Merge pull request #237925 from dlepow/shgwaad

[APIM] Azure AD authentication by SHGW

Author: ttorble

articles/api-management/TOC.yml

@@ -208,6 +208,8 @@
                   href: how-to-configure-local-metrics-logs.md
                 - name: Enable Dapr support on self-hosted gateway
                   href: self-hosted-gateway-enable-dapr.md  
+                - name: Use Azure AD authentication on self-hosted gateway
+                  href: self-hosted-gateway-enable-azure-ad.md
                 - name: Guidance for running on Kubernetes
                   href: how-to-self-hosted-gateway-on-kubernetes-in-production.md
                 - name: Migrate to self-hosted gateway v2

articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes.md

@@ -7,7 +7,7 @@ ms.service: api-management
 ms.workload: mobile
 ms.topic: article
 ms.author: danlep
-ms.date: 05/25/2021
+ms.date: 05/22/2023
 ---
 # Deploy a self-hosted gateway to Kubernetes with YAML
 
@@ -30,6 +30,9 @@ This article describes the steps for deploying the self-hosted gateway component
 
 ## Deploy to Kubernetes
 
+> [!TIP]
+> The following steps deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using a gateway access token (authentication key). You can also deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using [Azure AD](self-hosted-gateway-enable-azure-ad.md).
+
 1. Select **Gateways** under **Deployment and infrastructure**.
 2. Select the self-hosted gateway resource that you want to deploy.
 3. Select **Deployment**.
@@ -40,34 +43,8 @@ This article describes the steps for deploying the self-hosted gateway component
 8. When using Azure Kubernetes Service (AKS), run `az aks get-credentials --resource-group <resource-group-name> --name <resource-name> --admin` in a new terminal session.
 9. Run the commands to create the necessary Kubernetes objects in the [default namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) and start self-hosted gateway pods from the [container image](https://aka.ms/apim/shgw/registry-portal) downloaded from the Microsoft Artifact Registry.
    - The first step creates a Kubernetes secret that contains the access token generated in step 4. Next, it creates a Kubernetes deployment for the self-hosted gateway which uses a ConfigMap with the configuration of the gateway.
-10. Run the following command to check if the deployment succeeded. Note that it might take a little time for all the objects to be created and for the pods to initialize.
-
-    ```console
-    kubectl get deployments
-    ```
-    It should return
-    ```console
-        NAME             READY   UP-TO-DATE   AVAILABLE   AGE
-    <gateway-name>   1/1     1            1           18s
-    ```
-11. Run the following command to check if the service was successfully created. Note that your service IPs and ports will be different.
 
-    ```console
-    kubectl get services
-    ```
-    It should return
-    ```console
-    NAME             TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
-    <gateway-name>   LoadBalancer   10.99.236.168   <pending>     80:31620/TCP,443:30456/TCP   9m1s
-    ```
-1. Go back to the Azure portal and select **Overview**.
-1. Confirm that **Status** shows a green check mark, followed by a node count that matches the number of replicas specified in the YAML file. This status means the deployed self-hosted gateway pods are successfully communicating with the API Management service and have a regular "heartbeat."
-
-    ![Gateway status](media/how-to-deploy-self-hosted-gateway-kubernetes/status.png)
-
-> [!TIP]
-> Run the `kubectl logs deployment/<gateway-name>` command to view logs from a randomly selected pod if there's more than one.
-> Run `kubectl logs -h` for a complete set of command options, such as how to view logs for a specific pod or container.
+[!INCLUDE [api-management-self-hosted-gateway-kubernetes-services](../../includes/api-management-self-hosted-gateway-kubernetes-services.md)]
 
 ## Next steps
 

articles/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production.md

@@ -25,6 +25,9 @@ Without a valid access token, a self-hosted gateway can't access and download co
 
 When you're automating token refresh, use [this management API operation](/rest/api/apimanagement/current-ga/gateway/generate-token) to generate a new token. For information on managing Kubernetes secrets, see the [Kubernetes website](https://kubernetes.io/docs/concepts/configuration/secret).
 
+> [!TIP]
+> You can also deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using [Azure AD](self-hosted-gateway-enable-azure-ad.md).
+
 ## Autoscaling
 
 While we provide [guidance on the minimum number of replicas](#number-of-replicas) for the self-hosted gateway, we recommend that you use autoscaling for the self-hosted gateway to meet the demand of your traffic more proactively.
@@ -110,7 +113,7 @@ The YAML file provided in the Azure portal applies the default [ClusterFirst](ht
 To learn about name resolution in Kubernetes, see the [Kubernetes website](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service). Consider customizing [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) or [DNS configuration](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-config) as appropriate for your setup.
 
 ## External traffic policy
-The YAML file provided in the Azure portal sets `externalTrafficPolicy` field on the [Service](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#service-v1-core) object to `Local`. This preserves caller IP address (accessible in the [request context](api-management-policy-expressions.md#ContextVariables)) and disables cross node load balancing, eliminating network hops caused by it. Be aware, that this setting might cause asymmetric distribution of traffic in deployments with unequal number of gateway pods per node.
+The YAML file provided in the Azure portal sets `externalTrafficPolicy` field on the [Service](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/) object to `Local`. This preserves caller IP address (accessible in the [request context](api-management-policy-expressions.md#ContextVariables)) and disables cross node load balancing, eliminating network hops caused by it. Be aware, that this setting might cause asymmetric distribution of traffic in deployments with unequal number of gateway pods per node.
 
 ## High availability
 The self-hosted gateway is a crucial component in the infrastructure and has to be highly available. However, failure will and can happen.

articles/api-management/self-hosted-gateway-enable-azure-ad.md

@@ -0,0 +1,256 @@
+---
+title: Azure API Management self-hosted gateway - Azure AD authentication
+description: Enable the Azure API Management self-hosted gateway to authenticate with its associated cloud-based API Management instance using Azure Active Directory authentication. 
+services: api-management
+author: dlepow
+
+ms.service: api-management
+ms.topic: article
+ms.date: 05/22/2023
+ms.author: danlep
+---
+
+# Use Azure AD authentication for the self-hosted gateway
+
+The Azure API Management [self-hosted gateway](self-hosted-gateway-overview.md) needs connectivity with its associated cloud-based API Management instance for reporting status, checking for and applying configuration updates, and sending metrics and events. 
+
+In addition to using a gateway access token (authentication key) to connect with its cloud-based API Management instance, you can enable the self-hosted gateway to authenticate to its associated cloud instance by using an [Azure AD app](../active-directory/develop/app-objects-and-service-principals.md). With Azure AD authentication, you can configure longer expiry times for secrets and use standard steps to manage and rotate secrets in Active Directory. 
+
+## Scenario overview
+
+The self-hosted gateway configuration API can check Azure RBAC to determine who has permissions to read the gateway configuration. After you create an Azure AD app with those permissions, the self-hosted gateway can authenticate to the API Management instance using the app. 
+
+To enable Azure AD authentication, complete the following steps:
+1. Create two custom roles to:
+    * Let the configuration API get access to customer's RBAC information
+    * Grant permissions to read self-hosted gateway configuration
+1. Grant RBAC access to the API Management instance's managed identity 
+1. Create an Azure AD app and grant it access to read the gateway configuration
+1. Deploy the gateway with new configuration options
+
+## Prerequisites
+
+* An API Management instance in the Developer or Premium service tier. If needed, complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).
+* Provision a [gateway resource](api-management-howto-provision-self-hosted-gateway.md) on the instance.
+* Enable a [managed identity](api-management-howto-use-managed-service-identity.md) on the instance.
+
+## Create custom roles
+
+Create the following two [custom roles](../role-based-access-control/custom-roles.md) that are assigned in later steps. You can use the permissions listed in the following JSON templates to create the custom roles using the [Azure portal](../role-based-access-control/custom-roles-portal.md), [Azure CLI](../role-based-access-control/custom-roles-cli.md), [Azure PowerShell](../role-based-access-control/custom-roles-powershell.md), or other Azure tools.
+
+When configuring the custom roles, update the [`AssignableScopes`](../role-based-access-control/role-definitions.md#assignablescopes) property with appropriate scope values for your directory, such as a subscription in which your API Management instance is deployed. 
+
+**API Management Configuration API Access Validator Service Role**
+
+```json
+{
+  "Description": "Can access RBAC permissions on the API Management resource to authorize requests in Configuration API.",
+  "IsCustom": true,
+  "Name": "API Management Configuration API Access Validator Service Role",
+  "Permissions": [
+    {
+      "Actions": [
+        "Microsoft.Authorization/denyAssignments/read",
+        "Microsoft.Authorization/roleAssignments/read",
+        "Microsoft.Authorization/roleDefinitions/read"
+      ],
+      "NotActions": [],
+      "DataActions": [],
+      "NotDataActions": []
+    }
+  ],
+  "NotDataActions": [],
+  "AssignableScopes": [
+    "/subscriptions/{subscriptionID}"
+  ]
+}
+```
+
+**API Management Gateway Configuration Reader Role**
+
+```json
+{
+  "Description": "Can read self-hosted gateway configuration from Configuration API",
+  "IsCustom": true,
+  "Name": "API Management Gateway Configuration Reader Role",
+  "Permissions": [
+    {
+      "Actions": [],
+      "NotActions": [],
+      "DataActions": [
+        "Microsoft.ApiManagement/service/gateways/getConfiguration/action"
+      ],
+      "NotDataActions": []
+    }
+  ],
+  "NotDataActions": [],
+  "AssignableScopes": [
+    "/subscriptions/{subscriptionID}"
+  ]
+}
+```
+
+## Add role assignments
+
+### Assign API Management Configuration API Access Validator Service Role 
+
+Assign the API Management Configuration API Access Validator Service Role to the managed identity of the API Management instance. For detailed steps to assign a role, see [Assign Azure roles using the portal](../role-based-access-control/role-assignments-portal.md). 
+
+* Scope: The  resource group or subscription in which the API Management instance is deployed
+* Role: API Management Configuration API Access Validator Service Role
+* Assign access to: Managed identity of API Management instance
+
+### Assign API Management Gateway Configuration Reader Role
+
+#### Step 1. Register Azure AD app 
+
+Create a new Azure AD app. For steps, see [Create an Azure Active Directory application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). This app will be used by the self-hosted gateway to authenticate to the API Management instance.
+
+* Generate a [client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-application-secret) 
+* Take note of the following application values for use in the next section when deploying the self-hosted gateway: application (client) ID, directory (tenant) ID, and client secret
+
+#### Step 2. Assign API Management Gateway Configuration Reader Service Role
+
+[Assign](../active-directory/develop/howto-create-service-principal-portal.md#assign-a-role-to-the-application) the API Management Gateway Configuration Reader Service Role to the app.
+
+* Scope: The API Management instance (or resource group or subscription in which it's deployed)
+* Role: API Management Gateway Configuration Reader Role
+* Assign access to: Azure AD app
+
+## Deploy the self-hosted gateway
+
+Deploy the self-hosted gateway to Kubernetes, adding Azure AD app registration settings to the `data` element of the gateways `ConfigMap`. In the following example YAML configuration file, the gateway is named *mygw* and the file is named `mygw.yaml`.
+
+> [!IMPORTANT]
+> If you're following the existing Kubernetes [deployment guidance](how-to-deploy-self-hosted-gateway-kubernetes.md):
+> * Make sure to omit the step to store the default authentication key using the `kubectl create secret generic` command. 
+> * Substitute the following basic configuration file for the default YAML file that's generated for you in the Azure portal. The following file adds Azure AD configuration in place of configuration to use an authentication key.
+  
+```yml
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mygw-env
+  labels:
+    app: mygw
+data:
+  config.service.endpoint: "<service-name>.configuration.azure-api.net"
+  config.service.auth: azureAdApp 
+  config.service.auth.azureAd.authority: "https://login.microsoftonline.com"  
+  config.service.auth.azureAd.tenantId: "<Azure AD tenant ID>" 
+  config.service.auth.azureAd.clientId: "<Azure AD client ID>" 
+  config.service.auth.azureAd.clientSecret: "<Azure AD client secret>"
+  gateway.name: <gateway-id>
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mygw
+  labels:
+    app: mygw
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mygw
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 0
+      maxSurge: 25%
+  template:
+    metadata:
+      labels:
+        app: mygw
+    spec:
+      terminationGracePeriodSeconds: 60
+      containers:
+      - name: mygw
+        image: mcr.microsoft.com/azure-api-management/gateway:v2
+        ports:
+        - name: http
+          containerPort: 8080
+        - name: https
+          containerPort: 8081
+          # Container port used for rate limiting to discover instances
+        - name: rate-limit-dc
+          protocol: UDP
+          containerPort: 4290
+          # Container port used for instances to send heartbeats to each other
+        - name: dc-heartbeat
+          protocol: UDP
+          containerPort: 4291
+        readinessProbe:
+          httpGet:
+            path: /status-0123456789abcdef
+            port: http
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
+        envFrom:
+        - configMapRef:
+            name: mygw-env
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mygw-live-traffic
+  labels:
+    app: mygw
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  ports:
+  - name: http
+    port: 80
+    targetPort: 8080
+  - name: https
+    port: 443
+    targetPort: 8081
+  selector:
+    app: mygw
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mygw-instance-discovery
+  labels:
+    app: mygw
+  annotations:
+    azure.apim.kubernetes.io/notes: "Headless service being used for instance discovery of self-hosted gateway"
+spec:
+  clusterIP: None
+  type: ClusterIP
+  ports:
+  - name: rate-limit-discovery
+    port: 4290
+    targetPort: rate-limit-dc
+    protocol: UDP
+  - name: discovery-heartbeat
+    port: 4291
+    targetPort: dc-heartbeat
+    protocol: UDP
+  selector:
+    app: mygw
+```
+
+Deploy the gateway to Kubernetes with the following command:
+
+```Console
+kubectl apply -f mygw.yaml
+```
+
+[!INCLUDE [api-management-self-hosted-gateway-kubernetes-services](../../includes/api-management-self-hosted-gateway-kubernetes-services.md)]
+
+
+## Next steps
+
+* Learn more about the API Management [self-hosted gateway overview](self-hosted-gateway-overview.md).
+* Learn more about guidance for [running the self-hosted gateway on Kubernetes in production](how-to-self-hosted-gateway-on-kubernetes-in-production.md).
+* Learn [how to deploy API Management self-hosted gateway to Azure Arc-enabled Kubernetes clusters](how-to-deploy-self-hosted-gateway-azure-arc.md).
+
+[helm]: https://helm.sh/
+[helm-install]: https://helm.sh/docs/intro/install/

includes/api-management-self-hosted-gateway-kubernetes-services.md

@@ -0,0 +1,37 @@
+---
+author: dlepow
+ms.service: api-management
+ms.topic: include
+ms.date: 05/22/2023
+ms.author: danlep
+---
+## Confirm that the gateway is running
+
+1. Run the following command to check if the deployment succeeded. It might take a little time for all the objects to be created and for the pods to initialize.
+
+    ```console
+    kubectl get deployments
+    ```
+    It should return
+    ```console
+    NAME             READY   UP-TO-DATE   AVAILABLE   AGE
+    <gateway-name>   1/1     1            1           18s
+    ```
+1. Run the following command to check if the services were successfully created. Your service IPs and ports will be different.
+
+    ```console
+    kubectl get services
+    ```
+    It should return
+    ```console
+    NAME                                TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
+    <gateway-name>-live-traffic         ClusterIP      None            <none>        4290/UDP,4291/UDP   9m1s
+    <gateway-name>-instance-discovery   LoadBalancer   10.99.236.168   <pending>     80:31620/TCP,443:30456/TCP   9m1s
+    ```
+1. Go back to the Azure portal and select **Overview**.
+1. Confirm that **Status** shows a green check mark, followed by a node count that matches the number of replicas specified in the YAML file. This status means the deployed self-hosted gateway pods are successfully communicating with the API Management service and have a regular "heartbeat."
+    :::image type="content" source="./media/api-management-self-hosted-gateway-kubernetes-services/status.png" alt-text="Screenshot showing status of self-hosted gateway in the portal.":::
+
+> [!TIP]
+> * Run the `kubectl logs deployment/<gateway-name>` command to view logs from a randomly selected pod if there's more than one.
+> * Run `kubectl logs -h` for a complete set of command options, such as how to view logs for a specific pod or container.