| 1 | +--- |
| 2 | +title: Deploy Azure Front Door in front of Azure API Management |
| 3 | +description: Learn how to front your API Management instance with an instance of Azure Front Door. |
| 4 | +services: api-management |
| 5 | +author: dlepow |
| 6 | + |
| 7 | +ms.service: api-management |
| 8 | +ms.topic: how-to |
| 9 | +ms.date: 08/19/2022 |
| 10 | +ms.author: danlep |
| 11 | +--- |
| 12 | +# Create Front Door in front of Azure API Management |
| 13 | + |
| 14 | +Ref: https://techcommunity.microsoft.com/t5/azure-paas-blog/integrate-azure-front-door-with-azure-api-management/ba-p/2654925 |
| 15 | + |
| 16 | +Azure Front Door is a modern application delivery network platform providing a secure, scalable CDN, dynamic site acceleration, and global HTTP(s) load balancing for your global web applications. |
| 17 | + |
| 18 | + |
| 19 | +Azure Front Door supports ... and offers always-on availability, low latency, SSL offload, health probes, etc. etc. For a full list of supported features, see [What is Azure Front Door?](../frontdoor/front-door-overview.md). |
| 20 | + |
| 21 | +This article provides detailed steps to set up Azure Front Door Standard/Premium in front of an Azure API Management instance. It also shows the steps to restrict API Management to accept traffic only from Azure Front Door. |
| 22 | + |
| 23 | +In this scenario, Azure Front Door requires a publicly accessibly origin, so that API Management must be non-networked, or injected in an [external virtual network](api-management-using-with-vnet.md). This article shows steps to use Front Door with a VNet-injected API Management instance, which supports the following scenario: |
| 24 | +... |
| 25 | +... |
| 26 | +... |
| 27 | + |
| 28 | +[!INCLUDE [premium-dev.md](../../includes/api-management-availability-premium-dev.md)] |
| 29 | + |
| 30 | + |
| 31 | +## Prerequisites |
| 32 | + |
| 33 | +* API Management instance deployed in an external VNet |
| 34 | +* Import one or more APIs to your API Management instance to confirm routing through Front Door. |
| 35 | +* You can also use the custom domain of APIM instance in the Front Door origin host name. But please note if you are going to route traffic using HTTPS via port 443, only certificates from valid Certificate Authorities can be used at the backend (origin) with Front Door. Certificates from internal CAs or self-signed certificates aren't allowed. |
| 36 | + |
| 37 | +## Deploy Azure Front profile |
| 38 | + |
| 39 | +For detailed steps to deploy an Azure Front Door Standard/Premium profile, see [Quickstart: Create an Azure Front Door profile - Azure portal](../frontdoor/create-front-door-portal.md). |
| 40 | + |
| 41 | +* Backend pool - API Management service |
| 42 | +* Health probe settings to gatway: - Path `/status-0123456789abcdef`, HTTPS, GET method, 30 sec interval |
| 43 | +* Health probe settings to developer portal ? |
| 44 | +* Routing rules |
| 45 | + * Gateway |
| 46 | + |
| 47 | + * Developer portal |
| 48 | + |
| 49 | + |
| 50 | +### Quick create Front Door profile |
| 51 | + |
| 52 | +### Update default origin group |
| 53 | + |
| 54 | +### Associate route |
| 55 | + |
| 56 | +* Update default route that is configured. Set **Forwarding protocol** to **Match incoming request**. [Might be OK to accept default value of **HTTPS only**?] |
| 57 | +* Select **Enable caching** to enable Front Door to [cache static content](../frontdoor/front-door-caching.md?pivots=front-door-standard-premium). In **Query string caching behavior** select **Use query string** (or another value if that works better for your scenario?) |
| 58 | + |
| 59 | +## Test |
| 60 | + |
| 61 | +Use Postman |
| 62 | + |
| 63 | + |
| 64 | +## (Optional) Configure Front Door for developer portal |
| 65 | + |
| 66 | +## Restrict traffic to API Management instance |
| 67 | + |
| 68 | +Restrict Inbound IP |
| 69 | + |
| 70 | +Restrict Inbound IP to accept traffic from Azure Front Door's backend IP address space and Azure's infrastructure services only. |
| 71 | + |
| 72 | + |
| 73 | + |
| 74 | +External Virtual Network Type APIM |
| 75 | + |
| 76 | +For APIM instance deployed as external VNet mode, we can simply restrict the incoming IP using inbound rule in the network security groups of your APIM subnet. |
| 77 | + |
| 78 | +* Allow service tag **AzureFrontDoor.Backend** in inbound rule for port 443. (Is it also needed for port 80?) |
| 79 | +* Also allow incoming traffic from Azure's basic infrastructure services through virtualized host IP addresses: 168.63.129.16 and 169.254.169.254 |
| 80 | +* If your APIM service isn’t deployed into Vnet (None for the Virtual Network type), then there’s nowhere you can put the inbound rule in. But you can still leverage APIM IP restriction policy to achieve this goal. See policy doc here: https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#Res.... |
| 81 | + |
| 82 | +Allow Azure Front Door Backend Ips. Refer AzureFrontDoor.Backend section in Azure IP Ranges and Service Tags for Front Door's IPv4 backend IP address range. |
| 83 | + |
| 84 | +### Check Front Door header |
| 85 | + |
| 86 | +```xml |
| 87 | +<check-header name="X-Azure-FDID" failed-check-httpcode="403" failed-check-error-message="Invalid request." ignore-case="false"> |
| 88 | + <value>{{FrontDoorId}}</value> |
| 89 | + </check-header> |
| 90 | +``` |
| 91 | + |
| 92 | + |
| 93 | + |
| 94 | + |
| 95 | + |
| 96 | +## Next steps |
| 97 | + |
| 98 | +To automate deployments, see the following Quickstart Templates: |
| 99 | + |
| 100 | +* [Front Door Standard/Premium with API Management origin](https://azure.microsoft.com/resources/templates/front-door-standard-premium-api-management-external/) |
| 101 | +* [Create Azure Front Door in front of Azure API Management](https://docs.microsoft.com/samples/azure/azure-quickstart-templates/front-door-api-management/) |
| 102 | + |
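Review bot: the `check-header` policy under "Check Front Door header" is the control that ties the origin to this particular Front Door profile, but the text never says where `{{FrontDoorId}}` comes from or where the snippet goes; state that it is a named value holding the profile's Front Door ID and that the policy belongs in the `<inbound>` section at the all-APIs scope, and say explicitly that the NSG rule for the `AzureFrontDoor.Backend` service tag only narrows the source to Front Door's shared backend address range, so the header check is what blocks requests relayed through other Front Door profiles. The closing `</check-header>` tag is also indented one level deeper than its opening tag. Before merge, resolve the open questions left in the text (`[Might be OK to accept default value of **HTTPS only**?]`, `(Is it also needed for port 80?)`, `Health probe settings to developer portal ?`), replace the `...` and `etc. etc.` placeholders in the introduction, and fix the typos `accessibly` → `accessible`, `gatway` → `gateway`, and the heading `## Deploy Azure Front profile` → `## Deploy Azure Front Door profile`.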