Initial working commit of new appgw-apim infrastructure

Author: simonkurtz-MSFT

infrastructure/appgw-apim/README.md

@@ -0,0 +1,56 @@
+# Application Gateway & API Management (VNet Internal) Infrastructure
+
+This architecture provides secure ingress through Azure Application Gateway (WAF_v2) to Azure API Management (APIM) deployed in a Virtual Network using Internal mode (private IP only). No Private Endpoints are used; traffic stays on private networking after the gateway, and APIM cannot be accessed aside from traversing Application Gateway.
+
+<!-- TODO: Generate diagram -->
+<!-- <img src="./Azure Application Gateway + APIM (Internal).svg" alt="Diagram showing Application Gateway routing to APIM in VNet Internal mode. Optional Container Apps shown behind APIM. Telemetry to Azure Monitor." title="Application Gateway + APIM (Internal)" width="1000" /> -->
+
+## 🎯 Objectives
+
+1. Expose APIs publicly via Application Gateway while keeping APIM private (VNet Internal)
+2. Maintain private networking end-to-end without Private Endpoints
+3. Enable optional backends with Azure Container Apps (ACA)
+4. Provide observability via Log Analytics and Application Insights
+
+## 💡 Why Developer SKU?
+
+- Significant cost savings for learning, demos, and dev/test:
+  - Developer is a fraction of Premium costs (often >90% cheaper)
+  - No SLA and single-instance only, which is acceptable for the purpose of this repo
+- Trade-offs:
+  - Longer deployment times compared to v2/Premium SKUs (APIM creation can be slow)
+
+We choose the Developer SKU here to dramatically lower costs for experimentation. If you need SLAs, scaling, or production-grade features, use Premium/Premiumv2 as those are the only SKUs that support VNet *injection*.
+
+## ⚙️ Configuration
+
+Adjust the user-defined parameters in this lab's Jupyter Notebook's Initialize notebook variables section.
+
+Key parameters:
+- `apimSku`: Defaults to `Developer`
+- `useACA`: Enable to provision a private ACA environment and sample apps
+
+## ▶️ Execution
+
+1. Execute this lab's Jupyter Notebook step-by-step or via Run All.
+
+👟 Expected Run All runtime: longer than v2 SKUs for APIM creation. We will measure and update this value after testing.
+
+- TODO: Measure actual runtime on Developer SKU and update this section accordingly.
+
+## 🧪 Testing
+
+Because we use a self-signed certificate for Application Gateway TLS termination (for convenience in this sample), testing can be done with curl by ignoring certificate warnings and sending the Host header:
+
+```
+curl -v -k -H "Host: api.apim-samples.contoso.com" https://<APPGW_PUBLIC_IP>/status-0123456789abcdef
+```
+
+A 200 status from the health endpoint indicates success through App Gateway to APIM.
+
+## 🔐 Security Notes
+
+- Self-signed certificates are for demos only. Use managed or trusted certs for production.
+- This sample uses RBAC-enabled Key Vault with minimal role assignments for App Gateway certificate retrieval.
+- **Azure limitation**: APIM must be created with public access enabled initially. You can disable public access in a subsequent update if desired.
+- Review and harden NSGs/WAF policy as needed for your environment.

infrastructure/appgw-apim/clean-up.ipynb

@@ -0,0 +1,48 @@
+{
+ "cells": [
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### 🗑️ Clean up resources\n",
+    "\n",
+    "When you're finished with the lab, you should remove all your deployed resources from Azure to avoid extra charges and keep your Azure subscription uncluttered."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from apimtypes import INFRASTRUCTURE\n",
+    "from infrastructures import cleanup_infra_deployments\n",
+    "\n",
+    "indexes = [1]\n",
+    "\n",
+    "cleanup_infra_deployments(INFRASTRUCTURE.APPGW_APIM, indexes)"
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": ".venv (3.14.0)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.14.0"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}

infrastructure/appgw-apim/create.ipynb

@@ -0,0 +1,78 @@
+{
+ "cells": [
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### 🛠️ Configure Infrastructure Parameters & Create the Infrastructure\n",
+    "\n",
+    "Set your desired parameters for the APPGW-APIM infrastructure deployment.\n",
+    "\n",
+    "❗️ **Modify entries under _User-defined parameters_**.\n",
+    "\n",
+    "**Note:** This infrastructure includes Application Gateway with API Management using VNet injection."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from apimtypes import APIM_SKU, INFRASTRUCTURE\n",
+    "from utils import InfrastructureNotebookHelper\n",
+    "from console import print_ok\n",
+    "\n",
+    "# ------------------------------\n",
+    "#    USER CONFIGURATION\n",
+    "# ------------------------------\n",
+    "\n",
+    "rg_location = 'eastus2'             # Azure region for deployment\n",
+    "index       = 1                     # Infrastructure index (use different numbers for multiple environments)\n",
+    "apim_sku    = APIM_SKU.DEVELOPER    # Options: 'DEVELOPER'\n",
+    "\n",
+    "\n",
+    "\n",
+    "# ------------------------------\n",
+    "#    SYSTEM CONFIGURATION\n",
+    "# ------------------------------\n",
+    "\n",
+    "inb_helper = InfrastructureNotebookHelper(rg_location, INFRASTRUCTURE.APPGW_APIM, index, apim_sku)\n",
+    "inb_helper.create_infrastructure()\n",
+    "\n",
+    "print_ok('All done!')"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### 🗑️ Clean up resources\n",
+    "\n",
+    "When you're finished experimenting, it's advisable to remove all associated resources from Azure to avoid unnecessary cost.\n",
+    "Use the [clean-up notebook](clean-up.ipynb) for that."
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": ".venv (3.14.0)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.14.0"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}

infrastructure/appgw-apim/create_infrastructure.py

@@ -0,0 +1,83 @@
+"""
+Reusable script to create Application Gateway + APIM (Internal) infrastructure.
+"""
+
+import sys
+import argparse
+
+# APIM Samples imports
+import azure_resources as az
+from apimtypes import APIM_SKU, API, GET_APIOperation, BACKEND_XML_POLICY_PATH, INFRASTRUCTURE
+from infrastructures import AppGwApimInfrastructure
+import utils
+
+
+def create_infrastructure(location: str, index: int, apim_sku: APIM_SKU, no_aca: bool = False) -> None:
+    # Check if infrastructure already exists to determine messaging
+    infrastructure_exists = az.does_resource_group_exist(az.get_infra_rg_name(INFRASTRUCTURE.APPGW_APIM, index))
+
+    # Create custom APIs for APPGW-APIM with optional Container Apps backends
+    custom_apis = _create_appgw_specific_apis(not no_aca)
+
+    infra = AppGwApimInfrastructure(location, index, apim_sku, infra_apis = custom_apis)
+    result = infra.deploy_infrastructure(infrastructure_exists)
+
+    raise SystemExit(0 if result.success else 1)
+
+def _create_appgw_specific_apis(use_aca: bool = True) -> list[API]:
+    """
+    Create APPGW-APIM specific APIs with optional Container Apps backends.
+
+    Args:
+        use_aca (bool): Whether to include Azure Container Apps backends. Defaults to true.
+
+    Returns:
+        list[API]: List of AppGw-specific APIs.
+    """
+
+    # If Container Apps is enabled, create the ACA APIs in APIM
+    if use_aca:
+        pol_backend          = utils.read_policy_xml(BACKEND_XML_POLICY_PATH)
+        pol_aca_backend_1    = pol_backend.format(backend_id = 'aca-backend-1')
+        pol_aca_backend_2    = pol_backend.format(backend_id = 'aca-backend-2')
+        pol_aca_backend_pool = pol_backend.format(backend_id = 'aca-backend-pool')
+
+        # API 1: Hello World (ACA Backend 1)
+        api_hwaca_1_get      = GET_APIOperation('This is a GET for Hello World on ACA Backend 1')
+        api_hwaca_1          = API('hello-world-aca-1', 'Hello World (ACA 1)', '/aca-1', 'This is the ACA API for Backend 1', pol_aca_backend_1, [api_hwaca_1_get])
+
+        # API 2: Hello World (ACA Backend 2)
+        api_hwaca_2_get      = GET_APIOperation('This is a GET for Hello World on ACA Backend 2')
+        api_hwaca_2          = API('hello-world-aca-2', 'Hello World (ACA 2)', '/aca-2', 'This is the ACA API for Backend 2', pol_aca_backend_2, [api_hwaca_2_get])
+
+        # API 3: Hello World (ACA Backend Pool)
+        api_hwaca_pool_get   = GET_APIOperation('This is a GET for Hello World on ACA Backend Pool')
+        api_hwaca_pool       = API('hello-world-aca-pool', 'Hello World (ACA Pool)', '/aca-pool', 'This is the ACA API for Backend Pool', pol_aca_backend_pool, [api_hwaca_pool_get])
+
+        return [api_hwaca_1, api_hwaca_2, api_hwaca_pool]
+
+    return []
+
+def main():
+    """
+    Main entry point for command-line usage.
+    """
+
+    parser = argparse.ArgumentParser(description = 'Create APPGW-APIM infrastructure (VNet Internal)')
+    parser.add_argument('--location', default = 'eastus2', help = 'Azure region (default: eastus2)')
+    parser.add_argument('--index', type = int, help = 'Infrastructure index')
+    parser.add_argument('--sku', choices = ['Developer', 'Basicv2', 'Standardv2'], default = 'Developer', help = 'APIM SKU (default: Developer)')
+    parser.add_argument('--no-aca', action = 'store_true', help = 'Disable Azure Container Apps')
+    args = parser.parse_args()
+
+    # Convert SKU string to enum using the enum's built-in functionality
+    try:
+        apim_sku = APIM_SKU(args.sku)
+    except ValueError:
+        print(f"Error: Invalid SKU '{args.sku}'. Valid options are: {', '.join([sku.value for sku in APIM_SKU])}")
+        sys.exit(1)
+
+    create_infrastructure(args.location, args.index, apim_sku, args.no_aca)
+
+if __name__ == '__main__':
+    main()