You can inject Azure API Management into a virtual network and configure it in internal mode,
which makes it accessible only from within that virtual network. If the virtual network is connected to an on-premises network via ExpressRoute or VPN,
it can even reach on-premises APIs.
Application Gateway is another Azure PaaS resource: a Layer 7 load balancer that comes with Web Application Firewall (WAF) capabilities.
Integrating the two gives an excellent outcome for many business cases. In this blog, we will look at the business use case for this
and then walk through the integration step by step.
As a first step, we need to configure API Management in internal mode. I already made a YouTube video,
'A step-by-step guide to configuring API Management Internal Mode'; follow that video to set up Azure API Management in internal mode.
When the set-up is done, configure two APIs in APIM. These two APIs will be accessible only from within the virtual network.
Now suppose the following requirements apply:
- We want to expose a subset of these APIs to external consumers.
- We want a single API Management instance for internal and external consumers, acting as a single front end for both on-premises and cloud APIs.
- We need both internal and external consumers to go through the same WAF.
Application Gateway does precisely this. By deploying the Application Gateway in front of API Management,
both internal and external consumers go through the same front end, and all APIs are managed only from within your virtual network.
Internal consumers can access all internal and external APIs, and their traffic never goes out to the internet.
Deploy the Application Gateway in the same VNET as APIM, but in a new subnet.
Azure Application Gateway Configuration
Configure both front ends: one public and one private. For the private IP address, choose an address from the Application Gateway subnet.
Azure Application Gateway Configuration - Frontend IP
Configure the backend pool with the APIM domain.
Azure Application Gateway Configuration - Backend Pool
Click Add and configure the rule that connects the front end to the backend pool. For now, we will create the external rule only.
Azure Application Gateway Configuration - Rules
Configure the HTTP setting. Note that ticking 'Use well known CA certificate' here is wrong; we will correct this later.
Azure Application Gateway Configuration - Http Setting
After the application gateway is created, the overview section complains that the instance is unhealthy, because we configured the HTTP setting incorrectly. Let's correct it.
Instead of a well-known CA, we need to choose the certificate that signed the APIM gateway certificate (uploaded to the gateway as a trusted root certificate).
Azure Application Gateway Configuration - Http Setting
After the HTTP setting is configured correctly, backend health should look good.
Azure Application Gateway Configuration - backend health
If you use the public IP address to reach your external API over the internet, it should work.
Azure Application Gateway Configuration - Access External API
Configure a listener for the internal API. Go to Application Gateway > Listeners and click Add listener.
Azure Application Gateway Configuration - Listener
Create a rule to map the listener to the backend pool. Go to Rules and click Add routing rule.
Azure Application Gateway Configuration - routing rule
Use the same backend pool and HTTP setting as for the external listener.
Azure Application Gateway Configuration - Backend targets
Now both internal and external rules have been configured.
Azure Application Gateway Configuration - Rules
If you browse to the Application Gateway's private IP address from within the VNET,
it should reach the internal API, and this API is NOT accessible over the internet.
Azure Application Gateway Configuration - Internal API access
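As an added example (not code from the original post), here is the gateway layout built above expressed as Bicep: a WAF_v2 gateway with a public and a private frontend, one backend pool pointing at the APIM gateway host name, one HTTPS setting that trusts the certificate which signed the APIM certificate (the fix for the unhealthy backend), a health probe against APIM's built-in status endpoint, and one listener plus basic rule per frontend. All resource names, host names, the private IP address and the subnet/public IP ids are assumptions; the APIM host name must resolve to the APIM private IP inside the VNET. The internal listener is placed on port 8443 because a v2 gateway cannot bind a public and a private listener to the same port.

```bicep
// Added example, not from the original post. Every name, host name and address is an assumption.
param location string = resourceGroup().location
param gatewayName string = 'apim-appgw'               // assumed gateway name
param gatewaySubnetId string                           // id of the new subnet in the APIM VNET
param publicIpId string                                // id of a Standard SKU public IP
param privateFrontendIp string = '10.0.2.10'           // assumed free address in the gateway subnet
param apimGatewayHost string = 'api.contoso.internal'  // assumed APIM gateway custom domain
param apimSigningCertBase64 string                     // base64 .cer of the CA that issued the APIM certificate
@secure()
param listenerPfxBase64 string                         // base64 .pfx presented to clients on both listeners
@secure()
param listenerPfxPassword string

// Sub-resource ids of the gateway, so listeners and rules can reference each other by name.
var gwId = resourceId('Microsoft.Network/applicationGateways', gatewayName)

// One WAF policy applied to every request on both frontends (the "same WAF" requirement).
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: '${gatewayName}-waf'
  location: location
  properties: {
    policySettings: { state: 'Enabled', mode: 'Prevention', requestBodyCheck: true }
    managedRules: { managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.2' } ] }
  }
}

resource appGw 'Microsoft.Network/applicationGateways@2023-05-01' = {
  name: gatewayName
  location: location
  properties: {
    sku: { name: 'WAF_v2', tier: 'WAF_v2' }
    autoscaleConfiguration: { minCapacity: 1, maxCapacity: 2 }
    firewallPolicy: { id: wafPolicy.id }
    gatewayIPConfigurations: [ { name: 'gwip', properties: { subnet: { id: gatewaySubnetId } } } ]
    // Two frontends: the public IP for external consumers, a static private IP for VNET consumers.
    frontendIPConfigurations: [
      { name: 'public', properties: { publicIPAddress: { id: publicIpId } } }
      { name: 'private', properties: { privateIPAllocationMethod: 'Static', privateIPAddress: privateFrontendIp, subnet: { id: gatewaySubnetId } } }
    ]
    // Separate ports: a v2 gateway cannot share one port between a public and a private listener (assumed 8443 internally).
    frontendPorts: [
      { name: 'https-public', properties: { port: 443 } }
      { name: 'https-private', properties: { port: 8443 } }
    ]
    sslCertificates: [ { name: 'listener-cert', properties: { data: listenerPfxBase64, password: listenerPfxPassword } } ]
    // The fix for the unhealthy backend: trust the CA that signed the APIM gateway certificate
    // instead of ticking "Use well known CA certificate".
    trustedRootCertificates: [ { name: 'apim-signing-ca', properties: { data: apimSigningCertBase64 } } ]
    // APIM exposes a built-in status endpoint; probing it keeps backend health meaningful.
    probes: [ { name: 'apim-status', properties: { protocol: 'Https', host: apimGatewayHost, path: '/status-0123456789abcdef', interval: 30, timeout: 30, unhealthyThreshold: 3, match: { statusCodes: [ '200-399' ] } } } ]
    // One pool: the APIM gateway host name, which must resolve to the APIM private IP inside the VNET.
    backendAddressPools: [ { name: 'apim', properties: { backendAddresses: [ { fqdn: apimGatewayHost } ] } } ]
    backendHttpSettingsCollection: [
      {
        name: 'apim-https'
        properties: {
          port: 443
          protocol: 'Https'
          cookieBasedAffinity: 'Disabled'
          requestTimeout: 30
          hostName: apimGatewayHost // APIM routes on the Host header, so set it explicitly toward the backend
          trustedRootCertificates: [ { id: '${gwId}/trustedRootCertificates/apim-signing-ca' } ]
          probe: { id: '${gwId}/probes/apim-status' }
        }
      }
    ]
    // One listener per frontend; both share the pool and HTTP setting, as in the steps above.
    httpListeners: [
      { name: 'external', properties: { protocol: 'Https', frontendIPConfiguration: { id: '${gwId}/frontendIPConfigurations/public' }, frontendPort: { id: '${gwId}/frontendPorts/https-public' }, sslCertificate: { id: '${gwId}/sslCertificates/listener-cert' } } }
      { name: 'internal', properties: { protocol: 'Https', frontendIPConfiguration: { id: '${gwId}/frontendIPConfigurations/private' }, frontendPort: { id: '${gwId}/frontendPorts/https-private' }, sslCertificate: { id: '${gwId}/sslCertificates/listener-cert' } } }
    ]
    requestRoutingRules: [
      { name: 'external-rule', properties: { ruleType: 'Basic', priority: 100, httpListener: { id: '${gwId}/httpListeners/external' }, backendAddressPool: { id: '${gwId}/backendAddressPools/apim' }, backendHttpSettings: { id: '${gwId}/backendHttpSettingsCollection/apim-https' } } }
      { name: 'internal-rule', properties: { ruleType: 'Basic', priority: 200, httpListener: { id: '${gwId}/httpListeners/internal' }, backendAddressPool: { id: '${gwId}/backendAddressPools/apim' }, backendHttpSettings: { id: '${gwId}/backendHttpSettingsCollection/apim-https' } } }
    ]
  }
}

// Handy for the final check from inside the VNET.
output privateFrontend string = privateFrontendIp
```

Deploy it with `az deployment group create --resource-group <rg> --template-file appgw.bicep --parameters gatewaySubnetId=<id> publicIpId=<id> apimSigningCertBase64=<base64>` and supply the two secure parameters at the prompt. Because both rules share the same pool and HTTP setting, the only thing that distinguishes an internal request from an external one is the listener it arrived on, so restrict what the external listener routes (for example with a path-based rule or a host name that only the public APIs answer to) and repeat the post's final check: the internal API must be reachable on the private frontend from the VNET and rejected when requested through the public IP.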