11 Jul

Setup Azure Internal API Manager with Application Gateway without Custom Domains

Summary

Recently I was tasked with setting up an internal Azure API Manager and exposing it via a WAF Application Gateway. While there were plenty of articles online about this topic, none of them specifically addressed how to do it when you do not want to use a custom domain or purchased SSL certificates. This post walks through setting it all up in Azure using only the domains Azure issues at resource creation.

Resources

These are the resources in Azure we are going to be creating:

  • App Service/App Service Plan (for hosting the API for API Manager)
  • Network Security Group
  • API Manager
  • Application Gateway
  • Public IP Address (2)
  • Virtual Machine (the jump box to interact with the API Manager)
  • Virtual Network
    • Application Gateway Subnet
    • APIM Subnet
    • VM Jumpbox Subnet
    • App Service Subnet

Create the Network Security Group

  1. Navigate to Network Security Group
  2. Create a new Resource Group. This group will be used for the rest of the resources we create.
    • rg-contoso-api-dev-eastus
  3. Enter Name
    • nsg-contoso-api-dev-eastus
  4. Click Create
  5. Configure the inbound and outbound rules

Inbound Rules

Outbound Rules

NOTE: some of these rules may not apply to your given project and circumstances.

Creating the VNET

  1. Navigate to Virtual Networks
  2. Select the Resource Group created above
    • rg-contoso-api-dev-eastus
  3. Enter Name for the VNET
    • vnet-contoso-dev-eastus
  4. Select Region
    • East US
  5. Click the IP Addresses tab
    • Delete the default subnet
    • Add the following subnets
      • snet-contoso-gw-dev-eastus (10.0.1.0/24)
      • snet-contoso-pvt-vm-dev-eastus (10.0.2.0/24)
      • snet-contoso-pvt-apim-dev-eastus (10.0.3.0/24)
      • snet-contoso-pvt-asp-dev-eastus (10.0.4.0/24)
  6. Click Review + Create

Creating the Virtual Machine

  1. Navigate to Windows Server 2016
  2. Select the Resource Group created above
    • rg-contoso-api-dev-eastus
  3. Enter Virtual machine name
    • vm-contoso-api-jumpbox-dev-eastus
  4. Select Region
    • East US
  5. Select the size of the VM you want
    • Standard_B1ms
  6. Create a Username and Password
  7. Under Inbound port rules
    • Select Allow selected ports
    • Select RDP (3389) from the list

    Inbound port rules

  8. Click on the Disks Tab
    • For OS disk type select
      • Standard HDD
  9. Click on the Network Tab
    • Select the VNET (vnet-contoso-dev-eastus) from above
    • Select Subnet
      • snet-contoso-pvt-vm-dev-eastus
    • Create a new Public IP for the Virtual Machine
      • pubip-contoso-api-jumpbox-dev-eastus
      • Keep the rest of the defaults
    • Under NIC network security group
      • Click Advanced
      • Select Create New
      • vm-contoso-api-jumpbox-dev-eastus-nsg (this will be auto populated)

      Jumpbox NSG

  10. Keep the rest of the default settings
  11. Click Review + Create

NOTE: When the VM is create a new

Let's Configure the Subnets

Navigate to the new VNET resource (vnet-contoso-dev-eastus) and select Subnets

Configure snet-contoso-pvt-apim-dev-eastus

Subnets

  1. Select Subnet snet-contoso-pvt-apim-dev-eastus
  2. Under Network Security Group
    • Select nsg-contoso-api-dev-eastus
  3. Under Subnet delegation
    • Select Microsoft.ApiManagement/service

    Subnet Delegation

  4. Click Save

Configure snet-contoso-pvt-asp-dev-eastus

  1. Select Subnet snet-contoso-pvt-asp-dev-eastus
  2. Under Subnet delegation
    • Select Microsoft.Web/serverFarms

    Inbound port rules

  3. Click Save

Creating the API Manager

  1. Navigate to API Management
  2. Enter Name
    • api.contoso
  3. Select the Resource Group created above
    • rg-contoso-api-dev-eastus
  4. Select Location (Region)
    • East US
  5. Pricing Tier
    • Select Developer/Premium (internal VNET mode is only available in these tiers)
  6. Click Create
  7. Once created, let's join it to the VNET (vnet-contoso-dev-eastus)
    • Navigate to the new APIM resource
    • Locate Virtual Network

      Virtual Network

    • Select Internal
    • Select the Virtual Network created above
    • Select Subnet snet-contoso-pvt-apim-dev-eastus
    • Click Apply

Creating the App Service Plan

  1. Navigate to App Service Plan
  2. Select the Resource Group created above
    • rg-contoso-api-dev-eastus
  3. Enter the name
    • asp.contoso.api-dev-eastus
  4. Select the OS you require for your API
  5. Select the Region
    • East US
  6. Select your required pricing tier
  7. Click Review + Create
  8. Deploy your API to an App Service under the newly created ASP above
    • Add the App service to the VNET (vnet-contoso-dev-eastus)
    • Select subnet snet-contoso-pvt-asp-dev-eastus

Setting up the JumpBox

  1. Navigate to the API Manager resource created above
    • Select Overview
      • Copy the private Virtual IP (VIP) address. You will need it below
  2. Navigate to the Virtual Machine resource created above
  3. Select Connect under Settings
    VM Connect
  4. Select RDP and click Download RDP File
  5. Login to VM with the UserName and Password you created while setting up the VM above
  6. In Windows Explorer

    • Open folder C:\Windows\System32\drivers\etc\
    • Open the hosts file with notepad.exe
    • Add the following to the bottom of the file
    <APIM private IP> api.contoso.azure-api.net
    <APIM private IP> api.contoso.portal.azure-api.net
    <APIM private IP> api.contoso.developer.azure-api.net
    <APIM private IP> api.contoso.management.azure-api.net
    <APIM private IP> api.contoso.scm.azure-api.net
    
  7. Testing the connection

Setting up Application Gateway

  1. Navigate to Application Gateway
  2. Select the Resource Group created above
    • rg-contoso-api-dev-eastus
  3. Enter the gateway name
    • agw-contoso-api-dev-eastus
  4. Enter region
    • East US
  5. Select the tier based on your needs. If possible, choose a V2 SKU
  6. Under Configure Virtual Network
    • Select the VNET created above (vnet-contoso-dev-eastus)
    • Select the subnet
      • snet-contoso-gw-dev-eastus
  7. Click Frontends
    1. Select Public for address type
      Public IP Address Type
    2. Create a new public IP address
    • ip-contoso-gw-dev-eastus
  8. Click Backends
    1. Select Add a backend pool
      1. Enter name
        1. backend-asp-api-dev-eastus
      2. Add Target
        1. Target type: IP Address or FQDN
        2. Target: api.contoso.azure-api.net
  9. Click Configuration
    1. Select Add a routing rule
    • Enter Name
      • rule-https-backend-asp-api-dev-eastus
    • Under the Listeners Tab
      • Enter Listener Name
        • https-listener
      • Enter Frontend IP
        • Select the IP created from the earlier step
      • Protocol
        • Select HTTPS
      • Http Settings
        1. Let's get the certificate we need. For this we can use a self-signed certificate to secure the incoming requests
        • Open a PowerShell prompt and run the following. The thumbprint printed by New-SelfSignedCertificate goes in place of <COPY FROM OUTPUT ABOVE>. The password variable is named $pfxPwd rather than $pwd because $PWD is a read-only automatic variable in PowerShell and cannot be assigned.

          # create the listener certificate in the local machine store
          New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName api.contoso.com
          # password that protects the exported PFX (quoted so the trailing $ is taken literally)
          $pfxPwd = ConvertTo-SecureString -String 'Password$' -Force -AsPlainText
          # export certificate and private key as a PFX for upload to the listener
          Export-PfxCertificate -Cert cert:\LocalMachine\My\<COPY FROM OUTPUT ABOVE> -FilePath c:\api-contoso-gw-cert.pfx -Password $pfxPwd
        1. Upload the created certificate
        2. Enter a cert name
        • self-cert-contoso-api-gw
          1. Enter the password used in PowerShell
          2. Click Add
      • Under the Backend targets
        • Select Target type Backend pool
        • Select the backend pool created above
        • Select Add new for Http setting
          • Enter HTTP setting name
          • apim-contoso-https-dev-eastus
          • Backend protocol
          • HTTPS
          • Use well known CA certificate
          • NO
          • Getting the .cer to upload
          1. Remote into the Jumpbox
          2. Open the browser and navigate to
          • https://api.contoso.portal.azure-api.net/
          • Click on the secure connection icon in the browser. Select Certificate
            Certificate
          • Click details tab and Copy to File
            Certificate Details

            • In the export wizard, the exported file format should be Base-64 encoded X.509 (.CER)
            • Enter a file name
              • api-contoso-dev-eastus.cer
            • Copy this file from the Jumpbox to the machine where you are creating the Application Gateway above
              • Override with new host name
              • YES
              • Host name override
              • Override with specific domain name
              • api.contoso.azure-api.net
              • Click Add
                Add HTTP Setting
        • Click Add
        1. Click Review + Create
        2. Configuring the Custom health probe
        • Go to the Application Gateway resource created above (agw-contoso-api-dev-eastus)
      • Select Health probes
        Health probes
      • A custom probe should have been created, but it needs some tweaking to get it to validate against API Manager
      • Host
        • api-contoso.azure-api.net
      • Pick host name from backend HTTP settings
        • No
      • Path
        • /status-0123456789abcdef
        • This is the static health check endpoint APIM exposes on any instance
      • Use probe matching conditions
        • Yes
      • Http status code match
        • 200-399
          Health probe settings
        1. Verify that the Application Gateway and backend pool can connect
        • Select Backend health
          Backend Health
      • If everything checks out and is configured correctly, you should get a healthy status
        Healthy Status
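As an added example (not part of the original post), the following Python script reproduces from the jumpbox what the backend HTTP setting and the health probe above do: it connects to the APIM private IP with the overridden host name as SNI, keeps the leaf certificate as a Base-64 .cer, sends the probe request to the static health endpoint and checks the status against the 200-399 match range. The private IP is a placeholder; the host and path are the values from the steps above.

```python
import socket
import ssl

# Constructed values for this example. The private IP is a placeholder: use the
# one shown on the APIM Overview blade. Host and path are those from the probe.
APIM_PRIVATE_IP = "10.0.3.5"
PROBE_HOST = "api.contoso.azure-api.net"
PROBE_PATH = "/status-0123456789abcdef"

def parse_status_match(spec):
    """Expand an App Gateway match string ('200-399', '200,204') into a set of codes."""
    codes = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        codes.update(range(int(lo), int(hi or lo) + 1))
    return codes

def build_probe_request(host, path):
    """Minimal HTTP/1.1 probe; the Host header is what 'host name override' sets."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()

def parse_status_code(response):
    """Return the numeric status from a raw HTTP response, or raise ValueError."""
    line = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    version, _, rest = line.partition(" ")
    if not version.startswith("HTTP/") or not rest[:3].isdigit():
        raise ValueError(f"not an HTTP status line: {line!r}")
    return int(rest[:3])

def probe_backend(ip, host, path, match="200-399", port=443, timeout=10):
    """Connect to the APIM private IP with SNI=host (as the gateway does), keep the
    leaf certificate as PEM, send the probe and judge the status like the probe does.
    The default context validates the cert against the system CA store and host name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            pem = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
            tls.sendall(build_probe_request(host, path))
            chunks = []
            while chunk := tls.recv(4096):
                chunks.append(chunk)
    code = parse_status_code(b"".join(chunks))
    return {"status": code, "healthy": code in parse_status_match(match), "leaf_pem": pem}

if __name__ == "__main__":
    result = probe_backend(APIM_PRIVATE_IP, PROBE_HOST, PROBE_PATH)
    print(result["status"], "healthy" if result["healthy"] else "UNHEALTHY")
    with open("api-contoso-dev-eastus.cer", "w") as f:  # same file name as the post
        f.write(result["leaf_pem"])  # Base-64 X.509, the format the wizard exports
```

The script saves the leaf certificate, which is what the browser export above gives you; for the v2 SKU the Microsoft article on backend certificates linked in the Resources section describes exporting the trusted root of that chain instead.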

Testing An API Call

To test that everything is connected, run the following cURL command. The --insecure flag is only there because the listener presents the self-signed certificate created above; drop it once the listener carries a certificate your client trusts.

curl --location --insecure --request GET 'https://<APPLICATION GATEWAY PUBLIC IP>/echo/resource?param1=sample' \
  --header 'Ocp-Apim-Subscription-Key: <YOUR APIM SUBSCRIPTION KEY>'

Final Thoughts

Hopefully this has helped get everything configured and up and running.

Resources

https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

https://techcommunity.microsoft.com/t5/azure-paas-developer-blog/integrating-api-management-with-app-gateway-v2/ba-p/1241650

https://docs.microsoft.com/en-us/azure/application-gateway/certificates-for-backend-authentication#export-trusted-root-certificate-for-v2-sku

https://azure.microsoft.com/en-us/updates/azure-application-gateway-standardv2-wafv2-skus-generally-available/

http://thewindowsupdate.com/2020/03/20/integrating-api-management-with-app-gateway/

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates#feedback

https://fabriciosanchez-en.azurewebsites.net/protecting-apis-with-api-management-and-application-gateway/