Integrating Application Gateway (WAF) and API Management (Internal)
Customer wants to front load an API Management service with a Web Application Firewall (WAF). Application Gateway WAF SKU provides a Web Application Firewall which protects them against top 10 OWASP vulnerabilities. The APIM sits behind Application Gateway and only accessible via the Application Gateway.
Application Gateway is a Reverse-Proxy service which only routes based on IP Address only. APIM works only on Hostname basis. The challenge is to make Application Gateway forward calls to APIM Internal Load Balancer having the Hostname header which APIM expects.
1. Create an API Management instance using the steps in the document below.
Import and publish your first API
2. Create a VNET with a preferred name e.g. pm317-vnet.
3. Create 2 Subnet inside the VNET, 1 will serve as APIM dedicated Subnet and the other will be used later as the Application Gateway Dedicated Subnet e.g. apim-subnet & appgw-subnet.
4. After creating the VNET and its Subnet. Go back to the APIM Blade.
5. Move the API Management service to Virtual Network in Internal mode inside VNet:pm317-vnet/apim-subnet as documented below. https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet
Take note of the Virtual IP (VIP) addresses, e.g. public 18.104.22.168, private 10.1.1.5
6. You will need to configure custom domain name for your APIM service, follow the guide here to do so https://docs.microsoft.com/en-us/azure/api-management/configure-custom-domain
(Optional): You can follow the guide here to access these API Management service endpoints, which requires you create a virtual machine in a subnet connected to the virtual network in which API Management is deployed https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet
Configuration of the Application Gateway
Create an Application Gateway using the steps in the document below.
NOTE: The APIM has two configurations. Portal and Proxy. I am sharing the configuration of both. Check with the customer to suit his needs.
While configuring virtual network > Select pm317-vnet > It will auto populate the appgw-subnet
Add new if you don’t have an existing Public IP address.
Add a backend pool
Give it a name and set the Target type to IP address or FQDN and the corresponding Target to the APIM’s private IP address then click on Add.
Now we need to create routing rules that links our frontend and backend. So, click on Add a routing rule.
Populate the information as seen below, specify a Rule Name, specify a Listener Name, select Public in Frontend IP, select HTTPS protocol, upload a valid .pfx certificate that contains a public key issued for your custom domain, give it a name, input the password associated with the certificate, select Multi site for listener type and input your custom proxy host name.
Do not click on Add yet because you need to configure Backend targets as well for this rule.
Click on Backend targets, target type is set to Backend pool, click on the backend target dropdown, and select the backend we configured earlier. For the HTTP settings, we need to Add new.
- Backend targets
- HTTP Settings
Now click on the Add button. You should see something like the below. Then you can click on the Add button again.
Now we need to repeat the Configuration procedure above to add another routing rule because we are configuring for both proxy and portal endpoint.
- Backend targets
- HTTP Settings
Then proceed and create.
After the Application Gateway creation is complete.
Go on the Application Gateway resource, under setting, click Health Probes and add 2 health probes for proxy and portal.
Probe Settings Proxy
Probe Settings Portal
Then associate the corresponding probes to the configured http settings.
Once that is completed, go ahead, and confirm the backend (APIM) health.
The next step is to configure the front end for communication. Retrieve the details of the Application Gateway and its associated IP/DNS name using the PublicIP Address element then use it to create an A or CNAME record which points the APIM proxy host name & portal host name (e.g. api.theoots.com & portal.theoots.com respectively in the examples above) to this IP/DNS name.
- PublicIP (DNS name )
- CNAME mapping on the DNS Records
At this point, both your APIM and APP GW are ready to communicate. Now we need to test and see that it works. I will be using Postman.
Populate the request url of a typical API in your APIM including the required headers and SEND
There you have it! Status: 200 OK