Friday, April 21, 2023

Azure Application Gateway With API Manager Internal mode: Set Up Part 1

 


This is one of the famous design patterns we are going to set up. We will put API Manager inside a virtual network so that we can secure our internal APIs. Since it is going to be inside the virtual network, we can have all the connectivity inside de Virtual network and On-Premise with the help of Express Route. In the API world, we also need to expose our APIs outside of the network so that our external vendor can connect with these APIs. To achieve that we will be putting Application Gateway in front of API Manager and will expose only those APIs which are required. 


Architecture Diagram:



Based on the above architecture diagram, we will create an API inside the VM, and this API will be treated as an internal API. We will put API Manager and Application Gateway inside the virtual network. This is going to be a lengthy process so make sure you have enough time to complete the setup.


If you are working in the office and trying to set up, then grab a coffee.

If you are working from home and setting this up for learning, then grab a few beers 😉

From step 1 to step 5 you can create resources parallelly then you need to wait for another process to complete. Let’s get started…


Step 1: Create an APIM instance with Developer SKU



Step 2: Create a Virtual Machine for our backend

·       Create a VM, this will be treated as backend internal services for the APIM. When we create this VM it will give us some other resources like interface, public IP, VM, Virtual Network, etc. We will use the same virtual network for APIM. Let’s complete this task parallelly while our APIM is getting ready


·       On the network tab I am updating the virtual network name and creating 3 subnets,

o   apim-vet                       :           virtual network name

o   backend-subnet            :           subnet name

o   apim-subnet                  :           subnet name

o   app-gw-subnet             :           subnet name

·       We need 2 separate empty subnet one for API Manager and another for Application Gateway, which is required.         






 

·       Click review and create and click create.

Step 3: Create an API inside the VM:

Let’s create a dummy API inside backendvm and test it. Same API we will call from API Manager so that we can test our API manager in internal mode and later same API will be called from the application gateway to test end to end

      ·       Install IIS server

·       Put a json file inside “C:\inetpub\wwwroot\test”

You can choose any method to create an API

·       I have installed the Postman inside the VM.

·       I have given a test as mentioned below our API is working as expected

·       We will create a proxy of this API in API manager.



Step 4: Create a network security group for API Manager:

 We now create a security group for the API Manager, we will attach this security group to “apim-subnet”. We will then put some inbound and outbound rules so that API Manager can talk to internal API and can be reachable on specific ports.


      
·       Go to Subnets and associate” apim-vnet” and “apim-subnet” to it as mentioned below.



·       Add Inbound Rules

·       Add any internet connection to reach ports 443 and 80 inside the virtual network



·       Add API Management.AustraliaEast (location for the API Manager) to reach to virtual network on port 3443


·       Add one below outbound rule


These above 4 steps you can do while creating an API Management instance. Now wait if your API Manager is not yet ready.

Once your API Manager instance is ready it should be like the below. This should currently have connectivity from the internet.


Step 5: Put this API Manager in the virtual network:

·       Go to Network and choose Internal Virtual network and select “apim-vnet” and “apim-subnet” as mentioned below.


·       Click apply and save it. It will again take some time to complete.

    ·       Once completed then you can see the private IP of the API Manager as above

Step 6: Create RootCA and SSL self-signed certificate

Execute the below commands one by one. We are creating RootCA certificate and then creating SSL certificate. Our SSL certificate is a wildcard certificate which is why we have given its name *.demo.com and RootCA certificate with the name fabrikam.com

·       openssl req -x509 -newkey rsa:4096 -keyout fabrikam.key -out fabrikam.crt -days 365 -nodes

·       openssl pkcs12 -export -in fabrikam.crt -inkey fabrikam.key -out fabrikam.pfx

·       openssl req -newkey rsa:4096 -out demo.csr -keyout demo.key -nodes

·       openssl x509 -req -in demo.csr -CA fabrikam.crt -CAkey fabrikam.key -CAcreateserial -out demo.crt -days 365

·       openssl pkcs12 -export -in demo.crt -inkey demo.key -out demo.pfx

·       if the password is asked while creating the cert, I have given “password”


      You will 2 certificates one is for Root CA and another SSL certificate is signed by Root CA





     The complete step looks like this below:




C:\Work\study\APIM\demo>openssl req -x509 -newkey rsa:4096 -keyout fabrikam.key -out fabrikam.crt -days 365 -nodes

....+..+.......+...+..+..........+...........+....+.....+......+....+.....+......+.+...........+....+......+.....+....+.....+....+++++++++++++++++++++*..................+..+.......+..+....+..+.............+++++

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:NZ

State or Province Name (full name) [Some-State]:Wellington

Locality Name (eg, city) []:Wellington

Organization Name (eg, company) [Internet Widgits Pty Ltd]:student

Organizational Unit Name (eg, section) []:student

Common Name (e.g. server FQDN or YOUR name) []:fabrikam.com

Email Address []:

 

C:\Work\study\APIM\demo>openssl pkcs12 -export -in fabrikam.crt -inkey fabrikam.key -out fabrikam.pfx

Enter Export Password:

Verifying - Enter Export Password:

 

C:\Work\study\APIM\demo>openssl req -newkey rsa:4096 -out demo.csr -keyout demo.key -nodes

..+.+...+..+++++++++++++++++

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:NZ

State or Province Name (full name) [Some-State]:Wellington

Locality Name (eg, city) []:Wellington

Organization Name (eg, company) [Internet Widgits Pty Ltd]:student

Organizational Unit Name (eg, section) []:student

Common Name (e.g. server FQDN or YOUR name) []:*.demo.com

Email Address []:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:password

An optional company name []:

 

C:\Work\study\APIM\demo>openssl x509 -req -in demo.csr -CA fabrikam.crt -CAkey fabrikam.key -CAcreateserial -out demo.crt -days 365

Certificate request self-signature ok

subject=C = NZ, ST = Wellington, L = Wellington, O = student, OU = student, CN = *.demo.com

 

C:\Work\study\APIM\demo>openssl pkcs12 -export -in demo.crt -inkey demo.key -out demo.pfx

Enter Export Password:

Verifying - Enter Export Password:



    


·       Change the extension of .crt to .cer for the RootCA certificate

·       Below files are created


Step 7: Private DNS ZONE

Create a private DNS with the “demo.com” name. This part is very important in terms of its name because we have created certificates for the same demo.com name. API Manager inside VNET can’t be reachable with private IP so we must create a portal and gateway private DNS so that we can connect to it.


·       Let’s create one for the API gateway and another for the developer portal. We will access them with this FQDN.

o   api.demo.com – API gateway

o   devportal.demo.com – Developer portal


·       Below is one for the developer portal



·       Click on the Virtual Network Link to link apim-vnet with this private DNS Zone

·       Give any name you like, I have given apim-vnet-link



·       Finally, it should look like the below screenshot




Step 8: Update Custom Domain in API Manager

The default custom domain comes with it. We must add 2 custom domains one for the API gateway and another for the developer portal. This domain name must be the same as what we created in the private DNS zone and cert for that from an open SSL script


·       Create one for the Gateway and give “api.demo.com” and upload the certificate in .pfx format. Password is password (you can choose your own)



·       Create one for the Developer Portal and give “devportal.demo.com” and upload the certificate in .pfx format. Password is password

·       Final custom domain, click save again it will take some time



·       Click on the save button, this will take again some time

·       If all is good, then you can see your developer portal and Gateway URL will be changed to the new custom domain


Step 9: Create an API in API Manager and point its backend to the backend VM’s API

·       Click on the API menu and add an API “Internal API”

·       Backend is private IP with API URL

o   http://10.0.0.4/api

·       Add base URL suffix

o   Product.json



·       Add an operation with the below details


·       Click save. Since it is an internal URL and we have given private IP as a backend. Let’s test this from Backend VM.


Step 10: Testing:

·       Login to VM

·       Open “https://devportal.demo.com” URL in the VM browser, you will see that you can reach the developer portal

·       Test the API that we have created (however this API is running in the same VM only, but the request is coming via API Manager)



·       This gives a successful result.

·       This concludes that API Manager is working in internal mode successfully

 

Our next step is to add Application Gateway before the API manager so that we can also reach from the Internet.  Let’s complete that in part 2 here.

No comments:

Post a Comment