Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,951 questions
Hello @Nikolai - I'll review and update you here.
Azure API Management - Vnet External mode - Gateway URL & Portal not reachable from internet, required FW openings?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 27%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Nikolai
11
Reputation points
I'm setting up API Management in Vnet, external mode.
For internal mode you can setup Application Gateway to expose selected internal API's to external users. and the documentation goes in much more depth on how to do this compared to external mode. There are also plenty of guides on the internet using internal mode.
So how does this work with External mode? Right now the Gateway URL and Developer portal is getting blocked in the firewall (hub-spoke architecture)
The URL is inaccessible from both Internet and from within the network, as the gateway URL in external mode is on the publicly faced LB.
If I route the traffic outside the FW (route-table) it works fine with NSG using required inbound rules (Internet-tag) and default outbound.
So to my question: Am I supposed to allow outbound traffic from the vnet to Internet in FW/route-table as well so the gateway & portal is reachable by anyone?
Is that the whole point of using external mode?
In this thread a Microsoft representative says it's the Public IP of APIM that should be whitelisted in the FW, which also is nowhere to be found in the documentation
Thanks in advance, any info on this is appreciated
1 answer
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 87%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMU%3C/text%3E%3C/svg%3E)
Mike Urnun 9,786 Reputation points Microsoft Employee2020-09-03T15:47:54.517+00:00 -
Nikolai 11 Reputation points
2020-09-06T12:18:40.507+00:00 Hello, thanks. Do add to this:
Setting a route in a route table from the subnet with 0.0.0.0/0 -> Internet solves the issue obviously, but surely that can't be the recommended approach considering security? You can also add a 10.0.0.0/8 -> Firewall so all internal traffic goes there, while the rest goes to the internet with the route above.
I just really doubt that would get approved by the security team.
A second approach would be to set up Application Gateway, but the documentation only mentions this in Internal vnet mode. Every question I see asked on forums is also about internal vnet. All guides I find are about internal vnet.
So in a scenario where the Developer Portal should be accessible on the internet I'm failing to see the need for External mode when Internal can do exactly the same thing, where the App Gateway provides more security?
-
Mike Urnun 9,786 Reputation points Microsoft Employee
2020-09-17T19:21:51.917+00:00 Hi @Nikolai - Sorry for the delay in response. If you have general security concerns and a need for best practices for security requirements, could you review the following whitepaper on the topic? https://github.com/Microsoft/HighSecurityAPIM
I'll post a more elaborative answer to your query soon :)
Sign in to comment -