an alternate approach not implementing Application Gateway?
Use Function App with Vnet Integration:
https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-vnet
The function app exposes public endpoint and has ability to make internal call to Vnet.
Related
How to call the secured API management linked APIs configured in azure portal when developing locally using SWA CLI? All I observed in the SWA configuration is meant for functions as APIs not the APIM.
https://learn.microsoft.com/en-us/azure/static-web-apps/apis-api-management
When adding API Management APIs to an azure static web app, an automatic proxy product is created on APIM securing access to the API for this app via /api prefix on the static web app domain. I did not see any mentions of how this works for local development to pass the user claims from SWA emulator to the API via that proxy?
I was trying to do this recently and I don't think it's possible. My solution was to add a proxy to my dev server (in my case vite) to proxy all requests to the /api route to the Api Management URL, setting the necessary subscription key header.
I am learning how to create an APIM instance using Powershell using the steps give here. https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway
Here at one point they talk about creating a API Management virtual network object.
What exactly is API Management virtual network object ?
AFAIK,
Within the Network, to access backend services - Azure APIM Instance should be deployed in an Azure Virtual Network.
So, you would be creating the Virtual Network, subnets in that created VNet, NSGs, NSG rules for the Application Gateway, etc.
When you attach the above details (VNet, SubNet Data) in an object to the APIM Instance/Service, it can be known as APIM Virtual Network Object.
After evaluating APIM different tiers, Standard tier seems to be the most suitable one for the workload I am dealing with. I prefer to have a VNet (which is only supported in the Premium version) to isolate and create a proper boundary. But the premium tier is very expensive.
In my setup, my APIM will interact with LogicApps, functions, and microservices deployed on docker in Azure. All these services sit in one VNet where external access is blocked. If I am not connecting to any on-prem service, do I need the VNet for my APIM? Most of the articles talk about premium version and VNet are connecting APIM with on-prem services.
Do we only need to have VNet for my APIM when we are connecting to on-prem services? What are the usecases when one must have APIM in a VNet? Any example would be really appreciated.
UPDATED:
there are a couple of objectives, only access APIs through APIM and use the express route to access on-prem APIs.
The only reason to put APIM into VNET is to make it able making a call to a service in that VNET or make it possible for a client to make a call to APIM, in both cases keeping traffic inside VNET. So it's really about why you want to keep your backend service or clients in VNET.
And isolating your backend APIs from everything but APIM is another scenario. Using VNET here is the strongest guarantee, but comes at a price. Another option is to have authorization (client certificates would work) between APIM and backend, but keep backend publicly available.
How to access APIM developer portal from internet when APIM is kept internal?
I checked some Microsoft document but did not get it how to do it.
You can Integrate API Management in an internal VNET with Application Gateway.
Combining API Management provisioned in an internal VNET with the Application Gateway frontend enables the following scenarios:
Use the same API Management resource for consumption by both internal
consumers and external consumers.
Use a single API Management resource and have a subset of APIs
defined in API Management available for external consumers.
Provide a turn-key way to switch access to API Management from the
public Internet on and off.
Follow this link for more information : https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway
I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.
I am planning to publish REST API Service with Azure API Management.
I am adding Azure AD authentication to the Azure API Management front. So, the API management front is secured. All the steps are is described here.
All good so far. Here is the question (or challange?) :
Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against the request calls other than the API Management Calls?
How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?
A link to a code sample or online documentation would be a great help.
Update
While there are some overlaps with the follwoing question:
How to prevent direct access to API hosted in Azure app service
... part of this question is still outstanding:
How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?
You can enable static IP restriction on your WebApp to only allow incoming traffic from the VIP of your APIM Service facing ( keep in mind in some specific scenarios , the VIP may change and will be required to update the whitelist again).
Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions