I am pretty new to Azure API Management so hopefully I am just missing the obvious and there is an easy solution.
I work in a regulated environment where strict validation and code separation is enforced.
For that reason an API that I wrote is implemented on four separate app services each representing a specific environment sandbox, dev,qa, and production
I am trying to set all these up in API Management using custom domains, but it just doesn't seem to work.
Here is where I am at.
API Management has been deployed to its own subnet in a vnet.
I created an internal client certificate, and uploaded it to a vault. This certificate had multiple subject name alternatives to represent each environment.
Ex. api.contoso.com
api-sand.contoso.com
api-dev.contoso.com
Etc
I then created custom domains using this certificate in APIM ...each set as a "gateway" type domain
I then created an Api based on api-dev.contoso.com and a suffix "external" based on the dev app service. This will host the dev operations that can be exposed to the internet through app gateway
I then created a second api, again using the api-dev.contoso.com custom domain, and specified a suffix of "internal", to host all the internal operations from this api.
I ran into trouble when I tried to create a third API. This one was supposed to target the sandbox version of the api, but when i started filling out the new api panel, I found that the base url was grayed out and set to api-dev.contoso.com.....there was no way to change it to api-sand.contoso.com
What am I missing?? ...APIM let's you create these custom domains, but it seems to only let you use one...that doesn't seem right....there must be a different approach I need to use.
One option I thought of, but haven't tried yet is to have one custom domain, and implement the environments using different suffixes. For example api-nonprod.contoso.com/sand/external would link to my sandbox app service, and api-nonprod.contoso.com/dev/external would link to the development app service.
I'd still rather do it through custom domain names if it is possible.
Related
I want to limit the access to one of my app services to Azure API Mangement. In order to be independent from a single IP I created the following setting using service-tag-based restriction:
However if I test my API using the Developer Portal I still receive 403 messages.
If I now add a restriction-rule to allow the IP address of the API Management it will work.
The documentation claims that service tags are adding the IP ranges for the provided Azure services to the restrictions. This is exactly what I want to achieve but it does not seem to work.
After I contacted the MS support I know can tell an answer to this.
On central message in the answer was
Unfortunately, there is no tag for all of the API Management outbound IP addresses.
The support highlighted that the documentation for service tags points out that
This enables customers to perform management operations on the APIs, Operations, Policies, NamedValues configured on the API Management service.
What this means is that the service tag is only for backend operations. Problem with this is that it doesn't help you at all. I already noticed that after I switched on the service tag rule I could not update an API using the direct OpenAPI endpoint via the portal which is the documented way. This is because the explorative request against the OpenAPI would be performed using the local browser as a XHR-request. This means I would have to add my local IP to the restriction list every time.
The supports suggests to put everything inside a VNET and configure the access using this technique. I had this solution in place and then considered it as too clumpsy. I guess I have to do it now.
This is more of a general question about. I have a website running as an Azure App Service. I configured a custom domain so that you are able to call it by my-site-name.com.
As the request of customers kept growing and each customer has specific demands, I was wondering if it is possible to have a subdomain for each customer. For example, client1.my-site-name.com and client2.my-site-name.com.
Is it possible to do all of this within a single App Service or do I need to set up an Azure App Service for each subdomain?
The reason behind my question is, that it would be quite expensive to have an App Service for each individual customer.
You should also consider just adding a wildcard custom domain entry. This is an older blog post, but it outlines Azure WebApp support for Wildcards:
https://azure.microsoft.com/en-us/blog/azure-websites-and-wildcard-domains/
This would mean that *.my-site-name.com traffic goes to your single Web App. Then it is up to the logic of your webapp to determine which client it is by inspecting the hostname of the request (client1.my-site.name.com) and taking the appropriate action to customize the response to that client.
Using a wildcard eliminates the need to add a specific custom subdomain mapping for each client.
It should be possible. Within your app service, if you go to the settings for that service, there is a Custom domains option, select it.
Within there you can then map your subdomains to this service, and it allows you to do it multiple times. You just need to validate and set it up with the A record or CNAME and own the domain. Additionally, you should be able to add SSL Bindings for each.
Here are some documentation on it, I don't believe this documentation handles your exact use case but it does touch on the custom domain portion and should provide additional support.
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain
https://blogs.msdn.microsoft.com/waws/2014/10/01/mapping-a-custom-subdomain-to-an-azure-website/
Let me know if you need more
This seems more like a domain management issue than an azure specific issue. You have already decided to have different sub domains to each customer. That, by definition, means each sub domain needs individual server space. That in turn would mean, an app service for each customer.
So, the answer is what you already have. Have an app service (essentially web server) for each customer via sub domain.
In your position, I would consider some alternatives.
Rebuild your app to work with some form of login system, so clients login and get themselves a separate view.
Alternatively, go with sub folders instead of custom domains. something like, domain.com/client1, domain.com/client2 and so on.
I have a Node.js app that serves http requests. Users can signup, create an account and when they do, I generate a subdomain for them to use. eg username.example.com. This is fairly straight forward to do and can be served over ssl using a single certificate.
I would like to give the option for the user to use their own domain. From Node.js this isn't too difficult either. I can check the hostname and look up the account details from there.
I'm struggling to work out how to generate ssl's for these custom domains though.
Right now, my app runs on Heroku, but I also have a staging build on Google's App Engine, so I don't deal with the web server directly. In fact, I don't even know what it is, it could be Nginx or Apache.
To keep the conversation focused, let's stay I want to stick to app engine. When a user adds their own domain, I store it in the database. How would I auto generate an SSL for this?
I thought of general steps for this, but there is one showstopper which I'm not sure it is possible to workaround. The steps will be:
Map the user's domain to your application and configure the DNS records. You can do that with the gcloud commands: steps and general description outlined in this Mapping Custom Domains docs page (notice that you can switch between Console and GCloud in the boxes). There is also a possibility of doing that within the Cloud Console, however as you've mentioned you're interested in the programmatic approach. If you prefer to configure the custom domain from the API, the same functionality exists in App Engine Admin API with its REST resource for domain mappings.
Possible showstopper (source: Mapping Custom Domains) :
Verify that you are the owner of your domain through Webmaster Central
After that, App Engine provisions a managed certificate and then handles renewing/revoking it. Securing Custom Domains with SSL is still in beta, but it offers the functionality that you need.
We've implemented a setup as follows:
App Service Environment having different app services exposing different APIs. This instance is configured as an internal instance, so no public access.
We've configured an internal (private) DNS zone. This zone is used to create internal URLs for the API's.
API Management instance which is exposed to the outside. Here the API's need to be registered using the Swagger files exposed by the APIs themselves.
Everything is contained within the same VNet.
Now what we see is two things:
From a VM inside the VNet, I can browse the URL of the API without any issue and download the Swagger file.
When we try to register the API within API management, it throws an error stating the file could not be downloaded. When we register manually and then try to call the API, we get a DNS resolve error.
So it seems as if the API Management instance is not able to resolve our custom DNS zone as setup in Azure. I could not find any information that tells me whether this scenario is supported or not. Any pointers that might help find the problem are very welcome indeed.
Update when we register the API via uploading a file and then try to call one of the API methods, the following error appears:
The remote name could not be resolved
This same address resolved just fine from a VM within the exact same VNet.
I have the same issue, when I look for online, the below solution looks promising. It is self-explanatory, DNS forwarded need to enable between vnets. More information is here
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server
I have a site that I want users from 5 different countries to use. However, I want each country to reach the site on language specific url's like www.deutchname.com and ww.englishname.com. The site will then server the language based on the domain name. Is this possible or do I set up several sites with the same databse? I'm running my site on an Azure web role.
When you create an application in Windows Azure, Azure provides a friendly subdomain on the cloudapp.net domain. However, in most cases you would like to access your website via custom comain, say, www.mysite.com. That ability is supported by both Azure Cloud Services as well as Azure Websites.
Custom domains are invisible to the end user i.e. a visitor of www.yoursite.com will never see the true host (say, yoursite.cloudapp.net).
The approach of having single deployment handling multiple domains or multiple deployments (each supporting single domain) talking to one database depends on architecture of your system architecture. Each solution has its pros and cons. Both solutions can be built in Azure Cloud service.
We are using the first approach i.e. single deployment handling multiple domains (and languages), and it works perfectly fine. There are some challenges but related to the system architecture (e.g. features visible on one domain and hidden on the others etc.) rather than Azure itself.
There is Configuring a custom domain name for a Windows Azure cloud service or storage account article which describes the process of setting up custom domain (via CNAME or Alias record (which is preferred) or via A record) for Azure Cloud service as well as verification process.