Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,462 questions
Routing Internet Traffic from Azure Front Door to Azure Firewall(Hub vnet) to APIM External Vnet(Spoke vnet)(Function App is Integrated in APIM). APIM is not connecting via Firewall to Frontend Application(Frontdoor)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 75%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
tamizh
1
Reputation point
Hello,
i am working to build a concept by Hub-Spoke architecture. I am using Azure Front Door as a global service to route incoming requests.
A hub and spoke are deployed and they are configure with each other by VPN Gateway to transport traffic between them(by Gateway Transit=enabled).
Azure Firewall is deployed in Hub and will get the request from Azure Front door and forward the traffic to APIM External Vnet in Spoke.
Backend Application(Function App) is integrated with APIM
Frontend Application(Webapp) using Custom Dns Integrated with Firewall IP. Added as Backend with custom Host in Frontdoor
So Now, Frontend Application Reactjs is running in Frontdoor URL but main question and issue is below:
My question,
- Frontend Reactjs Application should connect with Backend Application(Function App) Which was integrated with Azure APIM . Frontend Reactjs Application is not connecting with Backend Application(i.e APIM) via Azure Firewall Am getting Error like (failed)net::ERR_CONNECTION_TIMED_OUT.
- APIM Subnet NSG- If i provide Source as Internet for 80,443 to Destination as VNet - Working but it should work via Azure Firewall.
- APIM Subnet Routh Table - Firewall Route and exception
]1
Note: i have Tried with External Nirtual Network of APIM , Tried With Frontdoor Service Tag in NSG Also No Luck!
-> Flow Internet Connection Should be like:
Azure Frontdoor ->Azure Firewall ->APIM ->Private Endpoint for Function App(Ingress)
I hope I will get some solutions or suggestions.
Azure API Management
Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
860 questions
Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
782 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,778 questions
{count} votes
-
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator2022-12-29T11:08:24.483+00:00 Hi @tamizh ,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to achieve a network path such that- Internet -> Azure Frontdoor ->Azure Firewall ->APIM ->Private Endpoint for Function App (Ingress)
The logical way to check if this would work is to isolate the set up from bottom to top (or right to left).
- May I ask if your site is working if you directly access it with APIM's endPoint IP?
- Let us know if APIM's endPoint IP is a public IP or a private IP that is integrated into VNet? (this is important)
- You can create a hostfile entry for the domain and try to access the APIM's IP.
If the above works, then we can proceed with checking the DNAT rules on Firewall and adding the Firewall behind an AFD.
Please let us know about the above asks.
Cheers,
Kapil -
tamizh 1 Reputation point
2022-12-29T12:10:54.473+00:00 Hi @KapilAnanth-MSFT ,
Thanks For your Reply kapil.
Before Answering to your qn, Below is actual scenario:
- My Frontend Application is running in Azure App Service , i have configured the Custom DNS with Firewall Public IP. Custom Domain of FE Configured in Frontdoor as Backend.
- Frontend Application is should connected with Backend Application (Azure APIM - External Vnet) via Azure Firewall - This part is not working Getting (failed)net::ERR_CONNECTION_TIMED_OUT.
- When i hit the Frontdoor URL, I can able to access only the Login Page of Application,After Login homepage of Application not showing because Backend is not getting connection properly .Error is (failed)net::ERR_CONNECTION_TIMED_OUT
- Architecture
As Per your question,
- May I ask if your site is working if you directly access it with APIM's endPoint IP? No
- Let us know if APIM's endPoint IP is a public IP or a private IP that is integrated into VNet? (this is important) - External Vnet only i have integrated in APIM so only public IP available. FYI, I have tried internal vnet of APIM getting same error.
- You can create a hostfile entry for the domain and try to access the APIM's IP - Already i have created the record in DNS with Firewall Public IP for frontend application. Same step need to do for APIM Public IP is that required?
Now give ur thoughts or solutions
- My Frontend Application is running in Azure App Service , i have configured the Custom DNS with Firewall Public IP. Custom Domain of FE Configured in Frontdoor as Backend.
-
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator
2022-12-29T13:59:50.267+00:00 Hi @tamizh ,
I take it that you have two applications, one is considered FrontEnd and the other is BackEnd.
We are troubleshooting the BackEnd.Wrt,
Frontend Application is should connected with Backend Application (Azure APIM - External Vnet) via Azure Firewall - This part is not working Getting (failed)net::ERR_CONNECTION_TIMED_OUT.- Did you validate the access to BackEnd before deploying?
- Can this backend be accessed only by your FrondEnd (API calls)? Or this backEnd can be accessed by anyone in Internet by entering the IP of APIM?
- If this can be accessed by anyone from Internet, can you bypass the Azure Firewall and directly access the APIM
- From Internet? (If access is possible)
- From your FrontEnd?
The idea here is to bypass the Azure Firewall and see if this works. If it doesn't work, then the culprit is APIM and not Azure Firewall.
Also, I see you have mapped your custom domain to Firewall IP.
So, to bypass Azure Firewall, I wanted you to create a hostfile mapping the IP to APIM.- If backend can be accessed via Internet, make a hostfile entry and access the APIM - make sure this works as expected before introducing Azure Firewall infront of it
- If backend is only accessible via FrontEnd, then configure the FrontEnd to access the APIM (either by local DNS edit or via APIM IP) and confirm this works without Azure Firewall or AFD in picture.
Cheers,
Kapil -
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator
2022-12-29T14:04:26.033+00:00 Hi @tamizh ,
Also, since the APIM is external facing, it is not a good idea to use Azure Firewall in front of it.
Azure Firewall is designed to protect private NetworksYou can either use Azure App gateway or directly add the APIM behind the Azure Front Door.
In case 1,
You have AppGateway WAF
This can be used to provide any network restrictions and securityIn case 2,
You have AFD WAF
This has more advanced features as compared to AppGw WAFAnyways, feel free to go through my previous comment and let me know if bypassing Azure Firewall helps.
Cheers,
Kapil -
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator
2023-01-11T17:22:58.7833333+00:00 Hi @tamizh
Could you please provide an update on this post?
Kindly let us know if the below helps or you need further assistance on this issue.
Thanks,
Kapil
Sign in to comment
Sign in to answer