Why is the hostname not set/missing in the API Management Portal?
I checked the API settings and policies, but I cannot find anything regarding the hostname.
This API is configured with a selfhosted gateway.
I found the reason.
Usually, I configured the selfhost-gateway and the managed gateway:
If I remove the managed gateway, I have to specify the hostname in the Developer Portal with the hostname of the selfhosted-gateway.
Related
We have the following setup in Azure, configured using this guide (https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/apis/protect-apis):
App Gateway with Public IP calling ===> Azure APIM Service configured in Internal mode (development tier)
Details:
1. Both App Gateway and APIM are in the same VNet but in separate subnets.
2. App Gateway has only a public IP, with Firewall disabled (for testing purposes).
3. APIM is configured in Internal mode.
4. Three listeners (one for API, one for developer portal and one for API management endpoint) are configured in App Gateway using custom domains and SSL certificates.
5. There is a VM deployed and configured in the same VNet.
APP Gateway Domains are: (Internet Accessible)
dev.apiportal.xxxx.com ==> API Portal
dev.api.xxxx.com ==> API Gateway
dev.apimanagement.xxxx.com ==> API Management
APIM Service is using default domains: (Not accessible on internet. APIM is configured in Internal mode)
dev-apim.developer.azure-api.net ==> API Portal
dev-apim.azure-api.net ==> API Gateway
dev-apim.management.azure-api.net ==> API Management
The probes defined on App GW for the endpoints mentioned above are healthy and in green status.
Problem Statement:
1. API portal is accessible from the VM mentioned in #5 above using the default links. I am able to log in using a user added in the portal. The VM's hosts file has been modified with the IP address and default host name of the APIM service. Portal works fine when accessed from the VM.
2. When I try to access the portal from the internet using the custom domain (configured on the listeners of App GW mentioned in #4 above), the portal loads fine.
3. When I try to log in using the same user (mentioned in #1), it doesn't work and the error I get is "Please provide a valid email and password". This error appears almost 15-20 seconds after clicking the sign in button.
4. When I checked the error in the browser developer tools, I found that even though the portal is accessed using the internet-facing URL, one request for the management API is pointed to the internal URL of API Management.
Wanted to understand if we need to have custom domains for APIM service as well in order to get this setup working? Any pointer to fix this error?
• Thank you #Pankaj Kapare for your question and the subsequent resolution that you have provided in the comments section. I am posting the same comment of yours elaborately and some additional probable resolution as an answer.
Setting the APIM service's URLs to the custom domains that are mentioned in the application gateway, while the APIM service is still operational in internal mode, helped to log in to the APIM developer portal successfully, i.e., setting the same custom domains that are defined in the application gateway in the APIM's endpoints.
• You can also resolve this DNS mapping issue by creating a CNAME record for the custom domain configured in application gateway and mentioning an alias to the default domain URL in the APIM service. Thus, by creating a CNAME DNS record for the default domain in the APIM service, you can redirect the requests for the application gateway’s custom domain URL to the default domain URL in the APIM service.
But for this also, you would need to create a private DNS zone in Azure and create the above-mentioned record in it, which will restrict the internet access to the APIM URLs and redirect the requests internally.
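The dev-tools check described in the question can be repeated over a saved HAR export to list every host the portal sends the browser to that is not one of the App Gateway custom domains. This is an added example, not part of the original posts: the HAR entries are constructed, the request paths and `cdn.example.net` are placeholders, and the host names are the ones listed in the question.

```python
import json
from urllib.parse import urlsplit

# Host names the App Gateway listeners publish (taken from the question).
PUBLIC_HOSTS = {"dev.apiportal.xxxx.com", "dev.api.xxxx.com",
                "dev.apimanagement.xxxx.com"}

# Constructed HAR excerpt: only the fields read below; paths are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://dev.apiportal.xxxx.com/signin"},
     "response": {"status": 200}},
    {"request": {"url": "https://cdn.example.net/constructed.js"},
     "response": {"status": 200}},
    {"request": {"url": "https://dev-apim.management.azure-api.net/constructed-path"},
     "response": {"status": 0}},
]}})


def off_domain_calls(har_text, public_hosts, internal_suffix=".azure-api.net"):
    """List requests the browser sent to hosts outside the published set."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        host = (urlsplit(url).hostname or "").lower()
        if host in public_hosts:
            continue
        # Per the question, the APIM default domains are not reachable from
        # the internet, so a public client cannot complete these calls.
        kind = "apim-default-domain" if host.endswith(internal_suffix) else "other"
        findings.append({"host": host, "kind": kind,
                         "status": entry["response"]["status"]})
    return findings


def internal_hosts(findings):
    """Unique APIM default-domain hosts that a public client was sent to."""
    return sorted({f["host"] for f in findings
                   if f["kind"] == "apim-default-domain"})


if __name__ == "__main__":
    for finding in off_domain_calls(SAMPLE_HAR, PUBLIC_HOSTS):
        print(finding)
```

An empty result from `internal_hosts` after the custom domains are set on the APIM endpoints confirms the portal no longer hands out the default management host name.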
I have a configuration in Azure with a Virtual Network and 2 subnets.
In 1 subnet I have an App Service Environment v3 + App Service Plan + Logic App Standard. I have a workflow with an HTTP Trigger.
In the other subnet, I have an API Management instance, and I need to expose my Http triggered workflow as an API in APIM.
The DNS of the Virtual Network is hosted internally (on-premises) and not managed by Azure. There is no conditional forwarding setup for the moment.
Because of this, the URL of the workflow is something like ..appserviceenvironment.net/.
The DNS name cannot be resolved and I want to know what is the solution I can put in place to make it work? Do I need to create a private DNS zone for the ".appserviceenvironment.net" and add manually the private IP of the app service environment?
• I would suggest that you refer to the GitHub link below for more information and step-by-step details regarding the connectivity to a virtual network in internal mode using Azure API Management:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/api-management/api-management-using-with-internal-vnet.md
It states that API gateway, developer portal, direct management and Git are the only endpoints that are accessible from the virtual network that is configured in the internal mode for API Management instance. Also, the service endpoints will remain inaccessible until you configure DNS for your virtual networks.
Also, using API Management in internal mode will expose your cloud-based APIs and on-premises APIs through a common gateway in hybrid cloud scenarios. And to configure the common gateway, you will have to provision a private DNS zone and link it into your virtual network through a hostname which is configured on the service endpoints, one of which when using the private DNS zone is the API gateway with which you want to have a workflow with an HTTP trigger.
Please go through the link below for configuring the routing details related to the API Management instance in the virtual network:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/api-management/api-management-using-with-internal-vnet.md#routing
I am following up this doc series to set up an internal API management instance integrated with APP Gateway in azure. I followed everything to the detail:
Created a new resource group
Setup a Vnet with 3 subnets
And setup a private dns zone and link the vnet
And then created self-signed certificates to be used with the dns created in private dns zone
Created API management instance and added custom domains
Created an App Gateway with public IP and setup routing rules and backends and setup health probes with path /status-0123456789abcdef for APIM
But now I am getting this backend health error as below:
Can someone tell me what I am doing wrong?
Are there any security groups to be configured? I am using internal mode for the APIM, and when I even try to test the default API (which is echo test) it gives the below error:
Why this is not working? If you need any more information, I will let you know (update the question). Can someone please help me?
I have a similar situation which was driving me insane. I must have changed everything I possibly could. The answer was to create a custom health probe, and at the very bottom of the HTTP settings there was an option to use the custom probe.
Since the Gateway URL is not registered on the public DNS, the test console available on the Azure portal will not work for Internal VNET deployed service. Instead, use the test console provided on the Developer portal.
You can find more details here.
I'm using a Virtual Machine with a nodejs server listening in port 3000. I want to expose that server using Api Management. I tried to create a security group and just allow inbound traffic from my Api Management but it doesn't work.
I'm using Security Groups and service tags for specifying my Api Management service but the endpoint gives me a 500 error.
If I use the public IP of my Api Management service it actually works, but I need to make service tags work.
I expect service tags to actually bind my Api Management to the security group policy, but I'm getting a 500.
I think there is a misunderstanding of the ApiManagement service tag.
You can check the IPs in the ApiManagement service in official JSON: https://www.microsoft.com/en-us/download/details.aspx?id=56519
ApiManagement service tag describes source IPs of ApiManagement Control Plane service. So, when you manage configurations on ApiManagement of portal, the Azure Resource Manager will connect to your Api Management on port 3443 to apply a configuration with the source IP from ApiManagement service tag list.
That is for traffic between Internet <-> ApiManagement, so you can restrict management endpoint only to Azure / your datacenter.
In your case, between ApiManagement <-> Backend, you must use Public IP for External configuration and Private IP for internal configuration to restrict the traffic for your nodejs backend.
Few links on this topic:
How can I secure the connection between the API Management gateway and my back-end services?
IP addresses of Azure API Management
Using Azure API Management service with an internal virtual network
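The answer's point can be checked directly against the service tag file: load the `ApiManagement` prefixes and test whether the address your backend actually sees as the source falls inside them. This is an added example, not code from the answer; the JSON below is a constructed excerpt in the layout of the download, and all addresses are documentation ranges standing in for real values.

```python
import ipaddress
import json

# Constructed excerpt shaped like the Service Tags JSON download.
# Prefixes are RFC 5737 / RFC 3849 documentation ranges, not Azure addresses.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "ApiManagement", "id": "ApiManagement",
         "properties": {"systemService": "AzureApiManagement",
                        "addressPrefixes": ["192.0.2.0/28",
                                            "198.51.100.64/26",
                                            "2001:db8:1::/48"]}},
        {"name": "Storage", "id": "Storage",
         "properties": {"systemService": "AzureStorage",
                        "addressPrefixes": ["203.0.113.128/25"]}},
    ],
})


def tag_prefixes(doc_text, tag_name):
    """Return the address prefixes listed for one service tag."""
    for value in json.loads(doc_text)["values"]:
        if value["name"] == tag_name:
            return [ipaddress.ip_network(p)
                    for p in value["properties"]["addressPrefixes"]]
    raise KeyError(tag_name)


def source_matches_tag(source_ip, prefixes):
    """True if an NSG rule whose source is this tag would match source_ip."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip.version == net.version and ip in net for net in prefixes)


def rule_coverage(source_ips, doc_text, tag_name="ApiManagement"):
    """Map each candidate source address to whether the tag covers it."""
    prefixes = tag_prefixes(doc_text, tag_name)
    return {ip: source_matches_tag(ip, prefixes) for ip in source_ips}


if __name__ == "__main__":
    # 192.0.2.5: constructed control-plane source (port 3443 traffic).
    # 203.0.113.10: constructed public IP of the APIM gateway calling port 3000.
    print(rule_coverage(["192.0.2.5", "203.0.113.10"], SAMPLE_SERVICE_TAGS))
```

A gateway address that maps to `False` is not matched by an allow rule keyed on the tag, which is why the rule on the backend has to name the APIM public or private IP instead.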
I wanted to manage APIs published in Azure API Management to be included in Traffic Manager for high availability. But when I choose the external endpoint option and include the API Management API hostname, it shows invalid host name.
I have entered a domain name like https://xxxxx.azure-api.net
If you have two DNS names that can be used as an active/active or active/passive pair for your API endpoints, you can add them to a Traffic Manager profile and set the routing method you want to use. As indicated in an earlier answer, use only the DNS name and not the protocol identifier (http/https) when you add an endpoint to a Traffic Manager profile.
Traffic manager only wants the DNS name (FQDN) for external endpoints not the protocol. So drop the http: or https: from your API management address and it will accept that as an external endpoint.
Or is your problem not with adding the endpoint, but with the health endpoint monitoring? That can happen as the endpoint for the API Management gateway will return a 404 by default as it does not have a publicly exposed default page.