Tags: azure-api-management, azure-virtual-network, azure-front-door, azure-nsg

Azure API Management behind a Front Door


I hope somebody can help me to understand this issue and hopefully to solve it.

I have an API Management service in my subscription, and I wanted to try to protect it by putting an Azure Front Door in front of it.

So to achieve this I created an API Management and a Front Door.

Regarding the Front Door configuration I set this:

Frontend/domain:
hostname: frontdoorapim.azurefd.net
Session Affinity: Disabled
WAF: Disabled

BackEndPool:
name: apimbackend
Backend: my-api-management.azure-api.net
Status: Enabled
Path: /
Protocol: HTTPS
Probe: GET
Interval: 30

RoutingRules:
Status: Enabled
Accepted Protocol: HTTP and HTTPS
Frontend/domains: frontdoorapim.azurefd.net
Patterns to match: /*
Route Type: Forward
backend pool: apimbackend
Match Request

With this configuration, I was able to access my API Management gateway URL through the Front Door URL.

So I wanted to restrict access to the direct gateway URL and allow only the Front Door to be able to access it. My first thought was just to create a virtual network and subnet and a network security group.

I created the VNET and the subnet, and configured the security group as follows:

As inbound rule:

Priority: 100
Source: AzureFrontDoor.Frontend
Source Port Range: *
Destination: Any
Destination port: 3443
Protocol: TCP
Action: Allow

Once I saved this, I changed the API Management to internal mode. At this point everything stopped working. The API Management is not reachable anymore, and the Front Door is returning:

Our services aren't available right now
We're working to restore all services as soon as possible. Please check back soon.

Please, if anyone can help me understand how I can configure the Network Security Group to allow access only through the Front Door. App Services have Access Restrictions; I would like to achieve something similar to that, but with my API Management.

Thank you so much for any help you can provide, at this stage I am so frustrated. Please if you need any extra details or screenshot, don't hesitate to let me know.


Solution

  • Yes, you can achieve what you require, i.e., access the APIM resources only through the Azure Front Door URL, by ensuring the steps mentioned below are configured accordingly:

    a) Please ensure that if you are using a public IP address for the APIM, then you will have to disable the certificate name check from the resource explorer (https://resources.azure.com). To do that, navigate to the Azure Front Door resource in Azure Resource Explorer, and change ‘enforceCertificateNameCheck’ to ‘Disabled’.

    b) Ensure that you are entering the value for path in the backend pool health probe as ‘/status-0123456789abcdef’ and the probe method is set to ‘GET’. Also, do ensure that the certificate for HTTPS protocol is valid and complete with correct validation chain.

    c) Ensure that in the rules section for Azure front door, you have allowed all the paths for the frontend domain/endpoint configured and have configured HTTPS only as the forwarding protocol in it.

    d) Once the above has been configured, ensure that you are setting up IP address ACLs for the APIM instance and then restrict the traffic to the specific value of the header 'X-Azure-FDID' sent by Front Door.

    • For that purpose, you will have to create an inbound rule in the network security group to allow port 443 for the service tag ‘AzureFrontDoor.Backend’ on your APIM subnet. Also, allow the incoming traffic from the virtual IP of the host nodes according to Azure platform considerations, i.e., 168.63.129.16 and 169.254.169.254, and allow the necessary inbound rules for APIM deployed in a virtual network according to the documentation link below. Deny all other incoming traffic to the subnet:

    https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet#-common-network-configuration-issues

    Then allow the Azure Front Door backend IPs as given in the link below in the APIM IP restriction policy, and allow the virtualized host IP addresses as stated above.

    https://www.microsoft.com/download/details.aspx?id=56519

    In this way, once the above has been done, you can access the APIM resources only through the Azure Front Door URL. For more detailed information, I would suggest you refer to the link below, which explains the further steps in detail:

    https://techcommunity.microsoft.com/t5/azure-paas-blog/integrate-azure-front-door-with-azure-api-management/ba-p/2654925#:~:text=Azure%20Front%20Door%20needs%20a,accessible%20from%20external%20load%20balancer.
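As an added example (not the answer's own configuration), an APIM inbound policy that implements step d) above: a check-header on X-Azure-FDID plus an ip-filter allow list. `FrontDoorId` is an assumed APIM named value holding the Front Door instance's ID, and the address-range is a placeholder for the published AzureFrontDoor.Backend ranges.

```xml
<!-- Added example, not from the answer above.
     Assumptions: FrontDoorId is a hypothetical APIM named value that holds the
     Front Door instance's ID (the value Front Door sends in X-Azure-FDID).
     The address-range marked PLACEHOLDER must be replaced with the current
     AzureFrontDoor.Backend ranges from the download link in the answer. -->
<policies>
  <inbound>
    <base />
    <!-- Reject any request whose X-Azure-FDID does not match this Front Door
         instance. Front Door sets the header on every request it forwards;
         a request arriving at the gateway directly will fail this check. -->
    <check-header name="X-Azure-FDID" failed-check-httpcode="403"
                  failed-check-error-message="Forbidden: not routed via Front Door"
                  ignore-case="false">
      <value>{{FrontDoorId}}</value>
    </check-header>
    <!-- Network-layer allow list: Front Door backend ranges plus the Azure
         platform host VIPs named in the answer. Everything else is refused. -->
    <ip-filter action="allow">
      <address-range from="PLACEHOLDER_START_IP" to="PLACEHOLDER_END_IP" />
      <address>168.63.129.16</address>
      <address>169.254.169.254</address>
    </ip-filter>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Apply this at the global (All APIs) scope so that every operation inherits both checks, and keep the NSG rules from the answer in place so the header check is a second layer rather than the only control.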