HomeAbout Me

Integrate Azure API Management (Internal Mode) with Azure Application Gateway

By Sri Gunnala
Published in Microsoft Azure
November 15, 2022
2 min read
Integrate Azure API Management (Internal Mode) with Azure Application Gateway

You can inject Azure API Management into a virtual network and configure it to be in internal mode, which makes it accessible only within a virtual network. If this virtual network is connected to an on-prem via express route or VPN, it can even reach on-premise APIs.

Application Gateway is another Azure PaaS resource that acts as a Layer 7 load balancer and it comes with Web Application Firewall capabilities.

Integrating these two will give an excellent outcome for many business cases. In this blog, we will see what is the business use case for this and will see how to integrate these two with a step-by-step process.



STEP 1: Configure API Management Internal Mode

As a first step, we need to configure API Management in Internal mode. I already made a youtube video on ‘A step-by-step guide to configuring API Management Internal Mode’. Follow the below video and set up Azure API Management Internal Model.

When the set-up is done, configure two APIs in APIM. These two APIs will be accessible only with Virtual Network.

USE CASE:

Say,

  • we are looking to expose a subset of these APIs to external consumers
  • we are looking to have a single API Management instance for internal and external consumers and make it act as a single front end for both on-premises and cloud APIs.
  • we need both internal and external consumers to go over the same WAF.

The application gateway does precisely this. By deploying the Application Gateway in front of API Management, we can have both internal and external consumers go through the same front end. All APIs are managed only from within your virtual network. Internal consumers can access all internal and external APIs. Traffic never goes out to the internet.

STEP 2: Configure Application Gateway

  1. Create an Application Gateway
    1. in the same VNET as APIM but in a new subnet.
      Azure Application Gateway Configuration
      Azure Application Gateway Configuration
    2. Configure both front ends. One for the public and the other for the Private.
      For private IP address choose an address space from the app gateway subnet.
      Azure Application Gateway Configuration - Frontend IP
      Azure Application Gateway Configuration - Frontend IP
    3. Configure the Backend pool with APIM domain
      Azure Application Gateway Configuration - Backend Pool
      Azure Application Gateway Configuration - Backend Pool
    4. Click on add and configure the rule to connect the front end to the backend pool. For now, we will create an External Rule only.
      Azure Application Gateway Configuration - Rules
      Azure Application Gateway Configuration - Rules
    5. Configure Listener and Backend targets
      Azure Application Gateway Configuration - Backend Target
      Azure Application Gateway Configuration - Backend Target
      Azure Application Gateway Configuration - Rules
      Azure Application Gateway Configuration - Rules
    6. Configure HttpSetting. Please note that ‘Use well known CA certificate’ is wrong. we will correct this later
      Azure Application Gateway Configuration - Http Setting
      Azure Application Gateway Configuration - Http Setting

  1. After creating the application gateway, if you look in the overview section, it complains saying the instance is unhealthy. Because we configured HttpSetting incorrectly. Let’s correct it. We need to choose the signing certification of APIM.
    Azure Application Gateway Configuration - Http Setting
    Azure Application Gateway Configuration - Http Setting

  1. After configuring HttpSetting correctly, backend health should look good.
    Azure Application Gateway Configuration - backend health
    Azure Application Gateway Configuration - backend health

  1. if you use the public IP address to reach your external API over the internet it should work
    Azure Application Gateway Configuration - Access External API
    Azure Application Gateway Configuration - Access External API

  1. Configure Listener for Internal API. Go to Application Gateway —> Listeners and click on Add listener.
    Azure Application Gateway Configuration - Listener
    Azure Application Gateway Configuration - Listener

  1. Create a rule to map the listener to the backend pool. Go to Rules and click on Add Routing Rule
    Azure Application Gateway Configuration - routing rule
    Azure Application Gateway Configuration - routing rule
    Use the same backend and httpseting as an external listener
    Azure Application Gateway Configuration - Backend targets
    Azure Application Gateway Configuration - Backend targets

  1. Now both internal and external rules have been configured.
    Azure Application Gateway Configuration - Rules
    Azure Application Gateway Configuration - Rules

  1. If you browse with Application Gateway private IP address, from VNET, it should reach the Internal APIs and this API is NOT accessible over the internet.
    Azure Application Gateway Configuration - Internal API access
    Azure Application Gateway Configuration - Internal API access

Tags

#Azure#AzureAPIManagement#AzureApplicationGateway
Previous Article
Integrate Azure API Management into Internal VNET | Azure API Management Internal Mode
Sri Gunnala

Sri Gunnala

Learner | Reader | Blogger | Azure Enthusiast

Topics

Front End
Microsoft Azure
Microsoft .NET

Newsletter

Sri Gunnala - Make sure to subscribe to newsletter and be the first to know the news.

Related Posts

Azure APIM Caching Policy | Cache-lookup Policy | HTTP GET | Non-Cache HTTP POST
September 21, 2024
2 min

Legal Stuff

Privacy NoticeCookie PolicyTerms Of Use

Social Media