Running Self-hosted APIM Gateways in Azure Container Apps with VNet Integration

With Azure Container Apps we can run containerized applications, completely serverless. The platform itself handles all the orchestration needed to dynamically scale based on your set triggers (such as KEDA) and even scale-to-zero!

I have been working a lot with customers recently on using Azure API Management (APIM) and the topic of how we can leverage Azure APIM to manage our internal APIs without having to expose a public IP and stay within compliance from a security standpoint, which leads to the use of a Self-Hosted Gateway. This offers a managed gateway deployed within their network, allowing a unified approach in managing their APIs while keeping all API communication in-network.

The self-hosted gateway is deployed as a container and in this article, we will go through how to provision a self-hosted gateway on Azure Container Apps specifically. I assume there is already an Azure APIM instance provisioned and will dive into creating and configuring the self-hosted gateway on ACA.

Prerequisites

As mentioned, ensure you have an existing Azure API Management instance. We will be using the Azure CLI to configure the container apps in this walkthrough. To run the commands, you need to have the Azure CLI installed on your local machine and ensure you have the necessary permissions in your Azure subscription.

1. Retrieve Gateway Deployment Settings from APIM
   

   First, we need to get the details for our gateway from APIM. Head over to the Azure portal and navigate to your API Management instance.

   -          In the left menu, under Deployment and infrastructure, select Gateways.

   -          Here, you'll find the gateway resource you provisioned. Click on it and go to Deployment.

   -          You'll need to copy the Gateway Token and Configuration endpoint values. (these tell the self-hosted gateway which APIM instance and Gateway to register under)

   
   
2. Create a Container Apps Environment
   

   Next, we need to create a Container Apps environment. This is where we will create the container app in which our self-hosted gateway will be hosted.

   Using Azure CLI:

   • Create our VNet and Subnet for our ACA Environment
     As we want access to our internal APIs, when we create the container apps environment, we need to have the VNet created with a subnet available. Note: If we’re using Workload Profiles (we will in this walkthrough), then we need to delegate the subnet to Microsoft.App/environments.
     
     

     # Create the vnet

     az network vnet create --resource-group rgContosoDemo \
     --name vnet-contoso-demo \
     --location centralUS \
     --address-prefix 10.0.0.0/16

     # Create the subnet

     az network vnet subnet create --resource-group rgContosoDemo \
     --vnet-name vnet-contoso-demo \
     --name infrastructure-subnet \
     --address-prefixes 10.0.0.0/23

     # If you are using a workload profile (we are for this walkthrough) then delegate the subnet

     az network vnet subnet update --resource-group rgContosoDemo \
     --vnet-name vnet-contoso-demo \
     --name infrastructure-subnet \
     --delegations Microsoft.App/environments
     
     

   • Create the Container App Environment in out VNet
     az containerapp env create --name aca-contoso-env \
     --resource-group rgContosoDemo \
     --location centralUS \
     --enable-workload-profiles
     
     
3. Deploy the Self-Hosted Gateway to a Container App
   

   Creating the environment takes about 10 minutes and once complete, then comes the fun part—deploying the self-hosted gateway container image to a container app.

   Using Azure CLI:

   •  Create the Container App:

     az containerapp create --name aca-apim-demo-gateway \
     --resource-group rgContosoDemo \
     --environment aca-contoso-env \
     --workload-profile-name "Consumption" \
     --image "mcr.microsoft.com/azure-api-management/gateway:2.5.0" \
     --target-port 8080 \
     --ingress 'external' \
     ---env-vars "config.service.endpoint"="<YOUR_ENDPOINT>" "config.service.auth"="<YOUR_TOKEN>" "net.server.http.forwarded.proto.enabled"="true"

     Here, you'll replace <YOUR_ENDPOINT> and <YOUR_TOKEN> with the values you copied earlier. 

   • Configure Ingress for the Container App:

     az containerapp ingress enable --name aca-apim-demo-gateway --resource-group rgContosoDemo --type external --target-port 8080

     This command ensures that your container app is accessible externally.

     
     
4. Verify the Deployment
   

   Finally, let's make sure everything is running smoothly. Navigate to the Azure portal and go to your Container Apps environment. Select the container app you created (aca-apim-demo-gateway) and navigate to Replicas to verify that it's running. You can use the status endpoint of the self-hosted gateway to determine if your gateway is running as well:

   curl -i https://aca-apim-demo-gateway.sillytreats-abcd1234.centralus.azurecontainerapps.io/status-012345678990abcdef

   
   
5. Verify Gateway Health in APIM
   You can navigate in the Azure Portal to APIM and verify the gateway is showing up as healthy. Navigate to Deployment and Infrastructure, select Gateways then choose your Gateway. On the Overview page you’ll see the status of your gateway deployment.
   

And that’s it! You've successfully deployed an Azure APIM self-hosted gateway in Azure Container Apps with VNet integration allowing access to your internal APIs with easy management from the APIM portal in Azure. This setup allows you to manage your APIs efficiently while leveraging the scalability and flexibility of Azure Container Apps.

If you have any questions or need further assistance, feel free to ask. How are you feeling about this setup? Does it make sense, or is there anything you'd like to dive deeper into?