Add App Gateway to API Management via VNet Infrastructure (#109)

Author: simonkurtz-MSFT

README.md

@@ -25,7 +25,7 @@ _Try it out, learn from it, apply it in your setups._
 | [API Management & Container Apps][infra-apim-aca]                  | APIs are often implemented in containers running in Azure Container Apps. This architecture accesses the container apps publicly. It's beneficial to test both APIM and container app URLs to contrast and compare experiences of API calls through and bypassing APIM. It is not intended to be a security baseline.    |
 | [Front Door & API Management & Container Apps][infra-afd-apim-pe]  | A secure implementation of Azure Front Door connecting to APIM via the new private link integration. This traffic, once it traverses through Front Door, rides entirely on Microsoft-owned and operated networks. The connection from APIM to Container Apps is secured but through a VNet configuration (it is also entirely possible to do this via private link). APIM Standard V2 is used here to accept a private link from Front Door. |
 | [Application Gateway (Private Endpoint) & API Management & Container Apps][infra-appgw-apim-pe]  | A secure implementation of Azure Application Gateway connecting to APIM via the new private link integration. This traffic, once it traverses through App Gateway, uses a private endpoint set up in the VNet's private endpoint subnet. The connection from APIM to Container Apps is secured but through a VNet configuration (it is also entirely possible to do this via private link). APIM Standard V2 is used here to accept a private link from App Gateway. |
-| Application Gateway (VNet) & API Management & Container Apps       | *ETA TBD - Stay tuned!* |
+| [Application Gateway (VNet) & API Management & Container Apps][infra-appgw-apim] | Full VNet injection of APIM and ACA! APIM is shielded from any type of traffic unless it comes through App Gateway. This offers maximum isolation for instances in which customers seek VNet injection. |
 
 ## 📁 List of Samples
 
@@ -66,6 +66,7 @@ These prerequisites apply broadly across all infrastructure and samples. If ther
   - Python 3.13 and 3.14 should work as well, but have not been verified extensively
 - [VS Code][vscode] installed with the [Jupyter notebook extension][vscode-jupyter] enabled
 - [Azure CLI][azure-cli-install] installed
+- [Azure Bicep][azure-bicep-install] installed
 - [An Azure Subscription][azure-free] with Owner or Contributor+UserAccessAdministrator permissions. Execute [Verify Azure Account][verify-az-account-notebook] to verify.
 - **Azure Authentication**: Sign in to Azure with Azure CLI using the specific tenant and subscription you want to work with:
   - To log in to a specific tenant: `az login --tenant <your-tenant-id-or-domain>`
@@ -384,6 +385,7 @@ The original author of this project is [Simon Kurtz][simon-kurtz].
 [andrew-redman]: https://github.com/anotherRedbeard
 [apim-lza]: https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/landing-zone-accelerator
 [apim-snippets-repo]: https://github.com/Azure/api-management-policy-snippets
+[azure-bicep-install]: https://learn.microsoft.com/azure/azure-resource-manager/bicep/install#azure-cli
 [azure-cli-auth]: https://learn.microsoft.com/cli/azure/authenticate-azure-cli-interactively
 [azure-cli-install]: https://learn.microsoft.com/cli/azure/install-azure-cli
 [azure-free]: https://azure.microsoft.com/free/
@@ -394,6 +396,7 @@ The original author of this project is [Simon Kurtz][simon-kurtz].
 [import-troubleshooting]: .devcontainer/IMPORT-TROUBLESHOOTING.md
 [infra-afd-apim-pe]: ./infrastructure/afd-apim-pe
 [infra-apim-aca]: ./infrastructure/apim-aca
+[infra-appgw-apim]: ./infrastructure/appgw-apim/
 [infra-appgw-apim-pe]: ./infrastructure/appgw-apim-pe/
 [infra-simple-apim]: ./infrastructure/simple-apim
 [pytest-docs]: https://docs.pytest.org/

infrastructure/appgw-apim/README.md

@@ -0,0 +1,56 @@
+# Application Gateway & API Management (VNet Internal) Infrastructure
+
+This architecture provides secure ingress through Azure Application Gateway (WAF_v2) to Azure API Management (APIM) deployed in a Virtual Network using Internal mode (private IP only). No Private Endpoints are used; traffic stays on private networking after the gateway, and APIM cannot be accessed aside from traversing Application Gateway.
+
+<!-- TODO: Generate diagram -->
+<!-- <img src="./Azure Application Gateway + APIM (Internal).svg" alt="Diagram showing Application Gateway routing to APIM in VNet Internal mode. Optional Container Apps shown behind APIM. Telemetry to Azure Monitor." title="Application Gateway + APIM (Internal)" width="1000" /> -->
+
+## 🎯 Objectives
+
+1. Expose APIs publicly via Application Gateway while keeping APIM private (VNet Internal)
+2. Maintain private networking end-to-end without Private Endpoints
+3. Enable optional backends with Azure Container Apps (ACA)
+4. Provide observability via Log Analytics and Application Insights
+
+## 💡 Why Developer SKU?
+
+- Significant cost savings for learning, demos, and dev/test:
+  - Developer is a fraction of Premium costs (often >90% cheaper)
+  - No SLA and single-instance only, which is acceptable for the purpose of this repo
+- Trade-offs:
+  - Longer deployment times compared to v2/Premium SKUs (APIM creation can be slow)
+
+We choose the Developer SKU here to dramatically lower costs for experimentation. If you need SLAs, scaling, or production-grade features, use Premium/Premiumv2 as those are the only SKUs that support VNet *injection*.
+
+## ⚙️ Configuration
+
+Adjust the user-defined parameters in this lab's Jupyter Notebook's Initialize notebook variables section.
+
+Key parameters:
+- `apimSku`: Defaults to `Developer`
+- `useACA`: Enable to provision a private ACA environment and sample apps
+
+## ▶️ Execution
+
+1. Execute this lab's Jupyter Notebook step-by-step or via Run All.
+
+👟 Expected Run All runtime: longer than v2 SKUs for APIM creation. We will measure and update this value after testing.
+
+- TODO: Measure actual runtime on Developer SKU and update this section accordingly.
+
+## 🧪 Testing
+
+Because we use a self-signed certificate for Application Gateway TLS termination (for convenience in this sample), testing can be done with curl by ignoring certificate warnings and sending the Host header:
+
+```
+curl -v -k -H "Host: api.apim-samples.contoso.com" https://<APPGW_PUBLIC_IP>/status-0123456789abcdef
+```
+
+A 200 status from the health endpoint indicates success through App Gateway to APIM.
+
+## 🔐 Security Notes
+
+- Self-signed certificates are for demos only. Use managed or trusted certs for production.
+- This sample uses RBAC-enabled Key Vault with minimal role assignments for App Gateway certificate retrieval.
+- **Azure limitation**: APIM must be created with public access enabled initially. You can disable public access in a subsequent update if desired.
+- Review and harden NSGs/WAF policy as needed for your environment.

infrastructure/appgw-apim/clean-up.ipynb

@@ -0,0 +1,48 @@
+{
+ "cells": [
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### 🗑️ Clean up resources\n",
+    "\n",
+    "When you're finished with the lab, you should remove all your deployed resources from Azure to avoid extra charges and keep your Azure subscription uncluttered."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from apimtypes import INFRASTRUCTURE\n",
+    "from infrastructures import cleanup_infra_deployments\n",
+    "\n",
+    "indexes = [1]\n",
+    "\n",
+    "cleanup_infra_deployments(INFRASTRUCTURE.APPGW_APIM, indexes)"
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": ".venv (3.14.0)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.14.0"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}

infrastructure/appgw-apim/create.ipynb

@@ -0,0 +1,78 @@
+{
+ "cells": [
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### 🛠️ Configure Infrastructure Parameters & Create the Infrastructure\n",
+    "\n",
+    "Set your desired parameters for the APPGW-APIM infrastructure deployment.\n",
+    "\n",
+    "❗️ **Modify entries under _User-defined parameters_**.\n",
+    "\n",
+    "**Note:** This infrastructure includes Application Gateway with API Management using VNet injection."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from apimtypes import APIM_SKU, INFRASTRUCTURE\n",
+    "from utils import InfrastructureNotebookHelper\n",
+    "from console import print_ok\n",
+    "\n",
+    "# ------------------------------\n",
+    "#    USER CONFIGURATION\n",
+    "# ------------------------------\n",
+    "\n",
+    "rg_location = 'eastus2'             # Azure region for deployment\n",
+    "index       = 1                     # Infrastructure index (use different numbers for multiple environments)\n",
+    "apim_sku    = APIM_SKU.DEVELOPER    # Options: 'DEVELOPER'\n",
+    "\n",
+    "\n",
+    "\n",
+    "# ------------------------------\n",
+    "#    SYSTEM CONFIGURATION\n",
+    "# ------------------------------\n",
+    "\n",
+    "inb_helper = InfrastructureNotebookHelper(rg_location, INFRASTRUCTURE.APPGW_APIM, index, apim_sku)\n",
+    "inb_helper.create_infrastructure()\n",
+    "\n",
+    "print_ok('All done!')"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### 🗑️ Clean up resources\n",
+    "\n",
+    "When you're finished experimenting, it's advisable to remove all associated resources from Azure to avoid unnecessary cost.\n",
+    "Use the [clean-up notebook](clean-up.ipynb) for that."
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": ".venv (3.14.0)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.14.0"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}

infrastructure/appgw-apim/create_infrastructure.py

@@ -0,0 +1,83 @@
+"""
+Reusable script to create Application Gateway + APIM (Internal) infrastructure.
+"""
+
+import sys
+import argparse
+
+# APIM Samples imports
+import azure_resources as az
+from apimtypes import APIM_SKU, API, GET_APIOperation, BACKEND_XML_POLICY_PATH, INFRASTRUCTURE
+from infrastructures import AppGwApimInfrastructure
+import utils
+
+
+def create_infrastructure(location: str, index: int, apim_sku: APIM_SKU, no_aca: bool = False) -> None:
+    # Check if infrastructure already exists to determine messaging
+    infrastructure_exists = az.does_resource_group_exist(az.get_infra_rg_name(INFRASTRUCTURE.APPGW_APIM, index))
+
+    # Create custom APIs for APPGW-APIM with optional Container Apps backends
+    custom_apis = _create_appgw_specific_apis(not no_aca)
+
+    infra = AppGwApimInfrastructure(location, index, apim_sku, infra_apis = custom_apis)
+    result = infra.deploy_infrastructure(infrastructure_exists)
+
+    raise SystemExit(0 if result.success else 1)
+
+def _create_appgw_specific_apis(use_aca: bool = True) -> list[API]:
+    """
+    Create APPGW-APIM specific APIs with optional Container Apps backends.
+
+    Args:
+        use_aca (bool): Whether to include Azure Container Apps backends. Defaults to true.
+
+    Returns:
+        list[API]: List of AppGw-specific APIs.
+    """
+
+    # If Container Apps is enabled, create the ACA APIs in APIM
+    if use_aca:
+        pol_backend          = utils.read_policy_xml(BACKEND_XML_POLICY_PATH)
+        pol_aca_backend_1    = pol_backend.format(backend_id = 'aca-backend-1')
+        pol_aca_backend_2    = pol_backend.format(backend_id = 'aca-backend-2')
+        pol_aca_backend_pool = pol_backend.format(backend_id = 'aca-backend-pool')
+
+        # API 1: Hello World (ACA Backend 1)
+        api_hwaca_1_get      = GET_APIOperation('This is a GET for Hello World on ACA Backend 1')
+        api_hwaca_1          = API('hello-world-aca-1', 'Hello World (ACA 1)', '/aca-1', 'This is the ACA API for Backend 1', pol_aca_backend_1, [api_hwaca_1_get])
+
+        # API 2: Hello World (ACA Backend 2)
+        api_hwaca_2_get      = GET_APIOperation('This is a GET for Hello World on ACA Backend 2')
+        api_hwaca_2          = API('hello-world-aca-2', 'Hello World (ACA 2)', '/aca-2', 'This is the ACA API for Backend 2', pol_aca_backend_2, [api_hwaca_2_get])
+
+        # API 3: Hello World (ACA Backend Pool)
+        api_hwaca_pool_get   = GET_APIOperation('This is a GET for Hello World on ACA Backend Pool')
+        api_hwaca_pool       = API('hello-world-aca-pool', 'Hello World (ACA Pool)', '/aca-pool', 'This is the ACA API for Backend Pool', pol_aca_backend_pool, [api_hwaca_pool_get])
+
+        return [api_hwaca_1, api_hwaca_2, api_hwaca_pool]
+
+    return []
+
+def main():
+    """
+    Main entry point for command-line usage.
+    """
+
+    parser = argparse.ArgumentParser(description = 'Create APPGW-APIM infrastructure (VNet Internal)')
+    parser.add_argument('--location', default = 'eastus2', help = 'Azure region (default: eastus2)')
+    parser.add_argument('--index', type = int, help = 'Infrastructure index')
+    parser.add_argument('--sku', choices = ['Developer', 'Basicv2', 'Standardv2'], default = 'Developer', help = 'APIM SKU (default: Developer)')
+    parser.add_argument('--no-aca', action = 'store_true', help = 'Disable Azure Container Apps')
+    args = parser.parse_args()
+
+    # Convert SKU string to enum using the enum's built-in functionality
+    try:
+        apim_sku = APIM_SKU(args.sku)
+    except ValueError:
+        print(f"Error: Invalid SKU '{args.sku}'. Valid options are: {', '.join([sku.value for sku in APIM_SKU])}")
+        sys.exit(1)
+
+    create_infrastructure(args.location, args.index, apim_sku, args.no_aca)
+
+if __name__ == '__main__':
+    main()