We've implemented a setup as follows:
App Service Environment having different app services exposing different APIs. This instance is configured as an internal instance, so no public access.
We've configured an internal (private) DNS zone. This zone is used to create internal URLs for the API's.
API Management instance which is exposed to the outside. Here the API's need to be registered using the Swagger files exposed by the APIs themselves.
Everything is contained within the same VNet.
Now what we see is two things:
From a VM inside the VNet, I can browse the URL of the API without any issue and download the Swagger file.
When we try to register the API within API management, it throws an error stating the file could not be downloaded. When we register manually and then try to call the API, we get a DNS resolve error.
So it seems as if the API Management instance is not able to resolve our custom DNS zone as setup in Azure. I could not find any information that tells me whether this scenario is supported or not. Any pointers that might help find the problem are very welcome indeed.
Update when we register the API via uploading a file and then try to call one of the API methods, the following error appears:
The remote name could not be resolved
This same address resolved just fine from a VM within the exact same VNet.
I have the same issue, when I look for online, the below solution looks promising. It is self-explanatory, DNS forwarded need to enable between vnets. More information is here
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server
Related
I want to limit the access to one of my app services to Azure API Mangement. In order to be independent from a single IP I created the following setting using service-tag-based restriction:
However if I test my API using the Developer Portal I still receive 403 messages.
If I now add a restriction-rule to allow the IP address of the API Management it will work.
The documentation claims that service tags are adding the IP ranges for the provided Azure services to the restrictions. This is exactly what I want to achieve but it does not seem to work.
After I contacted the MS support I know can tell an answer to this.
On central message in the answer was
Unfortunately, there is no tag for all of the API Management outbound IP addresses.
The support highlighted that the documentation for service tags points out that
This enables customers to perform management operations on the APIs, Operations, Policies, NamedValues configured on the API Management service.
What this means is that the service tag is only for backend operations. Problem with this is that it doesn't help you at all. I already noticed that after I switched on the service tag rule I could not update an API using the direct OpenAPI endpoint via the portal which is the documented way. This is because the explorative request against the OpenAPI would be performed using the local browser as a XHR-request. This means I would have to add my local IP to the restriction list every time.
The supports suggests to put everything inside a VNET and configure the access using this technique. I had this solution in place and then considered it as too clumpsy. I guess I have to do it now.
I am pretty new to Azure API Management so hopefully I am just missing the obvious and there is an easy solution.
I work in a regulated environment where strict validation and code separation is enforced.
For that reason an API that I wrote is implemented on four separate app services each representing a specific environment sandbox, dev,qa, and production
I am trying to set all these up in API Management using custom domains, but it just doesn't seem to work.
Here is where I am at.
API Management has been deployed to its own subnet in a vnet.
I created an internal client certificate, and uploaded it to a vault. This certificate had multiple subject name alternatives to represent each environment.
Ex. api.contoso.com
api-sand.contoso.com
api-dev.contoso.com
Etc
I then created custom domains using this certificate in APIM ...each set as a "gateway" type domain
I then created an Api based on api-dev.contoso.com and a suffix "external" based on the dev app service. This will host the dev operations that can be exposed to the internet through app gateway
I then created a second api, again using the api-dev.contoso.com custom domain, and specified a suffix of "internal", to host all the internal operations from this api.
I ran into trouble when I tried to create a third API. This one was supposed to target the sandbox version of the api, but when i started filling out the new api panel, I found that the base url was grayed out and set to api-dev.contoso.com.....there was no way to change it to api-sand.contoso.com
What am I missing?? ...APIM let's you create these custom domains, but it seems to only let you use one...that doesn't seem right....there must be a different approach I need to use.
One option I thought of, but haven't tried yet is to have one custom domain, and implement the environments using different suffixes. For example api-nonprod.contoso.com/sand/external would link to my sandbox app service, and api-nonprod.contoso.com/dev/external would link to the development app service.
I'd still rather do it through custom domain names if it is possible.
I am getting error while accessing the Azure App Service, can you help in resolving the issue ?
What setting to be applied to resolve the issue ?
Thanks in advance.
This error comes either
When the public access is not allowed on Azure App Service, if you have open public API.
The IP of your application with which you are calling the app service is not whitelisted.
If you have any gateway in between then that may also be blocking your calls.
Solutions to try:
Try removing the access restrictions from Networking page of your web app.
Try giving the access to all by adding 0.0.0.0/0. Later you can add restrictions based on your requirements.
The sequence of the restrictions matters, so please check that once. If you have any blocked call before any allowed call, then it may impact.
You can also have restrictions based on http-headers like X-Forwarded-For. Please check that once. This can happen from code as well, based on how you handle the errors. Link
If your API is behind the Gateway, then you can check this: Application Gateway integration with service endpoints
Are you the developer of this website?
If you are, please navigate to Networking page of your web app, check the Access Restrictions.
If you are not the developer, just contact your administrator and allow your ip to access this website.
For more information, see Azure App Service access restrictions.
I want to expose the Internal APIs through Azure API Management however the gateway is unable to access resources within the virtual network.
Below is my VNet configuration
Below is my API Management Network settings
I have created a Azure VM as shown below
and deployed the Spring Boot application as shown below
Tried configuring the APIs in the API Management however the gateway is unable to access the above internal URL
How do I fix this?
Update:
If I save the API definition and upload on APIM it works without any issues.
When you create an API in APIM from portal, if you put the OpenAPI (swagger) spec URI in the field shown in the screen, it has to be publicly accessible (not necessarily the API itself, but the spec). It's because you are browsing the Azure portal from internet and portal UI form simply tries to access the file from your client side browser before uploading. I agree that it could be nicer if APIM could access it from the server side, but unfortunately that's not the case at this moment. Consider it as a simple feature which either allows to to upload file from your machine or from a URL publicly accessible.
EDIT*: Looks like VNET is not into picture in management plane.
In this case, you can just download the swagger file itself and use the "Select a file" option.
I have developed an application which is hosted on an iPaas provider. This application has to make a REST API call to a service which is running inside an AWS EC2 instance.
Please note that the application is not pushed to AWS. In order to do so, I've to provide access to the cloud provider so that the REST call can be made successfully to the API residing in AWS. That means, in order to make a successful REST call, my application (hosted on some cloud) has to get permission from AWS (where a service is hosted and to which the application is making REST request). But AWS doesn't provide the option to enter the URL. How can we make this possible?
You should look up the documentation of your Cloud Provider.
They for sure must have provided you with the public IP of the machine made available to you.
Another way of solving your problem could be by using the ping command. If you trying to ping the URL of your cloud provider, it will show you the IP address.
But here one issue you may encounter is, depending on your cloud providers size there could be more than one machines which may be providing the service
and it may happen that the IP provided by ping command and the IP of the machine where your app is pushed may be different and your purpose may not be fulfilled.
Here you may try to use the network masks (which you use while providing the access to any IP in AWS security groups)
Try providing access to a supernet.
Or you can also explore the usage of some standard tools like "tracert", "traceroute", "nslookup"