Azure VM hosted APIs should be accessible to azure APIM only - azure

I have my APIs hosted on a azure windows virtual machine. I want that these APIs should be privately consumed by API management. If I make VM and APIM in same VNET and configure APIM as internal then my APIs exposed by APIM will not be accessed by public web app and If I make my APIM external then my developer portal will be publically accessible, which I dont want.
Is there any policy or outbound/inbound rule that can be configured so that APIs from VM, and APIM developer portal is not publically accessible?

From the document, if you select internal option in the virtual network of API Management services,
the API Management gateway and developer portal are accessible only
from within the virtual network via an internal load balancer. The
gateway can access resources within the virtual network.
In this case, you can deploy your APIM into a vNet following the common network configurations---dns and NSG rules. The API hosted VM should be able to resolve the develop portal with a private IP address.

Related

Azure Container App: Only allow access over Api Management

I want to restrict access to my Azure Container App with an Api Management in Azure.
I successfully linked the Api Management with the Container App and I have activated a Subscription with an Api Key that will prevent public access over the Api Management Service Url. The problem, however, is that the Container App can still be accessed over the public Url of the Container App.
There is still the option to set the Ingress Traffic in the Container App to Limited to Container Apps Environment but then the Api Management will not have access to the Container App as well.
What is the correct way to properly secure the Container App behind an Api Management Service?
For Azure Container Instances, you don't have the option to configure IP restrictions similar to Azure App Services. Instead you will have to first create a virtual network and configure a Network Security Group to Deny all traffic from the internet and allow only from APIM, and then deploy your Azure Container Instance to this virtual network.
See here for deploying an azure container instance to a virtual network : https://learn.microsoft.com/en-us/azure/container-instances/container-instances-vnet
For configuring network security groups in your virtual network see : https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules
You app service is still accessible over the public internet because you haven't configured Access Restrictions in your App Service's Network.
What you need to do is go to your App service. Then select Networking from the left menu and Turn on Access Restrictions for inbound traffic.
Create an access restriction rule to deny from the internet.
Next create a second acccess rule to allow access from the APIM. Ensure the priority on this one is higher.
Read the Microsoft Docs on how to set app service IP restrictions here : https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
Assuming your API management service has a static IP (not a consumption plan), you would need to use you own VNET:
Networking architecture in Azure Container Apps
Then using NSG, you could add an inbound rule to only allow traffic from the APIM service IP on HTTPS (TCP 443).
Azure container apps do now seem to have the ability to restrict inbound ip addresses
https://azure.microsoft.com/en-gb/updates/public-preview-inbound-ip-restrictions-support-in-azure-container-apps/
We have are looking at a similar architecture with a similar dilemma. Everything we have is secured with Azure b2c but if I want to make an internal container/microservice accessible to Azure Api Management I think I'd have to drop b2c (api management has no UI to log into b2c) and make it publicly accessible via the Ingress. If the inbound ip addresses are restricted to api management maybe that is ok. It does worry me that ip addresses can be spoofed although you'd hope Microsoft have thought of that.
Another alternative which I've not investigated but which does work for Azure functions is managed identities. This might not work at all with container apps though
https://www.svenmalvik.com/azure-apim-function-msi/
First, I think that it is good to explain networking architecture in Azure Container Apps.
Azure Container Apps run in the context of an environment, which is supported by a virtual network (VNET). When you create an environment, you can provide a custom VNET, otherwise a VNET is automatically generated for you.
There are two ways to deploy Container Apps environments:
External - Container Apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address.
Internal - When set to internal, the environment has no public endpoint. Internal environments are deployed with a virtual IP (VIP) mapped to an internal IP address. The internal endpoint is an Azure internal load balancer (ILB) and IP addresses are issued from the custom VNET's list of private IP addresses.
I attach the image from Azure portal to show above two options:
Now going further, if you want your container app to restrict all outside access, create an internal Container Apps environment.
Now when it comes to deployment of the Container Apps to the Container Apps Environment, accessibility level you selected for the environment will impact the available ingress options for your container app deployments.
If you are deploying to an external environment, you have two options for configuring ingress traffic to your container app:
Limited to Container Apps Environment - to allow only traffic from other container apps deployed within the shared Container Apps environment.
Accepting traffic from anywhere - to allow the application to be accessible from the public internet.
If you are deploying to an internal environment, you also have two options for configuring ingress traffic to your container app:
Limited to Container Apps Environment - to allow only traffic from other container apps deployed within the shared Container Apps environment.
Limited to vNET (Virtual Network) - to allow traffic from the VNET to make container app to be accessible from other Azure resources or applications within the virtual network or connected to the virtual network through Peering or some type of VPN connectivity
Now in you case, what you are looking for is the architecture where you enable access to Azure Container Apps only through the Azure API Management. In this case you have to deploy Azure Container Apps Environment with Internal mode and set ingress traffic to Limited to VNet (Virtual Network).
I assume that Azure API Management can be accessible from the Internet. In this case you have to deploy Azure API Management inside an Azure Virtual Network. There are two possible modes: internal, and external. In you scenario, you can use external mode. More details can be found here. When API Management instance in the external mode, the developer portal, API gateway, and other API Management endpoints are accessible from the public internet, and backend services are located in the Azure Virtual Network.
Here I also attach the solution architecture to show how all these components are connected together. I also have Azure Front Door here but API Management is deployed with external mode. Please remember that you will also need private DNS Zone for your Azure Container Apps Environment domain, to make it possible to refer to specific APIs from the Azure API Management using URLs, example:
https://ca-tmf-mip-vc-api--v-01.blacklacier-cf61414b.westeurope.azurecontainerapps.io
Helpful links:
Repo with Bicep files to deploy Azure Container App with internal mode
Azure Container Apps Virtual Network Integration

Azure Logic App Standard DNS names resolution

I have a configuration in Azure with a Virtual Network and 2 subnets.
In 1 subnet I have an App Service Environment v3 + App Service Plan + Logic App Standard. I have a workflow with an HTTP Trigger.
In the other subnet, I have an API Management instance, and I need to expose my Http triggered workflow as an API in APIM.
The DNS of the Virtual Network is hosted internally (on-premises) and not managed by Azure. There is no conditional forwarding setup for the moment.
Because of this, the URL of the workflow is something like ..appserviceenvironment.net/.
The DNS name cannot be resolved and I want to know what is the solution I can put in place to make it work? Do I need to create a private DNS zone for the ".appserviceenvironment.net" and add manually the private IP of the app service environment?
• I would suggest you to please refer to the github link below for more information and step by step details regarding the connectivity to a virtual network in an internal mode using the Azure API management: -
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/api-management/api-management-using-with-internal-vnet.md
It states that API gateway, developer portal, direct management and Git are the only endpoints that are accessible from the virtual network that is configured in the internal mode for API Management instance. Also, the service endpoints will remain inaccessible until you configure DNS for your virtual networks.
Also, using API Management in internal mode will expose your cloud-based APIs and on-premises APIs through a common gateway in hybrid cloud scenarios. And to configure the common gateway, you will have to provision a private DNS zone and link it into your virtual network through a hostname which is configured on the service endpoints, one of which when using the private DNS zone is the API gateway with which you want to have a workflow with an HTTP trigger.
Please go through the link below for configuring the routing details related to API Management Instance in the virtual network: -
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/api-management/api-management-using-with-internal-vnet.md#routing

Azure APIM Internal Vnet integration. Not able to deploy/create APIs & [Failed to connect to management endpoint]

I have Azure APIM setup and deployed few apis into the apim instance using the azure devops pipelines. Later we wanted to Integrate the APIM with the Vnet, so assigned the apim instance to a Vnet, with dedicated subnet and also assigned NSG rules with recommended ports open as per the MSFT documentation. Also attached certificates and defined some custom domain names as well. But end of the day, I was not able to see and APIs nor create/deploy the to the instance again. Not exactly sure what the issue is?
This is one of the error I see everytime I get to the instance page.
**Failed to connect to management endpoint at apim-xxx-xxx-dev-xxx.management.azure-api.net:3443 for a service deployed in a virtual network. Make sure to follow guidance at https://aka.ms/apim-vnet-common-issues.**
Not sure whether this is the issue or something else....
Any help or information is highly appreciated.
In the internal VNet integration, the API Management gateway and developer portal are accessible only from within the virtual network via an internal load balancer. See the documentation here. In this type of deployment, you will have to use a VPN or express route connection to the Azure VNet.
As #wali mentioned in his answer, with the internal VNet integration, all APIM service endpoints can only be accessed from within the VNet.
If you want to expose backend APIs in a VNet to external users via APIM, you can consider using the external VNet integration.
If you want both the external and internal users to access the APIs via APIM, you can use the internal VNet integration with an Application Gateway, like what is mentioned in this document.

Azure How can I call internal API Management service by private IP inside VNET

I created VNET in Azure. I put in one subset internal API Management which call Azure Function outside of the VNET and in another one Virtual machine. When I tried to call API Management I got a 503 exception. And if I try to ping private IP from the VM it doest work.
The other solution was to create Azure private link but in this case, I got the info by the link but did not be able to ping or call by private IP(got 400)
My solution was to run the web app instead of the AF in the VM because VM can be easily called by private IP in VNET.
How can I call API Management and other azure services(Azure private link) by private API?
From the official document,
API Management service does not listen to requests coming from IP
addresses. It only responds to requests to the hostname configured on
its service endpoints. These endpoints include gateway, the Azure
portal and the Developer portal, direct management endpoint, and Git.
You only could access API management service via hostname instead of private IP in an internal mode API Management. For this mode, you have to manage your own routing. If you use a custom DNS server in a virtual network, you can also create A DNS records and access these endpoints from anywhere in your virtual network.

Azure WebJob vNet integration

I can't get vNet integration between an Azure App Service / WebJob and it's connected Storage Account to work correctly. I have added both the App Service and the storage account to the same vNet and enabled service endpoint binding for Microsoft.Storage. From what I can see in the docs, this is what is needed to get the communication to work between the services. Unfortunately, I get this error in the WebJob log when I try to run it:
"Unhandled Exception: Microsoft.WindowsAzure.Storage.StorageException:
The remote server returned an error: (403) Forbidden. --->
System.Net.WebException: The remote server returned an error: (403)
Forbidden."
If I disable the firewall on the storage account everything works just fine.
All the services are placed in the same resource group and region (West Europe).
I have tried both the "normal" (with gateway) and the new (Preview) vNet integration version on the App Service and both are failing the same way.
I am not using ASE (App Service Environment).
I have also added the following exceptions on the storage firewall:
Storage firewall exceptions
First, when you allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account.
In this case, you may think Microsoft.Networking service will be allowed in firewall rule. But basically, VNet Integration does not mean App Service is inside a VNet. VNet Integration gives your web app access to resources in your virtual network but doesn't grant private access to your web app from the virtual network. We usually used to securely access the resource in a VNet.
If you want to put your App Service in a VNet, you need to deploy it in App Service Environment, then it's already in a VNet.
Alternatively, you could whitelist the outbound web app service IP address in the firewall rule of the storage account.
Hope this helps, feel free to let me know if you have any concerns.
I've struggled myself on this topic.
First off, if you're restricting access to storage using the firewall you need to add your VNET to the storage firewall. Use your delegate subnet when adding your VNET.
When you add the private link between your storage and your VNET, Azure creates a private DNS zone but your app doesn't automatically use it, even when integrated to the VNET.
You can find more here https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
But specifically this passage applies:
After your app integrates with your VNet, it uses the same DNS server that your VNet is configured with. By default, your app won't work with Azure DNS private zones. To work with Azure DNS private zones, you need to add the following app settings:
WEBSITE_DNS_SERVER with value 168.63.129.16
WEBSITE_VNET_ROUTE_ALL with value 1
These settings send all of your outbound calls from your app into your VNet and enable your app to access an Azure DNS private zone. With these settings, your app can use Azure DNS by querying the DNS private zone at the worker level.
You can test the DNS resolution your app is using by opening the debug console and using the NameResolver command
NameResolver mystorageaccount.blob.core.windows.net or
NameResolver mystorageaccount.queue.core.windows.net
should return your private address. If not you have a DNS issue.

Resources