articles/api-management/api-management-howto-protect-backend-with-aad.md
15 additions & 15 deletions
@@ -43,12 +43,12 @@ Here is a quick overview of the steps:
43
43
44
44
To protect an API with Azure AD, the first step is to register an application in Azure AD that represents the API.
45
45
46
-
1.Navigate to the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page.
46
+
1.Go to the [Azure portal](https://portal.azure.com) to register your application. Search for and select **API registrations**.
47
47
48
48
1. Select **New registration**.
49
49
50
50
1. When the **Register an application page** appears, enter your application's registration information:
51
-
- In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `backend-app`.
51
+
- In the **Name** section, enter a meaningful application name that will be displayed to users of the app, such as *backend-app*.
52
52
- In the **Supported account types** section, select an option that suits your scenario.
53
53
54
54
1. Leave the **Redirect URI** section empty.
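Review bot: the rewritten step 1 ("Search for and select **API registrations**") names a portal blade that does not exist; the removed line linked to the **App registrations** page, which is the blade where the "New registration" button of step 2 lives. Suggest `Search for and select **App registrations**.` The rest of the hunk (replacing the fwlink with portal search, and `*backend-app*` instead of the code span) reads fine.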
@@ -59,51 +59,51 @@ To protect an API with Azure AD, the first step is to register an application in
59
59
60
60
1. Select **Expose an API** and set the **Application ID URI** with the default value. Record this value for later.
61
61
62
-
1.In the **Add a scope** page, create a new scope supported by the API. (e.g., Read) then click on *Add scope* to create the scope. Repeat this step to add all scopes supported by your API.
62
+
1.Select the **Add a scope**button to display the **Add a scope**page. Then create a new scope that's supported by the API (for example, `Files.Read`). Finally, select the **Add scope** button to create the scope. Repeat this step to add all scopes supported by your API.
63
63
64
-
1. When the scope is created, make a note of it, for use in a subsequent step.
64
+
1. When the scopes are created, make a note of them for use in a subsequent step.
65
65
66
66
## Register another application in Azure AD to represent a client application
67
67
68
68
Every client application that calls the API needs to be registered as an application in Azure AD as well. In this example, the client application is the Developer Console in the API Management developer portal. Here's how to register another application in Azure AD to represent the Developer Console.
69
69
70
-
1.Navigate to the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page.
70
+
1.Go to the [Azure portal](https://portal.azure.com) to register your application. Search for and select **API registrations**.
71
71
72
72
1. Select **New registration**.
73
73
74
74
1. When the **Register an application page** appears, enter your application's registration information:
75
-
- In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `client-app`.
76
-
- In the **Supported account types** section, select **Accounts in any organizational directory**.
75
+
- In the **Name** section, enter a meaningful application name that will be displayed to users of the app, such as *client-app*.
76
+
- In the **Supported account types** section, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant)**.
77
77
78
-
1. In the **Redirect URI** section, select `Web` and enter the URL `https://contoso5.portal.azure-api.net/signin`
78
+
1. In the **Redirect URI** section, select `Web` and enter the URL `https://contoso5.portal.azure-api.net/signin`.
79
79
80
80
1. Select **Register** to create the application.
81
81
82
82
1. On the app **Overview** page, find the **Application (client) ID** value and record it for later.
83
83
84
-
Now, create a client secret for this application, for use in a subsequent step.
84
+
Now, create a client secret for this application to use in a subsequent step.
85
85
86
86
1. From the list of pages for your client app, select **Certificates & secrets**, and select **New client secret**.
87
87
88
88
1. Under **Add a client secret**, provide a **Description**. Choose when the key should expire, and select **Add**.
89
89
90
-
When the secret is created, make a note of the key value, for use in a subsequent step.
90
+
When the secret is created, note the key value for use in a subsequent step.
91
91
92
92
## Grant permissions in Azure AD
93
93
94
94
Now that you have registered two applications to represent the API and the Developer Console, you need to grant permissions to allow the client-app to call the backend-app.
95
95
96
-
1.Navigate to **App registrations**.
96
+
1.Go to the [Azure portal](https://portal.azure.com) to grant permissions to your client application. Search for and select **API registrations**.
97
97
98
-
1.Select `client-app`, and in the list of pages for the app go to**API permissions**.
98
+
1.Choose your clientapp. Then in the list of pages for the app, select**API permissions**.
99
99
100
100
1. Select **Add a Permission**.
101
101
102
-
1. Under **Select an API**, find and select `backend-app`.
102
+
1. Under **Select an API**, select **My APIs**, and then find and select your backend-app.
103
103
104
-
1. Under **Delegated Permissions**, select the appropriate permissions to `backend-app` then click on**Add permissions**.
104
+
1. Under **Delegated Permissions**, select the appropriate permissions to your backend-app, then select**Add permissions**.
105
105
106
-
1. Optionally, on the **API permissions** page, click on **Grant admin consent for <your-tenant-name>** in the bottom of the page to grant consent on behalf of all users in this directory.
106
+
1. Optionally, on the **API permissions** page, select **Grant admin consent for \<your-tenant-name>** to grant consent on behalf of all users in this directory.
107
107
108
108
## Enable OAuth 2.0 user authorization in the Developer Console
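Review bot: the same wrong blade name is introduced twice in this hunk, in the client registration step ("Search for and select **API registrations**") and in the Grant permissions step, where the removed line correctly said `Navigate to **App registrations**`; both should read **App registrations**. Two smaller points in the same hunk: "Choose your clientapp" lost the hyphen used everywhere else (`client-app`), and "select the appropriate permissions to your backend-app" should be "permissions for your backend-app". The added "(Any Azure AD directory - Multitenant)" qualifier on the account-type choice is a useful clarification, since that setting widens which directories can obtain tokens for the client app; keeping it spelled out as the portal shows it helps readers notice what they are choosing.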
articles/api-management/api-management-using-with-vnet.md
21 additions & 18 deletions
@@ -41,44 +41,47 @@ To perform the steps described in this article, you must have:
41
41
42
42
### Enable VNET connectivity using the Azure portal
43
43
44
-
1. Navigate to your APIM instance in the [Azure portal](https://portal.azure.com/).
45
-
2. Select **Virtual Network**.
46
-
3. Configure the API Management instance to be deployed inside a Virtual network.
44
+
1. Go to the [Azure portal](https://portal.azure.com) to find your API management instance. Search for and select **API Management services**.
45
+
46
+
2. Choose your API Management instance.
47
+
48
+
3. Select **Virtual network**.
49
+
4. Configure the API Management instance to be deployed inside a Virtual network.
47
50
48
51
![Virtual network menu of API Management][api-management-using-vnet-menu]
49
-
4. Select the desired access type:
52
+
5. Select the desired access type:
53
+
54
+
***Off**: This is the default. API Management is not deployed into a virtual network.
50
55
51
-
***Off**: this is the default. API Management is not deployed into a virtual network.
56
+
***External**: The API Management gateway and developer portal are accessible from the public internet via an external load balancer. The gateway can access resources within the virtual network.
52
57
53
-
***External**: the API Management gateway and developer portal are accessible from the public internet via an external load balancer. The gateway can access resources within the virtual network.
58
+
![Public peering][api-management-vnet-public]
54
59
55
-
![Public peering][api-management-vnet-public]
60
+
***Internal**: The API Management gateway and developer portal are accessible only from within the virtual network via an internal load balancer. The gateway can access resources within the virtual network.
56
61
57
-
***Internal**: the API Management gateway and developer portal are accessible only from within the virtual network via an internal load balancer. The gateway can access resources within the virtual network.
62
+
![Private peering][api-management-vnet-private]
58
63
59
-
![Private peering][api-management-vnet-private]
64
+
6. If you selected **External** or **Internal**, you will see a list of all regions where your API Management service is provisioned. Choose a **Location**, and then pick its **Virtual network** and **Subnet**. The virtual network list is populated with both classic and Resource Manager virtual networks available in your Azure subscriptions that are set up in the region you are configuring.
60
65
61
-
You will now see a list of all regions where your API Management service is provisioned. Select a VNET and subnet for every region. The list is populated with both classic and Resource Manager virtual networks available in your Azure subscriptions that are setup in the region you are configuring.
66
+
> [!IMPORTANT]
67
+
> When deploying an Azure API Management instance to a Resource Manager VNET, the service must be in a dedicated subnet that contains no other resources except for Azure API Management instances. If an attempt is made to deploy an Azure API Management instance to a Resource Manager VNET subnet that contains other resources, the deployment will fail.
62
68
63
-
> [!IMPORTANT]
64
-
> When deploying an Azure API Management instance to a Resource Manager VNET, the service must be in a dedicated subnet that contains no other resources except for Azure API Management instances. If an attempt is made to deploy an Azure API Management instance to a Resource Manager VNET subnet that contains other resources, the deployment will fail.
65
-
>
69
+
Then select **Apply**. The **Virtual network** page of your API Management instance is updated with your new virtual network and subnet choices.
66
70
67
-
![Select VPN][api-management-setup-vpn-select]
71
+
![Select VPN][api-management-setup-vpn-select]
68
72
69
-
5. Click **Save** in the top navigation bar.
70
-
6. Click **Apply network configuration** in the top navigation bar.
73
+
7. In the top navigation bar, select **Save**, and then select **Apply network configuration**.
71
74
72
75
> [!NOTE]
73
76
> The VIP address of the API Management instance will change each time VNET is enabled or disabled.
74
-
> The VIP address will also change when API Management is moved from **External** to **Internal** or vice-versa
77
+
> The VIP address will also change when API Management is moved from **External** to **Internal**, or vice-versa.
75
78
>
76
79
77
80
> [!IMPORTANT]
78
81
> If you remove API Management from a VNET or change the one it is deployed in, the previously used VNET can remain locked for up to six hours. During this period it will not be possible to delete the VNET or deploy a new resource to it. This behavior is true for clients using api-version 2018-01-01 and earlier. Clients using api-version 2019-01-01 and later, the VNET is freed up as soon as the associated API Management service is deleted.
79
82
80
83
## <aname="enable-vnet-powershell"> </a>Enable VNET connection using PowerShell cmdlets
81
-
You can also enable VNET connectivity using the PowerShell cmdlets
84
+
You can also enable VNET connectivity using the PowerShell cmdlets.
82
85
83
86
***Create an API Management service inside a VNET**: Use the cmdlet [New-AzApiManagement](/powershell/module/az.apimanagement/new-azapimanagement) to create an Azure API Management service inside a VNET.
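Review bot: step 6's new wording ("Choose a **Location**, and then pick its **Virtual network** and **Subnet**") reads as a single choice, while the removed sentence said to select a VNET and subnet for every region the service is provisioned in; if a multi-region deployment still needs a choice per region, say so explicitly (for example, "Repeat this for each region in the list"). Also, the added sentence "Then select **Apply**" after the IMPORTANT note introduces an apply action before step 7's **Apply network configuration**; naming the first one as the **Apply** button on the Virtual network page would keep the two from being confused. The remaining changes (renumbering, capitalizing the access-type descriptions, the trailing period in the VIP note) look correct.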