Joe Gurria Celimendiz

Reputation: 480

How to protect a web API in an APIM instance in an external mode VNet and access the web API through APIM only from the internet

I’m trying to protect a web API that is published to an API Management instance that sits in a subnet with NSG inbound rules in a VNet, using Visual Studio 2022. I need help defining the network elements and connecting them together so that I can call the web API from the internet, but only through API Management. I don’t want the web API to be reachable directly from the internet. I have followed the steps below, using Microsoft’s documentation at https://learn.microsoft.com/en-gb/azure/api-management/virtual-network-concepts?tabs=stv2 as a reference.

  1. Create a .NET Core web API.
  2. Publish the .NET Core web API to the API Management instance.
  3. Assign the web API to the API Management instance in Azure when publishing with the wizard. The VNet and subnet are created automatically by the wizard.
  4. Create NSG inbound rules for the API Management subnet. I created an inbound rule with a service tag to allow the internet to reach the VNet on port 80.
  5. In the web API I created an access restriction to allow traffic with the API Manager service tag from the same region as API Manager.
  6. In subnet-1 I created service endpoint policies to allow traffic to specific Azure resources from my virtual network over service endpoints, for the Microsoft.Web service endpoint.

After creating this access restriction in the API, I’m no longer able to reach the API, either from API Manager or directly from the internet.

  1. API Manager is in a virtual network named vnet01 and a subnet named subnet-1.

  2. I created a public IP address.

  3. In the API Management service, in the Virtual Networks blade in the left menu, I select the VNet named vnet01, the subnet named subnet-1 and the public IP address.

Then I get the following error:

Failed to scale API Management service. API Management service stv2 platform deployment into /subscriptions/4ddc-9f81-3f4bb28b6579/resourcegroups/sogeti/providers/microsoft.network/virtualnetworks/vnet01/subnets/subnet-1 is not supported, as it already contains API Management service(s) with stv1 platform in it as suggested by presence of /subscriptions/3dadbf93- 3f4bb28b6579/resourceGroups/Sogeti/providers/Microsoft.Network/virtualNetworks/vnet01/subnets/subnet-1/resourceNavigationLinks/9ajlnOOH. Please select a different subnet and try again. Refer to https://aka.ms/apim-infrastructure for definition of stv1 vs stv2.

Could somebody please let me know what I’m doing wrong? My final objective is to have the API reachable only through API Management.

Upvotes: 0

Views: 706

Answers (1)

Joe Gurria Celimendiz

Reputation: 480

I was able to resolve the issue by creating an access restriction (Networking menu on the left) for the web API that allowed access from the API Manager's VNet/subnet. So I am able to call the API through the API Management instance but not directly from the internet.

Upvotes: 0
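The configuration the accepted answer describes, scripted with the Azure CLI as an added example (this is not the asker's own code or Microsoft's sample). It assumes a resource group `sogeti`, VNet `vnet01`, subnet `subnet-1`, an NSG named `apim-nsg` attached to that subnet and an App Service web API named `my-web-api`; all of these names are placeholders. It goes a little beyond the post: the NSG rules include the management-endpoint (3443, `ApiManagement` tag) and load-balancer (6390, `AzureLoadBalancer` tag) rules that an stv2 external-mode APIM subnet requires, and the App Service rule is a virtual-network rule, which only works once the `Microsoft.Web` service endpoint is enabled on the APIM subnet (the asker's step 6). Set `AZ=echo` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: restrict an App Service web API so it is reachable only
# through an API Management instance deployed in external VNet mode.
# Resource names are assumptions; override them through the environment.
# Usage:  ./lock-api-behind-apim.sh apply        (runs the az commands)
#         AZ=echo ./lock-api-behind-apim.sh apply  (dry run, prints them)
set -eu

AZ="${AZ:-az}"                 # set AZ=echo to dry-run
RG="${RG:-sogeti}"             # assumed resource group
VNET="${VNET:-vnet01}"         # assumed VNet holding the APIM subnet
SUBNET="${SUBNET:-subnet-1}"   # assumed APIM subnet
NSG="${NSG:-apim-nsg}"         # assumed NSG attached to that subnet
WEBAPP="${WEBAPP:-my-web-api}" # assumed App Service hosting the web API

# One inbound Allow rule on the APIM subnet's NSG.
nsg_rule() {
  name="$1"; priority="$2"; source="$3"; port="$4"
  "$AZ" network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name "$name" --priority "$priority" --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$source" --source-port-ranges '*' \
    --destination-address-prefixes VirtualNetwork --destination-port-ranges "$port"
}

# Inbound rules an stv2 external-mode APIM subnet needs:
#  443  from Internet          - client calls to the gateway (HTTPS, not 80)
#  3443 from ApiManagement tag - management endpoint, required by the platform
#  6390 from AzureLoadBalancer - infrastructure load balancer, required
configure_nsg() {
  nsg_rule AllowClientHttps 100 Internet 443
  nsg_rule AllowApimManagement 110 ApiManagement 3443
  nsg_rule AllowAzureLoadBalancer 120 AzureLoadBalancer 6390
}

# A virtual-network access restriction on App Service only works when the
# source subnet has the Microsoft.Web service endpoint enabled.
enable_web_service_endpoint() {
  "$AZ" network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --service-endpoints Microsoft.Web
}

# Allow only the APIM subnet. As soon as one Allow rule exists, App Service
# applies an implicit Deny-all to every other source, so direct calls from
# the internet to the web API's hostname are rejected with 403.
restrict_webapp_to_apim_subnet() {
  "$AZ" webapp config access-restriction add --resource-group "$RG" \
    --name "$WEBAPP" --rule-name AllowApimSubnet --action Allow --priority 100 \
    --vnet-name "$VNET" --subnet "$SUBNET"
}

main() {
  configure_nsg
  enable_web_service_endpoint
  restrict_webapp_to_apim_subnet
}

# Run only when invoked with "apply", so the file can be sourced safely.
if [ "${1:-}" = "apply" ]; then main; fi
```

After applying, verify from outside Azure that `curl -i https://<apim-host>/<api-path>` succeeds while `curl -i https://<webapp-host>/<api-path>` returns 403; if the APIM call also fails, check that the APIM instance really sits in the subnet named in the rule, since the access restriction matches on the source subnet, not on a service tag.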
