Robbie

Posted on • Originally published at github.com

Azure API Management Standard v2 Secure Baseline

Introduction

This reference implementation demonstrates a secure baseline infrastructure architecture for provisioning Azure API Management Standard v2. Specifically, this scenario addresses deploying Azure API Management with a private virtual network for outbound connections and a private endpoint for inbound connections. This allows secure communication between Azure API Management and other services within the same virtual network, as well as secure access to Azure API Management from on-premises networks or other virtual networks.

This is intended to be a starting point for those who want to deploy Azure API Management in a cost-effective and secure manner, following best practices for network isolation and access control.

Limitations

Prerequisites

  • An active Azure subscription.
  • The Owner Azure built-in role or the User Access Administrator and Contributor built-in roles, on a subscription in your Azure account.
  • Azure CLI version 2.61.0 or later.
  • Visual Studio Code installed on one of the supported platforms along with the Bicep extension.
  • An existing Azure Key Vault resource with a valid TLS certificate for the application gateway.
  • An existing Azure DNS Zone or equivalent DNS server for the name resolution of the application gateway.

Architecture

Architecture Diagram

The solution architecture is designed as follows:

  • The Application Gateway handles TLS termination and communicates with API Management over HTTPS.
  • The Application Gateway Listener utilizes an SSL certificate obtained from Azure Key Vault.
  • The Azure WAF Policy associated with the Listener is used to run OWASP rules and custom rules against the incoming request and block malicious requests.
  • The Application Gateway Backend HTTP Settings are configured to invoke API Management via HTTPS on port 443.
  • The Application Gateway Backend Pool and Health Probe are set to call the API Management's status endpoint.
  • API Management is deployed with a dedicated subnet, ensuring that all outbound traffic is routed through the virtual network.
  • A Private Endpoint is created for API Management, allowing secure inbound connections from the Application Gateway.
  • Azure Key Vault is used to securely store the TLS certificate for the Application Gateway.

Message Flow

The following diagram shows the steps for the message flow during deployment and runtime.

Message Flow Diagram

Deployment workflow

  1. A security engineer generates a certificate for the custom domain that the workload uses and saves it in an Azure key vault.

  2. A platform engineer specifies the necessary information in the main.bicepparam Bicep parameters file and deploys the Bicep modules to create the Azure resources. The necessary information includes:

    • A prefix for the Azure resources.
    • A location for the Azure resources.
    • The name and resource group of the existing key vault that holds the TLS certificate for the Application Gateway custom domain.
    • The name of the certificate in the key vault.
  3. The Application Gateway Listener is configured to use the TLS certificate from the key vault. This certificate is used by the custom domain that's associated with the Application Gateway endpoint. The Application Gateway uses a user-assigned managed identity to access the key vault and retrieve the TLS certificate.

  4. A developer can deploy APIs to App Services or other backend services that are secured with a private endpoint.

  5. A developer or platform engineer can then publish those APIs to the API Management instance.

Runtime workflow

  1. The client application calls the backend web application using its hostname and path. The DNS zone that's associated with the custom domain of the Application Gateway Listener uses an A record to resolve the DNS query with the address of the Azure Public IP used by the Frontend IP Configuration of the Application Gateway.

  2. The request is sent to the Azure Public IP used by the Frontend IP Configuration of the Application Gateway.

  3. The Application Gateway performs the following actions:

    • The Application Gateway handles TLS termination and communicates with the backend application over HTTPS.
    • The Azure WAF Policy associated with the Listener is used to run OWASP rules and custom rules against the incoming request and block malicious requests.
    • The Application Gateway Backend HTTP Settings are configured to forward the request to API Management via HTTPS on port 443.
  4. The Application Gateway Backend Pool forwards the request to API Management using its Private Endpoint.

  5. API Management processes the request and forwards it to the corresponding backend web application. The request is sent over a private connection within the virtual network.

Deployment

You can deploy the Bicep modules in the infra folder using the deploy.sh Bash script in the same folder. Specify a value for the following parameters in the deploy.sh script and main.bicepparam parameter files before deploying the Bicep modules.

  • prefix: A prefix for the resource names.
  • apimName: The globally unique name of the API Management instance.
  • apimResourceGroupName: The name of the resource group where the API Management instance will be deployed.
  • location: The Azure region where the resources will be deployed.
  • hostnames: The custom domain name(s) for the Application Gateway instance.

Prior to deployment, ensure you have an Azure Key Vault deployed with the TLS certificate for the Application Gateway and the following parameters set in the main.bicepparam file:

  • keyVaultName: The name of the Key Vault containing the SSL certificate.
  • keyVaultResourceGroupName: The resource group name of the Key Vault.
  • keyVaultCertificateName: The name of the SSL certificate in the Key Vault.

Once you have set the parameters, you can run the deploy.sh script to deploy the Bicep modules.

# Clone the repo
git clone https://github.com/rcoenmans/appgw-apim-std-v2.git

# Change directory to infra
cd appgw-apim-std-v2/infra

# Deploy the infrastructure
./deploy.sh

Once the deployment is complete, you can verify the network configuration of Azure API Management in the Azure portal.

Azure API Management Network Configuration

IMPORTANT
You can only disable public network access for Azure API Management after you have configured a private endpoint for inbound connections.
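Verifying the same configuration from the command line is useful for a pipeline gate or a periodic drift check. The following is an added example, not code from the original repository: it reads the JSON returned by `az apim show --name <apimName> --resource-group <apimResourceGroupName> --output json` and checks the three properties this baseline depends on (public network access disabled, an approved private endpoint for inbound traffic, and virtual network integration for outbound traffic). The two instance documents are constructed for the example; the property names `publicNetworkAccess`, `privateEndpointConnections` and `privateLinkServiceConnectionState` are the ones the CLI surfaces for the Microsoft.ApiManagement/service resource, while the `virtualNetworkType`/`subnetResourceId` check for Standard v2 VNet integration is an assumption to confirm against your own output.

```python
import copy
import json

# Constructed sample in the shape of `az apim show ... --output json`.
# Resource ids and names are invented; nothing here comes from a real tenant.
COMPLIANT = {
    "name": "apim-example",
    "sku": {"name": "StandardV2", "capacity": 1},
    "publicNetworkAccess": "Disabled",
    "virtualNetworkType": "External",
    "virtualNetworkConfiguration": {
        "subnetResourceId": (
            "/subscriptions/00000000-0000-0000-0000-000000000000"
            "/resourceGroups/rg-example/providers/Microsoft.Network"
            "/virtualNetworks/vnet-example/subnets/snet-apim"
        )
    },
    "privateEndpointConnections": [
        {
            "name": "pe-apim",
            "privateLinkServiceConnectionState": {"status": "Approved"},
        }
    ],
}

# Constructed counter-example: a freshly created instance with defaults.
NON_COMPLIANT = {
    "name": "apim-example",
    "sku": {"name": "StandardV2", "capacity": 1},
    "publicNetworkAccess": "Enabled",
    "virtualNetworkType": "None",
    "virtualNetworkConfiguration": None,
    "privateEndpointConnections": None,
}


def parse_cli_output(text):
    """Parse the JSON document printed by `az apim show --output json`."""
    return json.loads(text)


def check_network_baseline(apim):
    """Return a list of finding codes for one API Management instance.

    An empty list means the instance matches the baseline: no public inbound
    path, an approved private endpoint for inbound, and VNet integration for
    outbound. Finding codes are short strings so a pipeline can assert on them.
    """
    findings = []

    # Inbound: public network access must be switched off. The CLI omits the
    # field on older instances, which the service treats as Enabled.
    if apim.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("public-network-access-enabled")

    # Inbound: at least one private endpoint connection must be Approved.
    # A Pending or Rejected connection gives the Application Gateway no
    # usable backend, which is why public access can only be disabled after
    # the private endpoint is in place.
    connections = apim.get("privateEndpointConnections") or []
    approved = []
    for conn in connections:
        state = conn.get("privateLinkServiceConnectionState") or {}
        status = state.get("status")
        if status == "Approved":
            approved.append(conn)
        else:
            findings.append(
                f"private-endpoint-not-approved:{conn.get('name')}:{status}"
            )
    if not approved:
        findings.append("no-approved-private-endpoint")

    # Outbound: Standard v2 VNet integration is assumed to appear as an
    # External virtual network type plus a delegated subnet id.
    vnet_type = apim.get("virtualNetworkType") or "None"
    vnet_config = apim.get("virtualNetworkConfiguration") or {}
    if vnet_type == "None" or not vnet_config.get("subnetResourceId"):
        findings.append("no-vnet-integration-for-outbound")

    return findings


def pending_variant():
    """Constructed variant: private endpoint created but not yet approved."""
    apim = copy.deepcopy(COMPLIANT)
    apim["privateEndpointConnections"][0]["privateLinkServiceConnectionState"] = {
        "status": "Pending"
    }
    return apim


if __name__ == "__main__":
    for label, doc in (("compliant", COMPLIANT),
                       ("defaults", NON_COMPLIANT),
                       ("pending-pe", pending_variant())):
        result = check_network_baseline(parse_cli_output(json.dumps(doc)))
        print(f"{label}: {'OK' if not result else ', '.join(result)}")
```

In a pipeline, pipe the real `az apim show` output into `parse_cli_output` and fail the stage when `check_network_baseline` returns anything; the `pending-pe` case shows why the check reports the unapproved connection by name rather than only the missing-approval summary.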

Cleanup

To delete all the resources created by this deployment, you can delete the resource group where the resources were deployed. You can do this using the Azure CLI with the following command:

az group delete --name <resource-group-name> --yes --no-wait

References
