When API Management is with internal Virtual Network, the connection to this API Management will be blocked from outside. To be able to call the API or visit the developer portal of such API Management, Application Gateway will be a good choice for you.
By using Application Gateway, the request sent to API Management will be automatically routed. And the Application Gateway can also help user to monitor whether the API Management is still in a healthy status.
Pre-requirements:
Before starting, you must setup the environment at first.
To set up a local development environment, you need to have:
$cert = New-SelfSignedCertificate -DnsName management.minalinsky.top -CertStoreLocation "D:\" -KeyLength 2048 -KeySpec "KeyExchange"
$password = ConvertTo-SecureString -String "your-password" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath ".\management.pfx" -Password $password
Export-Certificate -Type CERT -Cert $cert -FilePath .\management.cer
Some points to explain before starting:
Steps to implement:
Once you are done with the above preparations, you can follow these steps to link the API Management with Application Gateway. Please remember that if you want to be able to visit the new developer portal of the API Management, you’ll also need to enable the new developer portal endpoint and management endpoint at the same time. This is due to the design of the new developer portal. (In this example, we’re using HTTPS protocol because the HTTP protocol setting is almost the same only without some certificate configuration.)
4. Then, create one Health probe for each API Management endpoint which you want to visit. Put your own custom domain name in the Host part, fill the Path part as following table and configure the other configuration as you want. The detailed information about how Application Gateway health probe is working can be found in our official document.
The following is an example health probe of legacy developer portal endpoint.
In Additional settings, choose Multi site as listener type and input your own custom domain URL configured in API Management.
The detailed information about how Application Gateway listener is working can be found in our official document.
Here is an example listener configuration of legacy developer portal endpoint.
6. It’s time to configure the most important thing, the HTTP settings. In Application Gateway, you’ll also need to create one HTTP setting for each endpoint of API Management. For HTTPS protocol, you’ll be asked to upload the certificate again as the previous step. But here, please upload the certificate used in the custom domain configuration of API Management of the Default SSL Binding one. For the HTTP settings of all endpoints, the uploaded and used certificate will be always the same one!
In the Host name part, select Override with specific domain name and input your own custom domain. Then select the health probe which you created in step 4 for Custom probe option.
Here is an example HTTP setting of the gateway endpoint.
About how the HTTP setting is working in Application Gateway, we can learn more from here.
7. When you’ve finished above steps, you need to create one Rule in Application Gateway for each API Management endpoint. It’s quite easy. You only need to select the created Listener, Backend pool and HTTP setting together.
Here is an example rule of my new developer portal endpoint:
8. Here we need to take a break and check whether the previous steps are good. If everything is going well, when we click the Backend Health blade in Azure Portal, we’ll be able to see that the backend server is healthy as:
9. Finally, the last step is to make a CNAME record in your own domain DNS setting. In the overview page of Application Gateway, you’ll be able to find a domain name like somethinglikeid.cloudapp.net. Please create a CNAME record of the custom domain which you configured in API Management custom domain part and in Application Gateway to this domain name ending with cloudapp.net. Once it’s active, we should be able to visit our API Management from outside of Virtual Network.
Here is the example DNS setting:
Common problems when using Application Gateway with API Management:
When you use the Application Gateway with API Management, you maybe will meet some common issues like being unable to visit developer portal or the request sent to API Management or developer portal returns error code such as 502, 503 etc. Here is a summary of the common problems and possible solution. If this cannot resolve the issue, please create support ticket and our technical support engineer will be glad to assist.
For this scenario, there are 4 possible common reasons:
a. The backend health status is not healthy in Application Gateway Backend Health page (step 8 in previous part).
Solution:
1. Check the Network Security Group configuration to make sure that all necessary ports are open.
2. Create a Virtual Machine in the same Virtual Network and visit the developer portal or call API from Virtual Machine to verify the API Management corresponding endpoint is healthy.
b. The certificate uploaded in HTTP settings in Application Gateway doesn’t match the certificate used in the custom domain configuration in API Management.
Solution:
Upload the correct matching certificate in HTTP settings in Application Gateway. (Step 6 in previous part)
c. The timeout setting of HTTP settings in Application Gateway is too short.
Solution:
Reset the timeout setting of HTTP settings in Application Gateway (Step 6 in previous part)
d. The certificate used in Application Gateway or API Management expires.
Solution:
Update both the timeout setting in API Management and Application Gateway
2. When trying to call API or visit developer portal, 503 error code is returned.
For this scenario, there is 1 possible common reason:
The custom domain name used in Application Gateway configuration and API Management custom domain configuration doesn’t match.
Solution:
Reconfigure the setting to make sure that the 2 custom domain names are the same one.
3. When trying to visit new developer portal from Azure Portal “Overview” blade, the developer portal doesn’t open and show following message:
Unable to start the portal
Check if the settings specified in the configuration file config.design.json are correct or refer to the frequently asked questions
For this scenario, there is 1 possible common reason but we need one more step to verify whether it’s this situation:
Follow this document to capture the browser trace when opening developer portal and check whether there is a failed call to https://<management-endpoint-hostman>/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ApiManagement/service/xxx/contentTypes/document/contentItems/configuration?api-version=2018-06-01-preview
If it’s true that there is such a failed call, then the reason is that user only enables the new developer portal endpoint in Application Gateway but doesn’t enable the management endpoint.
Solution:
Follow this blog to enable the management endpoint in Application Gateway.
4. When trying to visit new developer portal, the developer portal doesn’t open and show following message:
Oops, something went wrong.
We are unable to complete your operation this time. Please try again later.
For this scenario, there is 1 possible common reason but we need one more step to verify whether it’s this situation:
Follow this document to capture the browser trace when opening developer portal and check whether there is a failed call to https://<management-endpoint-hostman>/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ApiManagement/service/xxx/contentTypes/document/contentItems?$orderby=en_us/title&$filter=en_us/permalink%20eq%20%27/%27&api-version=2018-06-01-preview with 403 error code
If it’s true that there is such a failed call, then the reason is that the Application Gateway Web Application Firewall is enabled in Prevention mode and this WAF blocked the requests.
Solution:
Change the configuration of Application Gateway WAF to disable the following rules:
1. For administrative mode of developer portal:
920330, 9331130, 942100, 942110, 942180, 942200, 942260, 942370, 949110, 980130
2. For published portal:
942200, 942260, 942370, 942430, 942440
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.