Integrating Application Gateway (WAF) and API Management (Internal)

The customer wants to front an API Management (APIM) service with a Web Application Firewall (WAF). The Application Gateway WAF SKU provides a Web Application Firewall that protects against the OWASP Top 10 vulnerability categories. APIM sits behind the Application Gateway and is accessible only through it.

Application Gateway is a reverse-proxy service whose backend pools are addressed by IP address (or FQDN), whereas APIM selects the service instance from the Host header of the incoming request. The challenge is therefore to make Application Gateway forward calls to the APIM internal load balancer while sending the Host header that APIM expects.

Steps

1. Create an API Management instance using the steps in the document below.

https://docs.microsoft.com/en-us/azure/api-management/get-started-create-service-instance

Import and publish your first API

https://docs.microsoft.com/en-us/azure/api-management/api-management-get-started#a-namecreate-service-instance-acreate-an-api-management-instance

2. Create a VNET with a name of your choice, e.g. pm317-vnet.

https://docs.microsoft.com/en-us/azure/virtual-network/quick-create-portal#create-a-virtual-network

VNET Creation

3. Create two subnets inside the VNET: one will serve as the dedicated APIM subnet and the other will be used later as the dedicated Application Gateway subnet, e.g. apim-subnet and appgw-subnet.

Subnet Creation

4. After creating the VNET and its subnets, go back to the APIM blade.

5. Move the API Management service into the virtual network in Internal mode, in VNet pm317-vnet / subnet apim-subnet, as documented below. https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet

APIM in Internal VNET

Take note of the Virtual IP (VIP) addresses, e.g. public 51.137.90.105 and private 10.1.1.5. The private address is the one the Application Gateway backend pool will target.

VIP Addresses of APIM

6. You will need to configure a custom domain name for your APIM service; follow the guide here to do so: https://docs.microsoft.com/en-us/azure/api-management/configure-custom-domain

(Optional): You can follow the guide here to access the API Management service endpoints directly, which requires you to create a virtual machine in a subnet connected to the virtual network in which API Management is deployed: https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet

Configuration of the Application Gateway

Create an Application Gateway using the steps in the document below.

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-web-application-firewall-portal#create-an-application-gateway-with-web-application-firewall

NOTE: APIM exposes two endpoints, the developer portal and the gateway proxy. I am sharing the configuration for both. Check with the customer which of them are needed.

Basics:

While configuring the virtual network, select pm317-vnet; the appgw-subnet will be populated automatically.

Basics — AppGW

Frontends:

Add a new public IP address if you do not have an existing one.

Frontends — AppGw

Backends:

Add a backend pool

Backends — AppGw

Give it a name, set the Target type to IP address or FQDN, set the corresponding Target to the APIM's private IP address (10.1.1.5 in this example), then click Add.

Configurations:

Now we need to create the routing rules that link our frontend and backend, so click on Add a routing rule.

Configurations — AppGw

Populate the information as seen below: specify a Rule name; specify a Listener name; select Public as the Frontend IP; select the HTTPS protocol; upload a valid .pfx certificate issued for your custom domain, give it a name and enter the password associated with the certificate; select Multi site as the listener type; and enter your custom proxy host name.

  • Listener
Listener — Configuration

Do not click on Add yet because you need to configure Backend targets as well for this rule.

Click on Backend targets; the Target type is set to Backend pool. Open the Backend target dropdown and select the backend pool we configured earlier. For the HTTP settings, click Add new.

  • Backend targets
Backend targets — Configurations
  • HTTP Settings
Http settings — Backend targets

Now click on the Add button. You should see something like the screenshot below. Then click the Add button again.

Now we need to repeat the configuration procedure above to add a second routing rule, because we are configuring both the proxy and the portal endpoint.

  • Listener
  • Backend targets
  • HTTP Settings

Then proceed and create.

After the Application Gateway creation is complete:

On the Application Gateway resource, under Settings, click Health probes and add two health probes, one for the proxy and one for the portal.

Probe Settings Proxy

Probe Proxy

Probe Settings Portal

Probe Portal

Then associate each probe with the corresponding HTTP settings you configured earlier.

Once that is completed, confirm that the backend (APIM) is reported as healthy.
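As an added example (not code from the original post), the same backend pool, health probes and HTTP settings expressed with the az CLI. The host-name override on the HTTP settings and on the probes is what makes Application Gateway send the Host header APIM expects. The resource group and gateway names are assumptions; the host names and the APIM private IP are the ones used above.

```shell
#!/usr/bin/env bash
# Added example, not the post's own script. Run with "apply" to execute, or
# with DRY_RUN=1 to print the az commands that would be issued.
set -eu

RG="${RG:-pm317-rg}"                 # assumed resource group name
APPGW="${APPGW:-pm317-appgw}"        # assumed Application Gateway name
PROXY_HOST="api.theoots.com"         # APIM proxy custom domain (from the post)
PORTAL_HOST="portal.theoots.com"     # APIM developer portal custom domain (from the post)
APIM_PRIVATE_IP="10.1.1.5"           # APIM private VIP in internal mode (from the post)

# With DRY_RUN=1 the command line is printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

configure_apim_backend() {
  # Backend pool targets the private VIP, never the public one.
  run az network application-gateway address-pool create -g "$RG" --gateway-name "$APPGW" \
    -n apim-pool --servers "$APIM_PRIVATE_IP"

  # Probes must carry the custom host name: APIM picks the service from the
  # Host header, so a probe sent to the bare IP would never report healthy.
  # /status-0123456789abcdef is APIM's built-in health endpoint.
  run az network application-gateway probe create -g "$RG" --gateway-name "$APPGW" \
    -n apim-proxy-probe --protocol Https --host "$PROXY_HOST" \
    --path /status-0123456789abcdef --interval 30 --timeout 30 --threshold 3
  run az network application-gateway probe create -g "$RG" --gateway-name "$APPGW" \
    -n apim-portal-probe --protocol Https --host "$PORTAL_HOST" \
    --path /signin --interval 60 --timeout 30 --threshold 3

  # HTTP settings: override the Host header with the APIM custom domain and
  # attach the matching probe (the "associate the probes" step above).
  run az network application-gateway http-settings create -g "$RG" --gateway-name "$APPGW" \
    -n apim-proxy-settings --port 443 --protocol Https --host-name "$PROXY_HOST" \
    --probe apim-proxy-probe --timeout 180
  run az network application-gateway http-settings create -g "$RG" --gateway-name "$APPGW" \
    -n apim-portal-settings --port 443 --protocol Https --host-name "$PORTAL_HOST" \
    --probe apim-portal-probe --timeout 180
}

# Confirm that the backend (APIM) is reported Healthy behind both HTTP settings.
check_backend_health() {
  run az network application-gateway show-backend-health -g "$RG" -n "$APPGW" \
    --query "backendAddressPools[].backendHttpSettingsCollection[].servers[].[address,health]" -o tsv
}

if [ "${1:-}" = "apply" ]; then configure_apim_backend && check_backend_health; fi
```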

The next step is to configure the front end for communication. Retrieve the Application Gateway's public IP address and DNS name from its PublicIP Address element, then create an A or CNAME record that points the APIM proxy host name and portal host name (api.theoots.com and portal.theoots.com respectively in the examples above) to this IP address or DNS name.

  • PublicIP (DNS name )
  • CNAME mapping on the DNS Records

At this point, both your APIM and Application Gateway are ready to communicate. Now we need to test that it works. I will be using Postman.

Populate the request URL of a typical API in your APIM, include the required headers, and click Send.

There you have it! Status: 200 OK

Enterprise Cloud Solutions Architect / Dev Ops Enthusiast.