Integrate API Management Service with Application Insights availability tests
Published Mar 13 2023 12:26 AM
Microsoft

Background Introduction

 

Azure Application Insights is a powerful tool for monitoring the performance and availability of your applications. It sends web requests to your application at regular intervals from Application Insights servers around the world and can alert you if your application isn't responding or responds too slowly. Because it is a useful way to check a server's availability, some users integrate the availability test feature of Application Insights with the API Management service.

 

Because the Application Insights servers are on the public network, the API Management endpoints must be accessible from the public internet. This is a challenge when integrating with an API Management service (APIM) deployed in an internal virtual network (VNet): all of the service's endpoints are inside the VNet and are not accessible from the public internet. To enable the availability test for the APIM service, we need to establish a network connection between the APIM endpoint in the VNet and the Application Insights servers on the public internet.

 

This blog shows how to integrate Azure Application Insights availability tests with an API Management service deployed in an internal VNet.

 

Solutions

 

Solution 1: Test availability of the APIM's management endpoint by custom domain and external DNS server.

Solution 2: Test availability of all the APIM's endpoints by the Application Gateway.

 

 

Solution 1: Test availability on the APIM's management endpoint by custom domain and external DNS server.

 

Underlying Mechanism

Since the Application Insights servers are deployed on the public internet, the API Management service has to be reachable by public traffic. However, what if the APIM is deployed in an internal VNet?

 

Let's start with why the APIM in the internal VNet is inaccessible from the public internet. Here are three reasons.

 

  1. For an APIM deployed in an internal VNet, the host names of the APIM are not resolvable by public DNS because no DNS record is registered.
  2. All custom requests made to the APIM instances will be rejected by the network security group (NSG) rules.
  3. For an APIM in an internal VNet, public incoming traffic is rejected because APIM's standard HTTP/HTTPS ports 80/443 are disabled for public traffic.

 

So how can we create a connection from the public internet to an APIM service in an internal VNet without using an application gateway? Here is the approach.

 

So that the API Management resource provider can reach each resource and confirm that the service is responsive, the load balancer in front of the APIM instances by default leaves a back door open for the resource provider: port 3443, which is reachable from the public network. The resource provider can therefore connect to the management endpoint of an internal VNet mode APIM from the public network through port 3443. In other words, a connection from the public internet to the public IP of the APIM on port 3443 is accepted, and it is intended to be reserved for the APIM resource provider. This is the path we can take advantage of to build the connection between Application Insights and APIM.

 

The concept is clearer now. Then, how do we overcome the aforementioned constraints?

 

To begin, we can set up a custom domain for the APIM’s management endpoint and add an A record to the external DNS server so that the custom domain resolves to the APIM's public IP address from the internet. Next, we open port 3443 to the public internet by configuring the NSG rules. With these two steps, the APIM's management endpoint is reachable by the public Application Insights servers, and the availability test can be configured.

 

Prerequisites

  • An API Management instance.
  • A custom domain with its TLS certificate which is owned by you or your organization. This article does not provide instructions on how to procure a custom domain name.

 

Configuration Guidance

 

Step 1: Set up a custom domain for APIM management endpoint and resolve it to APIM’s public IP.

Here, let's take the custom domain 'mgt.jiayiwu.net' as an example.

 

a. Configure the custom domain for the management endpoint in the API Management service. Refer to: Configure custom domain name for Azure API Management instance - Azure API Management | Microsoft Le...

 

Here is a configuration of 'mgt.jiayiwu.net' for your reference:

[Screenshot: custom domain configuration for the management endpoint 'mgt.jiayiwu.net']

 

 

b. Create a DNS record for the API Management service's public IP.

[Screenshot: DNS record for the API Management service's public IP]

 

You will find the public IP of the API Management service on the overview page, as below:

[Screenshot: public IP address on the API Management overview page]

 

 

Step 2: Expose the port 3443 of the virtual network to the public internet.

In this step, we need to configure the NSG rules that are associated with the subnet of the API Management service, as below.

[Screenshot: NSG rule configuration for port 3443]

 

Tip: If you want to limit the clients that can access the management endpoint, you can expose port 3443 only to the ‘ApplicationInsightsAvailability’ service tag, as above. For more details about service tags, see the official document: Azure service tags overview | Microsoft Learn
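
One way to check the Step 2 rules before and after the change, as an added example that is not part of the original post: it evaluates a set of NSG rules in priority order and reports whether port 3443 is open to the whole internet, limited to the availability-test service tag, or blocked for the probes by a higher-priority deny. The rule dictionaries use the JSON keys printed by `az network nsg rule list`; the rule names, priorities and the three rule sets are constructed, and service tags are compared by name only, not resolved to IP ranges.

```python
# Added example: rule dicts use the JSON keys of `az network nsg rule list`; data is constructed.
MGMT_PORT = 3443
PROBE_TAG = "ApplicationInsightsAvailability"  # service tag named in the tip
ANY_SOURCE = {"*", "0.0.0.0/0"}

def _values(rule, single, plural):
    """A rule stores one value or a list; return both as one list."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _covers(spec, port):
    """True if a port spec such as '*', '3443' or '3000-4000' includes port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def effective_access(rules, source_tags, port=MGMT_PORT):
    """NSG semantics: the matching rule with the lowest priority number decides."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != "Inbound" or r["protocol"] not in ("Tcp", "*"):
            continue
        ports = _values(r, "destinationPortRange", "destinationPortRanges")
        srcs = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
        if any(_covers(p, port) for p in ports) and any(
                s in ANY_SOURCE or s in source_tags for s in srcs):
            return r["access"], r["name"]
    return "Deny", "DenyAllInBound"  # Azure default rule for internet sources

def audit(rules):
    internet = effective_access(rules, {"Internet"})
    # Probe addresses are public, so rules written for 'Internet' match them too.
    probe = effective_access(rules, {PROBE_TAG, "Internet"})
    if internet[0] == "Allow":
        return "open-to-internet", internet[1]
    if probe[0] == "Allow":
        return "restricted-to-probes", probe[1]
    return "probes-blocked", probe[1]

def rule(name, priority, access, source, ports):
    return dict(name=name, priority=priority, direction="Inbound", access=access,
                protocol="Tcp", sourceAddressPrefix=source, destinationPortRanges=ports)

TIGHT = [rule("AllowApimMgmt", 100, "Allow", "ApiManagement", ["3443"]),
         rule("AllowProbes", 110, "Allow", PROBE_TAG, ["3443"])]
LOOSE = [rule("AllowMgmtAny", 100, "Allow", "*", ["443", "3000-4000"])]
SHADOWED = [rule("DenyInternet3443", 100, "Deny", "Internet", ["3443"]),
            rule("AllowProbes", 200, "Allow", PROBE_TAG, ["3443"])]
for name, rules in (("tight", TIGHT), ("loose", LOOSE), ("shadowed", SHADOWED)):
    print(name, audit(rules))
```

The "shadowed" set shows why rule order matters: a deny for the Internet tag at a lower priority number also stops the availability probes, so the test would report the endpoint as down even though an allow rule for the service tag exists.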

 

Step 3: Create availability test.

So far, everything is ready for the management endpoint. Let’s create an availability test.

 

In the Azure portal, navigate to your Application Insights instance.

  1. Under Investigate, select Availability.
  2. Select Add Classic Test.
  3. Fill in the Test name, select the SKU as URL ping, and input your custom domain. Don't forget to specify the port: adding ':3443' after the custom domain.

     

    Hint: Because an external A record cannot specify a port, traffic goes to port 443 for HTTPS and port 80 for HTTP by default. However, the only publicly accessible port is 3443, so the port must be specified when creating the availability test.

  4. Clear the 'HTTP response' checkbox.

  Hint: Because the management endpoint is designed for the resource provider, users cannot customize its response to their requirements. Only the HTTP/HTTPS connection can therefore be checked for availability, which corresponds to the ‘URL ping’ test. For more information about the other test types, see https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview#types-of-tests.

 

Below is an example for the management endpoint ‘mgt.jiayiwu.net’ as reference:

[Screenshot: availability test settings for the management endpoint 'mgt.jiayiwu.net']

 

So far, we've created a classic availability test for the management endpoint of an API Management service in an internal VNet. But what if the proxy endpoint or developer portal endpoint also needs an availability test? In that case, integration with Azure Application Gateway is the recommended solution.

 

 

Solution 2: Expose the APIM's gateway or management endpoint by the Application Gateway

 

Prerequisites

  • An API Management instance with the application gateway integration.

 

This article does not cover how to set up the integration. For guidance, please follow the blogs: APIM with Application Gateway v1 - Microsoft Community Hub for Application Gateway V1, and Integrating API Management with App Gateway V2 - Microsoft Community Hub for Application Gateway V2.

 

Configuration Guidance

As mentioned in the prerequisites, after the API Management service is integrated with the Application Gateway, all the APIM endpoints are exposed to the public network and ready to be visited by public users. In this section, I'll go through how to set up the Application Insights availability test.

 

Since all the endpoints can be tested for availability and performance, feel free to customize the tests to your own requirements. Below, I will provide several examples for your reference.

 

1. Test the status of the gateway endpoint by ‘URL ping’.

    The URL ‘<gateway endpoint custom domain>/status-0123456789abcdef’ will reply to the client with a 200 response by default.

 

    Take ‘gateway.jiayiwu.info’ as an example. ‘gateway.jiayiwu.info’ is the custom domain of the APIM’s gateway endpoint.

[Screenshot: URL ping test for the gateway endpoint 'gateway.jiayiwu.info']

 

2. Test the APIs in the API Management service by 'Standard Test'.

    Since the gateway endpoint also serves the various APIs, suppose there is an API with a GET operation that responds 200 OK by design. The gateway endpoint can then also be tested by sending a simple GET request to that operation and expecting a 200 response. Create a Standard Test and specify GET as the HTTP method, as below.

 

[Screenshot: Standard Test configured with the GET method]

 

 

Tip: Since the HTTP method, URL, and expected response code can be defined in the standard test, you can also create availability tests for other APIs and specify their expected responses.

 

Notice:

In solution 2, if you want to restrict access to the Application Gateway, you may use the Application Gateway V2 WAF version and configure your own WAF rule.

 

Feel free to explore more features provided by the Application Insights availability test.

 

Last update: Mar 12 2023 10:25 PM