Azure API Management service with external virtual network to Docker

I want to use the Azure API Management Service (AMS) to expose the API created with R/Plumber, which is hosted in a Docker container and runs on an Ubuntu machine.

Scenario
With `R/Plumber` I created some APIs that I want to protect. Then, I created a virtual machine on Azure with Ubuntu and installed Docker. The APIs are in a container that I published on the virtual machine by Docker. I can access them via internet.

On Azure I created an API Management service and added the APIs from the Swagger OpenAPI documentation.

Problem
I want to secure the APIs. I want to expose to the internet only the AMS. Then, my idea was to remove the public IP from the virtual machine and via a virtual network using the internal IPs to connect the API Management Service to the API with the internal IP (http://10.0.1.5:8000).

So, I tried to set a Virtual Network. Clicked on the menu, then External and then on the row, I can select a network. In this virtual network, I have one `network interface` that is the one the virtual machine is using.

When I save the changes, I have to wait a while and then I receive an error:

Failed to connect to management endpoint at azuks-chi-testapi-d1.management.azure-api.net:3443 for a service deployed in a virtual network. Make sure to follow guidance at https://aka.ms/apim-vnet-common-issues.

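I read the following documentation but I can't understand how to do what I wanted:

- Azure API Management - External Type: gateway unable to access resources within the virtual network? (https://stackoverflow.com/questions/65060005/azure-api-management-external-type-gateway-unable-to-access-resources-within)
- How to use Azure API Management with virtual networks (https://docs.microsoft.com/en-gb/azure/api-management/api-management-using-with-vnet#-common-network-configuration-issues)
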
Also, I tried to add more Address space in the Virtual network.

One of them (10.0.0.2/24) is delegated for the API Management.

Then, in the Network security group I added the port 3443.

From the API manager I can't reach the server with the internet IP (10.0.2.5).

Is there any how-to to use? Any advice? What am I doing wrong?

0 Replies