From c578bede5d77681430795e6fc5113eb7dba78eb8 Mon Sep 17 00:00:00 2001 From: Samir Solanki Date: Tue, 13 Jun 2017 10:02:21 -0700 Subject: [PATCH 1/4] Update integration document with non-existent backend as Default Backend --- ...owto-integrate-internal-vnet-appgateway.md | 43 +++++++++++++++---- 1 file changed, 35 insertions(+), 8 deletions(-) diff --git a/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md b/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md index 0ce7647463140..d801b283af289 100644 --- a/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md +++ b/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md 
@@ -254,19 +254,46 @@ $apimProxyBackendPool = New-AzureRmApplicationGatewayBackendAddressPool -Name "a ``` ### Step 10 + +Now we will create settings for dummy backend, which does not exist. Requests to api paths which we do not want to expose from API Management via Application Gateway will hit this backend and return 404. + +Configure HTTP settings for dummy backend. + +```powershell +$dummyBackendSetting = New-AzureRmApplicationGatewayBackendHttpSettings -Name "dummySetting01" -Port 80 -Protocol Http -CookieBasedAffinity Disabled +``` + +Configure a dummy backend **dummyBackendPool** which points to a Fqdn address **dummybackend.com**. This Fqdn address does not exist in the virtual network. + +```powershell +$dummyBackendPool = New-AzureRmApplicationGatewayBackendAddressPool -Name "dummyBackendPool" -BackendFqdns "dummybackend.com" +``` + +Create a rule setting for the Application Gateway to use by default which points to the nonexistent backend **dummybackend.com** in the virtual Network + +```powershell +$dummyPathRule = New-AzureRmApplicationGatewayPathRuleConfig -Name "nonexistentapis" -Paths "/*" -BackendAddressPool $dummyBackendPool -BackendHttpSettings $dummyBackendSetting +``` + +### Step 11 + Configure URL rule paths for the back-end pools. This enables selecting only some of the APIs from API Management for being exposed to the public. (e.g. if there are `Echo API` (/echo/), `Calculator API` (/calc/) etc. make only `Echo API` accessible from Internet). The following example creates a simple rule for the "/echo/" path routing traffic to the back-end "apimProxyBackendPool". 
```powershell $echoapiRule = New-AzureRmApplicationGatewayPathRuleConfig -Name "externalapis" -Paths "/echo/*" -BackendAddressPool $apimProxyBackendPool -BackendHttpSettings $apimPoolSetting +``` -$urlPathMap = New-AzureRmApplicationGatewayUrlPathMapConfig -Name "urlpathmap" -PathRules $echoapiRule -DefaultBackendAddressPool $apimProxyBackendPool -DefaultBackendHttpSettings $apimPoolSetting +If the path doesn't match the path rules we want to enable from API Management, the rule path map configuration also configures a default back-end address pool **dummyBackendPool**. For example, http://api.contoso.net/calc/* will go to **dummyBackendPool** as it is defined as the default pool for un-matched traffic. + +```powershell +$urlPathMap = New-AzureRmApplicationGatewayUrlPathMapConfig -Name "urlpathmap" -PathRules $echoapiRule, $dummyPathRule -DefaultBackendAddressPool $dummyBackendPool -DefaultBackendHttpSettings $dummyBackendSetting ``` The above step ensures that only requests for the path "/echo" are allowed through the Application Gateway. Requests to other APIs configured in API Management will throw 404 errors from Application Gateway when accessed from the Internet. -### Step 11 +### Step 12 Create a rule setting for the Application Gateway to use URL path-based routing. @@ -274,7 +301,7 @@ Create a rule setting for the Application Gateway to use URL path-based routing. $rule01 = New-AzureRmApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType PathBasedRouting -HttpListener $listener -UrlPathMap $urlPathMap ``` -### Step 12 +### Step 13 Configure the number of instances and size for the Application Gateway. Here we are using the [WAF SKU](../application-gateway/application-gateway-webapplicationfirewall-overview.md) for increased security of the API Management resource. 
@@ -282,7 +309,7 @@ Configure the number of instances and size for the Application Gateway. Here we $sku = New-AzureRmApplicationGatewaySku -Name "WAF_Medium" -Tier "WAF" -Capacity 2 ``` -### Step 13 +### Step 14 Configure WAF to be in "Prevention" mode. ```powershell @@ -294,7 +321,7 @@ $config = New-AzureRmApplicationGatewayWebApplicationFirewallConfiguration -Enab Create an Application Gateway with all the configuration objects from the preceding steps. ```powershell -$appgw = New-AzureRmApplicationGateway -Name "appgwtest" -ResourceGroupName "apim-appGw-RG" -Location "West US" -BackendAddressPools $apimProxyBackendPool -BackendHttpSettingsCollection $apimPoolSetting -FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 -HttpListeners $listener -UrlPathMaps $urlPathMap -RequestRoutingRules $rule01 -Sku $sku -WebApplicationFirewallConfig $config -SslCertificates $cert -AuthenticationCertificates $authcert -Probes $apimprobe +$appgw = New-AzureRmApplicationGateway -Name $applicationGatewayName -ResourceGroupName $resourceGroupName -Location $location -BackendAddressPools $apimProxyBackendPool, $dummyBackendPool -BackendHttpSettingsCollection $apimPoolSetting, $dummyBackendSetting -FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 -HttpListeners $listener -UrlPathMaps $urlPathMap -RequestRoutingRules $rule01 -Sku $sku -WebApplicationFirewallConfig $config -SslCertificates $cert -AuthenticationCertificates $authcert -Probes $apimprobe ``` ## CNAME the API Management proxy hostname to the public DNS name of the Application Gateway resource 
@@ -314,7 +341,7 @@ Azure API Management configured in a VNET provides a single gateway interface fo * Learn more about Azure Application Gateway * [Application Gateway Overview](../application-gateway/application-gateway-introduction.md) * [Application Gateway Web Application Firewall](../application-gateway/application-gateway-webapplicationfirewall-overview.md) + * [Application Gateway using Path-based Routing](../application-gateway/application-gateway-create-url-route-arm-ps.md) * Learn more about API Management and VNETs - * [Using API Management in VNET](api-management-using-with-vnet.md) - - + * [Using API Management available only within the VNET](api-management-using-with-internal-vnet.md) + * [Using API Management in VNET](api-management-using-with-vnet.md) \ No newline at end of file From bc21e30a09e86dd597168646e828a6a8aa0474ad Mon Sep 17 00:00:00 2001 From: Samir Solanki Date: Tue, 13 Jun 2017 10:16:45 -0700 Subject: [PATCH 2/4] Grammer Fixes --- ...agement-howto-integrate-internal-vnet-appgateway.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md b/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md index d801b283af289..65e72a98051ad 100644 --- a/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md +++ b/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md 
@@ -255,7 +255,7 @@ $apimProxyBackendPool = New-AzureRmApplicationGatewayBackendAddressPool -Name "a ### Step 10 -Now we will create settings for dummy backend, which does not exist. Requests to api paths which we do not want to expose from API Management via Application Gateway will hit this backend and return 404. +Now we create settings for dummy backend, which does not exist. Requests to api paths that we do not want to expose from API Management via Application Gateway will hit this backend and return 404. Configure HTTP settings for dummy backend. @@ -263,13 +263,13 @@ Configure HTTP settings for dummy backend. $dummyBackendSetting = New-AzureRmApplicationGatewayBackendHttpSettings -Name "dummySetting01" -Port 80 -Protocol Http -CookieBasedAffinity Disabled ``` -Configure a dummy backend **dummyBackendPool** which points to a Fqdn address **dummybackend.com**. This Fqdn address does not exist in the virtual network. +Configure a dummy backend **dummyBackendPool**, which points to a Fqdn address **dummybackend.com**. This Fqdn address does not exist in the virtual network. ```powershell $dummyBackendPool = New-AzureRmApplicationGatewayBackendAddressPool -Name "dummyBackendPool" -BackendFqdns "dummybackend.com" ``` -Create a rule setting for the Application Gateway to use by default which points to the nonexistent backend **dummybackend.com** in the virtual Network +Create a rule setting for the Application Gateway to use by default that points to the nonexistent backend **dummybackend.com** in the virtual Network ```powershell $dummyPathRule = New-AzureRmApplicationGatewayPathRuleConfig -Name "nonexistentapis" -Paths "/*" -BackendAddressPool $dummyBackendPool -BackendHttpSettings $dummyBackendSetting 
@@ -277,7 +277,7 @@ $dummyPathRule = New-AzureRmApplicationGatewayPathRuleConfig -Name "nonexistenta ### Step 11 -Configure URL rule paths for the back-end pools. This enables selecting only some of the APIs from API Management for being exposed to the public. (e.g. if there are `Echo API` (/echo/), `Calculator API` (/calc/) etc. make only `Echo API` accessible from Internet). +Configure URL rule paths for the back-end pools. This enables selecting only some of the APIs from API Management for being exposed to the public. (for example, if there are `Echo API` (/echo/), `Calculator API` (/calc/) etc. make only `Echo API` accessible from Internet). The following example creates a simple rule for the "/echo/" path routing traffic to the back-end "apimProxyBackendPool". @@ -285,7 +285,7 @@ The following example creates a simple rule for the "/echo/" path routing traffi $echoapiRule = New-AzureRmApplicationGatewayPathRuleConfig -Name "externalapis" -Paths "/echo/*" -BackendAddressPool $apimProxyBackendPool -BackendHttpSettings $apimPoolSetting ``` -If the path doesn't match the path rules we want to enable from API Management, the rule path map configuration also configures a default back-end address pool **dummyBackendPool**. For example, http://api.contoso.net/calc/* will go to **dummyBackendPool** as it is defined as the default pool for un-matched traffic. +If the path doesn't match the path rules we want to enable from API Management, the rule path map configuration also configures a default back-end address pool **dummyBackendPool**. For example, http://api.contoso.net/calc/* goes to **dummyBackendPool** as it is defined as the default pool for un-matched traffic. ```powershell $urlPathMap = New-AzureRmApplicationGatewayUrlPathMapConfig -Name "urlpathmap" -PathRules $echoapiRule, $dummyPathRule -DefaultBackendAddressPool $dummyBackendPool -DefaultBackendHttpSettings $dummyBackendSetting From 243d6020168bb6e3b6d107c578fe0767f1335676 Mon Sep 17 00:00:00 2001 
From: Samir Solanki Date: Tue, 13 Jun 2017 13:54:33 -0700 Subject: [PATCH 3/4] Grammer fixes based on review comments --- ...ement-howto-integrate-internal-vnet-appgateway.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md b/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md index 65e72a98051ad..c336f599012c1 100644 --- a/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md +++ b/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md 
@@ -255,21 +255,21 @@ $apimProxyBackendPool = New-AzureRmApplicationGatewayBackendAddressPool -Name "a ### Step 10 -Now we create settings for dummy backend, which does not exist. Requests to api paths that we do not want to expose from API Management via Application Gateway will hit this backend and return 404. +Create settings for a dummy (non-existent) backend. Requests to API paths that we do not want to expose from API Management via Application Gateway will hit this backend and return 404. -Configure HTTP settings for dummy backend. +Configure HTTP settings for the dummy backend. ```powershell $dummyBackendSetting = New-AzureRmApplicationGatewayBackendHttpSettings -Name "dummySetting01" -Port 80 -Protocol Http -CookieBasedAffinity Disabled ``` -Configure a dummy backend **dummyBackendPool**, which points to a Fqdn address **dummybackend.com**. This Fqdn address does not exist in the virtual network. +Configure a dummy backend **dummyBackendPool**, which points to a FQDN address **dummybackend.com**. This FQDN address does not exist in the virtual network. ```powershell $dummyBackendPool = New-AzureRmApplicationGatewayBackendAddressPool -Name "dummyBackendPool" -BackendFqdns "dummybackend.com" ``` -Create a rule setting for the Application Gateway to use by default that points to the nonexistent backend **dummybackend.com** in the virtual Network +Create a rule setting that the Application Gateway will use by default which points to the non-existent backend **dummybackend.com** in the Virtual Network. ```powershell $dummyPathRule = New-AzureRmApplicationGatewayPathRuleConfig -Name "nonexistentapis" -Paths "/*" -BackendAddressPool $dummyBackendPool -BackendHttpSettings $dummyBackendSetting 
@@ -277,7 +277,7 @@ $dummyPathRule = New-AzureRmApplicationGatewayPathRuleConfig -Name "nonexistenta ### Step 11 -Configure URL rule paths for the back-end pools. This enables selecting only some of the APIs from API Management for being exposed to the public. (for example, if there are `Echo API` (/echo/), `Calculator API` (/calc/) etc. make only `Echo API` accessible from Internet). +Configure URL rule paths for the back-end pools. This enables selecting only some of the APIs from API Management for being exposed to the public. For example, if there are `Echo API` (/echo/), `Calculator API` (/calc/) etc. make only `Echo API` accessible from Internet). The following example creates a simple rule for the "/echo/" path routing traffic to the back-end "apimProxyBackendPool". @@ -285,7 +285,7 @@ The following example creates a simple rule for the "/echo/" path routing traffi $echoapiRule = New-AzureRmApplicationGatewayPathRuleConfig -Name "externalapis" -Paths "/echo/*" -BackendAddressPool $apimProxyBackendPool -BackendHttpSettings $apimPoolSetting ``` -If the path doesn't match the path rules we want to enable from API Management, the rule path map configuration also configures a default back-end address pool **dummyBackendPool**. For example, http://api.contoso.net/calc/* goes to **dummyBackendPool** as it is defined as the default pool for un-matched traffic. +If the path doesn't match the path rules we want to enable from API Management, the rule path map configuration also configures a default back-end address pool named **dummyBackendPool**. For example, http://api.contoso.net/calc/* goes to **dummyBackendPool** as it is defined as the default pool for un-matched traffic. ```powershell $urlPathMap = New-AzureRmApplicationGatewayUrlPathMapConfig -Name "urlpathmap" -PathRules $echoapiRule, $dummyPathRule -DefaultBackendAddressPool $dummyBackendPool -DefaultBackendHttpSettings $dummyBackendSetting 
From c15995d23a7e7524baf74ea2d23eae84c7f541b0 Mon Sep 17 00:00:00 2001 From: Samir Solanki Date: Wed, 14 Jun 2017 10:51:33 -0700 Subject: [PATCH 4/4] Update message for which certificate to use. --- ...api-management-howto-integrate-internal-vnet-appgateway.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md b/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md index c336f599012c1..3f9f2cf79f70a 100644 --- a/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md +++ b/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md @@ -231,7 +231,7 @@ $apimprobe = New-AzureRmApplicationGatewayProbeConfig -Name "apimproxyprobe" -Pr ### Step 7 -Upload the certificate to be used on the SSL-enabled backend pool resources. +Upload the certificate to be used on the SSL-enabled backend pool resources. This is the same certificate which you provided in Step 4 above. ```powershell $authcert = New-AzureRmApplicationGatewayAuthenticationCertificate -Name "whitelistcert1" -CertificateFile @@ -344,4 +344,4 @@ Azure API Management configured in a VNET provides a single gateway interface fo * [Application Gateway using Path-based Routing](../application-gateway/application-gateway-create-url-route-arm-ps.md) * Learn more about API Management and VNETs * [Using API Management available only within the VNET](api-management-using-with-internal-vnet.md) - * [Using API Management in VNET](api-management-using-with-vnet.md) \ No newline at end of file + * [Using API Management in VNET](api-management-using-with-vnet.md)
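Review bot: In [PATCH 1/4], hunk @@ -254, the new Step 10 points `-BackendFqdns "dummybackend.com"` at a name under a public TLD that this article does not control, and pairs it with `-Port 80 -Protocol Http`. The text only promises that the FQDN does not exist in the virtual network. If the name ever resolves through the DNS the gateway uses, every unmatched API request, headers included, would be forwarded in clear text to that host. Suggest a name that cannot resolve, for example one under the reserved `.invalid` TLD (RFC 2606), and have the sentence state that the name is deliberately unresolvable.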
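Review bot: In [PATCH 1/4], hunk @@ -294, the `New-AzureRmApplicationGateway` call replaces the literals "appgwtest", "apim-appGw-RG" and "West US" with `$applicationGatewayName`, `$resourceGroupName` and `$location`, but no hunk in this series defines those variables. Confirm they are assigned earlier in the article under exactly these names, or add the assignments in this change; otherwise a reader following the steps runs the command with empty values. The substitution is also unrelated to the commit subject and would be easier to review as its own change.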
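Review bot: In [PATCH 2/4], hunk @@ -255, the reworded Step 10 sentence still says unexposed paths "will hit this backend and return 404", yet the backend is described as non-existent, so nothing behind it can produce a 404. State which component returns the error and confirm the status code actually observed when the pool has no reachable member. The Step 11 text ("will throw 404 errors from Application Gateway") should then quote the same code.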
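Review bot: In [PATCH 3/4], hunk @@ -255, the sentence now says the rule is what the gateway "will use by default", but the rule in the context line below it is an ordinary path rule with `-Paths "/*"`, and the default is set separately in Step 11 through `-DefaultBackendAddressPool $dummyBackendPool`. Because "/*" also covers "/echo/*", whether the echo API stays reachable depends on how overlapping path rules are ordered, which the text never states. Either drop `$dummyPathRule` and rely on the default pool alone, or add a sentence explaining the precedence between `$echoapiRule` and `$dummyPathRule`.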
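Review bot: In [PATCH 3/4], hunk @@ -277, the Step 11 edit removes the opening parenthesis ("(for example" becomes "For example") but leaves the closing one after "accessible from Internet)", so the added line ends with an unbalanced ")". Drop the trailing parenthesis, and while on this line add a comma after "etc." and write "from the Internet".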
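Review bot: In [PATCH 4/4], hunk @@ -231, the added sentence "This is the same certificate which you provided in Step 4 above" identifies the certificate only by step number and does not say which file or format `-CertificateFile` expects. Step numbers are fragile here: patch 1 of this series already renumbers Steps 11 to 13. The gateway command in this series also passes both `-SslCertificates $cert` and `-AuthenticationCertificates $authcert`, so a reader needs to know which file belongs to which parameter. Suggest naming the certificate by purpose and stating the expected file type, rather than relying on "Step 4 above".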