I want to restrict access to my Azure Container App with an Api Management in Azure.
I successfully linked the Api Management with the Container App and I have activated a Subscription with an Api Key that will prevent public access over the Api Management Service Url. The problem, however, is that the Container App can still be accessed over the public Url of the Container App.
There is still the option to set the Ingress Traffic in the Container App to Limited to Container Apps Environment but then the Api Management will not have access to the Container App as well.
What is the correct way to properly secure the Container App behind an Api Management Service?
For Azure Container Instances, you don't have the option to configure IP restrictions similar to Azure App Services. Instead you will have to first create a virtual network and configure a Network Security Group to Deny all traffic from the internet and allow only from APIM, and then deploy your Azure Container Instance to this virtual network.
See here for deploying an azure container instance to a virtual network : https://learn.microsoft.com/en-us/azure/container-instances/container-instances-vnet
For configuring network security groups in your virtual network see : https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules
You app service is still accessible over the public internet because you haven't configured Access Restrictions in your App Service's Network.
What you need to do is go to your App service. Then select Networking from the left menu and Turn on Access Restrictions for inbound traffic.
Create an access restriction rule to deny from the internet.
Next create a second acccess rule to allow access from the APIM. Ensure the priority on this one is higher.
Read the Microsoft Docs on how to set app service IP restrictions here : https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
Assuming your API management service has a static IP (not a consumption plan), you would need to use you own VNET:
Networking architecture in Azure Container Apps
Then using NSG, you could add an inbound rule to only allow traffic from the APIM service IP on HTTPS (TCP 443).
Azure container apps do now seem to have the ability to restrict inbound ip addresses
https://azure.microsoft.com/en-gb/updates/public-preview-inbound-ip-restrictions-support-in-azure-container-apps/
We have are looking at a similar architecture with a similar dilemma. Everything we have is secured with Azure b2c but if I want to make an internal container/microservice accessible to Azure Api Management I think I'd have to drop b2c (api management has no UI to log into b2c) and make it publicly accessible via the Ingress. If the inbound ip addresses are restricted to api management maybe that is ok. It does worry me that ip addresses can be spoofed although you'd hope Microsoft have thought of that.
Another alternative which I've not investigated but which does work for Azure functions is managed identities. This might not work at all with container apps though
https://www.svenmalvik.com/azure-apim-function-msi/
First, I think that it is good to explain networking architecture in Azure Container Apps.
Azure Container Apps run in the context of an environment, which is supported by a virtual network (VNET). When you create an environment, you can provide a custom VNET, otherwise a VNET is automatically generated for you.
There are two ways to deploy Container Apps environments:
External - Container Apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address.
Internal - When set to internal, the environment has no public endpoint. Internal environments are deployed with a virtual IP (VIP) mapped to an internal IP address. The internal endpoint is an Azure internal load balancer (ILB) and IP addresses are issued from the custom VNET's list of private IP addresses.
I attach the image from Azure portal to show above two options:
Now going further, if you want your container app to restrict all outside access, create an internal Container Apps environment.
Now when it comes to deployment of the Container Apps to the Container Apps Environment, accessibility level you selected for the environment will impact the available ingress options for your container app deployments.
If you are deploying to an external environment, you have two options for configuring ingress traffic to your container app:
Limited to Container Apps Environment - to allow only traffic from other container apps deployed within the shared Container Apps environment.
Accepting traffic from anywhere - to allow the application to be accessible from the public internet.
If you are deploying to an internal environment, you also have two options for configuring ingress traffic to your container app:
Limited to Container Apps Environment - to allow only traffic from other container apps deployed within the shared Container Apps environment.
Limited to vNET (Virtual Network) - to allow traffic from the VNET to make container app to be accessible from other Azure resources or applications within the virtual network or connected to the virtual network through Peering or some type of VPN connectivity
Now in you case, what you are looking for is the architecture where you enable access to Azure Container Apps only through the Azure API Management. In this case you have to deploy Azure Container Apps Environment with Internal mode and set ingress traffic to Limited to VNet (Virtual Network).
I assume that Azure API Management can be accessible from the Internet. In this case you have to deploy Azure API Management inside an Azure Virtual Network. There are two possible modes: internal, and external. In you scenario, you can use external mode. More details can be found here. When API Management instance in the external mode, the developer portal, API gateway, and other API Management endpoints are accessible from the public internet, and backend services are located in the Azure Virtual Network.
Here I also attach the solution architecture to show how all these components are connected together. I also have Azure Front Door here but API Management is deployed with external mode. Please remember that you will also need private DNS Zone for your Azure Container Apps Environment domain, to make it possible to refer to specific APIs from the Azure API Management using URLs, example:
https://ca-tmf-mip-vc-api--v-01.blacklacier-cf61414b.westeurope.azurecontainerapps.io
Helpful links:
Repo with Bicep files to deploy Azure Container App with internal mode
Azure Container Apps Virtual Network Integration
Related
To clarify what I'm not asking about, there's alot of documentation about using endpoints to expose apps in a App Service Plan to a vnet, which is useful for private communication between vnet hosted VMs or other resources outside the app service plan.
What I'm asking about is specifically communication between two apps inside the same app service plan. So if we had PlanA, and AppB and AppC both deployed to that plan, then if PlanA scales to two instances, each instance would have both AppB and AppC inside it. Very similar to an IIS farm hosting multiple applications.
If I want to disable public access for AppC, but still allow AppB to call AppC(imagine if AppC is a API service and AppB is a front end web app), is that possible? How would you resolve that call if the AppC doesn't have a public IP? Would the domain appC.azurewebsites.net resolve to a privateIP that AppB can access?
The fact that two app services run in one app service plan means only that these app services can share the same set of computing resources (CPU, memory, etc.) and it does provide any network isolation or private IP addresses within an app service plan.
If you want to keep the existing setup and restrict access to AppC, you can whitelist IP addresses of AppB as follows:
Go to the AppB in Azure Portal, click Properties and copy the list of Outbound IP addresses.
Go to the AppC, click Networking -> Access Restrictions and deny access to everything apart from the outbound IP addresses you copied in step 1.
The domain appC.azurewebsites.net will still have a public IP address but Azure will only allow accessing it from the IP addresses you configured and return 403 error to any other client.
However, if you want to have a truly private endpoint and more granular control over routing configuration, then consider integrating your app services with Azure virtual network as described here. Virtual networks are not limited to VMs, they can be used for app services too.
I have a configuration in Azure with a Virtual Network and 2 subnets.
In 1 subnet I have an App Service Environment v3 + App Service Plan + Logic App Standard. I have a workflow with an HTTP Trigger.
In the other subnet, I have an API Management instance, and I need to expose my Http triggered workflow as an API in APIM.
The DNS of the Virtual Network is hosted internally (on-premises) and not managed by Azure. There is no conditional forwarding setup for the moment.
Because of this, the URL of the workflow is something like ..appserviceenvironment.net/.
The DNS name cannot be resolved and I want to know what is the solution I can put in place to make it work? Do I need to create a private DNS zone for the ".appserviceenvironment.net" and add manually the private IP of the app service environment?
• I would suggest you to please refer to the github link below for more information and step by step details regarding the connectivity to a virtual network in an internal mode using the Azure API management: -
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/api-management/api-management-using-with-internal-vnet.md
It states that API gateway, developer portal, direct management and Git are the only endpoints that are accessible from the virtual network that is configured in the internal mode for API Management instance. Also, the service endpoints will remain inaccessible until you configure DNS for your virtual networks.
Also, using API Management in internal mode will expose your cloud-based APIs and on-premises APIs through a common gateway in hybrid cloud scenarios. And to configure the common gateway, you will have to provision a private DNS zone and link it into your virtual network through a hostname which is configured on the service endpoints, one of which when using the private DNS zone is the API gateway with which you want to have a workflow with an HTTP trigger.
Please go through the link below for configuring the routing details related to API Management Instance in the virtual network: -
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/api-management/api-management-using-with-internal-vnet.md#routing
vnet is connected to my Web App through which I can communicate with other services and applications. When I specify the internal IP of another application to my application, everything works fine. But now the task has come from the management to remake it to use the internal DNS server and internal DNS names. In Azure vnet, in the DNS servers settings, I specified the IP of my DNS servers. I added 168.63.129.16 - now work. If you connect Windows VM to the network everything works fine. Perhaps something needs to be added to the Dockerfile or Linux Container Web App settings so that integration with vnet and DNS works.
If your web application is integrated with the virtual network, your application would be able to communicate with the applications in the virtual network
After integrating your web application with the virtual network, you need to perform sync network action
Go to Azure portal --> Go to your App Service plan where the web app is hosted --> Under Networking, select Virtual Network Integration --> select Sync Network
Once the sync action is complete, you would be able to communicate with your internal application using the DNS name from your web application
Reference: Name resolution for resources in Azure virtual networks | Microsoft Docs
I have my APIs hosted on a azure windows virtual machine. I want that these APIs should be privately consumed by API management. If I make VM and APIM in same VNET and configure APIM as internal then my APIs exposed by APIM will not be accessed by public web app and If I make my APIM external then my developer portal will be publically accessible, which I dont want.
Is there any policy or outbound/inbound rule that can be configured so that APIs from VM, and APIM developer portal is not publically accessible?
From the document, if you select internal option in the virtual network of API Management services,
the API Management gateway and developer portal are accessible only
from within the virtual network via an internal load balancer. The
gateway can access resources within the virtual network.
In this case, you can deploy your APIM into a vNet following the common network configurations---dns and NSG rules. The API hosted VM should be able to resolve the develop portal with a private IP address.
I have azure app service which runs .net core web api. This api access several external API s to get data and those external services has to whitelist the outbound ip addresses of my app service.
Azure app service has several outbound ip addresses and it can be change when upgrade/downgrade app service or when make internal changes like changing app service plan or resource group.
Is there any solution in azure to setup this app service behind a forward proxy ?, so i can share the IP of the forward proxy to external parties.
I think the best way would be to add all App services under a virtual network and create a Virtual Network Gateway to all outbound connections.
This would potentially need below azure services to be created:
- Virtual network
- Subnet
- Virtual Network gateway
- Routing tables (to route traffic via Gateway)
A better way would be sharing a domain name rather than IP address. Here's how to configure it directly in the Azure Portal:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain
You can also add an API Management in front of your web app and use it as API gateway and also apply policies on it.
https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain