Update api-management-howto-integrate-internal-vnet-appgateway.md

simonkurtz-MSFT · web-flow · commit e62128114285 · 2023-04-11T21:22:24.000-04:00
This PR includes several necessary updates as well as some cosmetic ones: - [Functional] Add API Management NSG rules and API Management public IP to create an `stv2` instead of an `stv1` API Management instance. - [Functional] Add `Priority` to `New-AzApplicationGatewayRequestRoutingRule` as the newer API version requires this parameter. - [Cosmetic] Extract the desired domain name to a `$domain` variable for ease-of-use. - [Cosmetic] Standardize on `contoso.net` by removing mentions of `contoso.com`. Fixes MicrosoftDocs/azure-docs#108050 ------- cc: @dlepow
diff --git a/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md b/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md
@@ -52,7 +52,7 @@ To follow the steps described in this article, you must have:
 
 ## Scenario
 
-In this article, you learn how to use a single API Management instance for internal and external consumers and make it act as a single front end for both on-premises and cloud APIs. You'll also understand how to expose only a subset of your APIs for external consumption by using routing functionality available in Application Gateway. In the example, the APIs are highlighted in green.
+In this article, you learn how to use a single API Management instance for internal and external consumers and make it act as a single front end for both on-premises and cloud APIs. You'll create an API Management instance of the newer single-tenant version 2 (stv2) type. You'll also understand how to expose only a subset of your APIs for external consumption by using routing functionality available in Application Gateway. In the example, the APIs are highlighted in green.
 
 In the first setup example, all your APIs are managed only from within your virtual network. Internal consumers can access all your internal and external APIs. Traffic never goes out to the internet. High-performance connectivity can be delivered via Azure ExpressRoute circuits. In the example, the internal consumers are highlighted in orange.
 
@@ -115,7 +115,7 @@ Resource Manager requires that all resource groups specify a location. This loca
 
 The following example shows how to create a virtual network by using Resource Manager. The virtual network in this example consists of separate subnets for Application Gateway and API Management.
 
-1. Create network security groups (NSGs) and NSG rules for the Application Gateway and API Management subnets.
+1. Create a network security group (NSG) and NSG rules for the Application Gateway subnet.
 
     ```powershell
     $appGwRule1 = New-AzNetworkSecurityRuleConfig -Name appgw-in -Description "AppGw inbound" `
@@ -124,14 +124,32 @@ The following example shows how to create a virtual network by using Resource Ma
     $appGwRule2 = New-AzNetworkSecurityRuleConfig -Name appgw-in-internet -Description "AppGw inbound Internet" `
         -Access Allow -Protocol "TCP" -Direction Inbound -Priority 110 -SourceAddressPrefix `
         Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
+        
     $appGwNsg = New-AzNetworkSecurityGroup -ResourceGroupName $resGroupName -Location $location -Name `
         "NSG-APPGW" -SecurityRules $appGwRule1, $appGwRule2
+    ```
+    
+1.  Create a network security group (NSG) and NSG rules for the API Management subnet. [API Management stv2 requires several specific rules](https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2#configure-nsg-rules).
+
+    ```powershell
+    $apimRule1 = New-AzNetworkSecurityRuleConfig -Name APIM-Management -Description "APIM inbound" `
+        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix ApiManagement `
+        -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3443
+    $apimRule2 = New-AzNetworkSecurityRuleConfig -Name AllowAppGatewayToAPIM -Description "Allows inbound App Gateway traffic to APIM" `
+        -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 -SourceAddressPrefix "10.0.0.0/24" `
+        -SourcePortRange * -DestinationAddressPrefix "10.0.1.0/24" -DestinationPortRange 443
+    $apimRule3 = New-AzNetworkSecurityRuleConfig -Name AllowAzureLoadBalancer -Description "Allows inbound Azure Infrastructure Load Balancer traffic to APIM" `
+        -Access Allow -Protocol Tcp -Direction Inbound -Priority 120 -SourceAddressPrefix AzureLoadBalancer `
+        -SourcePortRange * -DestinationAddressPrefix "10.0.1.0/24" -DestinationPortRange 6390
+    $apimRule4 = New-AzNetworkSecurityRuleConfig -Name AllowKeyVault -Description "Allows outbound traffic to Azure Key Vault" `
+        -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 -SourceAddressPrefix "10.0.1.0/24" `
+        -SourcePortRange * -DestinationAddressPrefix AzureKeyVault -DestinationPortRange 443
+    $apimRule5 = New-AzNetworkSecurityRuleConfig -Name DenyAll -Description "Denies all inbound traffic" `
+        -Access Deny -Protocol * -Direction Inbound -Priority 4096 -SourceAddressPrefix "10.0.1.0/24" `
+        -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *
     
-    $apimRule1 = New-AzNetworkSecurityRuleConfig -Name apim-in -Description "APIM inbound" `
-        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix `
-        ApiManagement -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3443
     $apimNsg = New-AzNetworkSecurityGroup -ResourceGroupName $resGroupName -Location $location -Name `
-        "NSG-APIM" -SecurityRules $apimRule1
+        "NSG-APIM" -SecurityRules $apimRule1, $apimRule2, $apimRule3, $apimRule4, $apimRule5
     ```
 
 1. Assign the address range 10.0.0.0/24 to the subnet variable to be used for Application Gateway while you create a virtual network.
@@ -164,6 +182,13 @@ The following example shows how to create a virtual network by using Resource Ma
 
 The following example shows how to create an API Management instance in a virtual network configured for internal access only.
 
+1. API Management stv2 requires a public IP with a `DomainNameLabel`:
+
+    ```powershell
+    $apimPublicIpAddressId = New-AzPublicIpAddress -ResourceGroupName $resGroupName -name "pip-apim" -location $location `
+        -AllocationMethod Static -Sku Standard -Force -DomainNameLabel "apim-contoso"
+    ```
+
 1. Create an API Management virtual network object by using the subnet `$apimSubnetData` you created.
 
     ```powershell
@@ -173,10 +198,13 @@ The following example shows how to create an API Management instance in a virtua
 1. Create an API Management instance inside the virtual network. This example creates the service in the Developer service tier. Substitute a unique name for your API Management instance.
     
     ```powershell
+    $domain = "contoso.net"
     $apimServiceName = "ContosoApi"       # API Management service instance name, must be globally unique
     $apimOrganization = "Contoso"         # Organization name
-    $apimAdminEmail = "admin@contoso.com" # Administrator's email address
-    $apimService = New-AzApiManagement -ResourceGroupName $resGroupName -Location $location -Name $apimServiceName -Organization $apimOrganization -AdminEmail $apimAdminEmail -VirtualNetwork $apimVirtualNetwork -VpnType "Internal" -Sku "Developer"
+    $apimAdminEmail = "admin@contoso.net" # Administrator's email address
+    
+    $apimService = New-AzApiManagement -ResourceGroupName $resGroupName -Location $location -Name $apimServiceName -Organization $apimOrganization `
+        -AdminEmail $apimAdminEmail -VirtualNetwork $apimVirtualNetwork -VpnType "Internal" -Sku "Developer" -PublicIpAddressId $apimPublicIpAddressId.Id
     ```
 
 It can take between 30 and 40 minutes to create and activate an API Management instance in this tier. After the previous command succeeds, see [DNS configuration required to access internal virtual network API Management service](api-management-using-with-internal-vnet.md#dns-configuration) to confirm access to it.
@@ -188,9 +216,9 @@ To set up custom domain names in API Management:
 1. Initialize the following variables with the details of the certificates with private keys for the domains and the trusted root certificate. In this example, we use `api.contoso.net`, `portal.contoso.net`, and `management.contoso.net`.  
 
     ```powershell
-    $gatewayHostname = "api.contoso.net"                 # API gateway host
-    $portalHostname = "portal.contoso.net"               # API developer portal host
-    $managementHostname = "management.contoso.net"               # API management endpoint host
+    $gatewayHostname = "api.$domain"                 # API gateway host
+    $portalHostname = "portal.$domain"               # API developer portal host
+    $managementHostname = "management.$domain"               # API management endpoint host
     $gatewayCertPfxPath = "C:\Users\Contoso\gateway.pfx" # Full path to api.contoso.net .pfx file
     $portalCertPfxPath = "C:\Users\Contoso\portal.pfx"   # Full path to portal.contoso.net .pfx file
     $managementCertPfxPath = "C:\Users\Contoso\management.pfx"   # Full path to management.contoso.net .pfx file
@@ -232,8 +260,8 @@ To configure a private DNS zone for DNS resolution in the virtual network:
 1. Create a private DNS zone and link the virtual network.
 
     ```powershell
-    $myZone = New-AzPrivateDnsZone -Name "contoso.net" -ResourceGroupName $resGroupName 
-    $link = New-AzPrivateDnsVirtualNetworkLink -ZoneName contoso.net `
+    $myZone = New-AzPrivateDnsZone -Name $domain -ResourceGroupName $resGroupName 
+    $link = New-AzPrivateDnsVirtualNetworkLink -ZoneName $domain `
       -ResourceGroupName $resGroupName -Name "mylink" `
       -VirtualNetworkId $vnet.id
     ```
@@ -243,13 +271,13 @@ To configure a private DNS zone for DNS resolution in the virtual network:
     ```powershell
     $apimIP = $apimService.PrivateIPAddresses[0]
     
-    New-AzPrivateDnsRecordSet -Name api -RecordType A -ZoneName contoso.net `
+    New-AzPrivateDnsRecordSet -Name api -RecordType A -ZoneName $domain `
       -ResourceGroupName $resGroupName -Ttl 3600 `
       -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $apimIP)
-    New-AzPrivateDnsRecordSet -Name portal -RecordType A -ZoneName contoso.net `
+    New-AzPrivateDnsRecordSet -Name portal -RecordType A -ZoneName $domain `
       -ResourceGroupName $resGroupName -Ttl 3600 `
       -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $apimIP)
-    New-AzPrivateDnsRecordSet -Name management -RecordType A -ZoneName contoso.net `
+    New-AzPrivateDnsRecordSet -Name management -RecordType A -ZoneName $domain `
       -ResourceGroupName $resGroupName -Ttl 3600 `
       -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $apimIP)
     ```
@@ -260,7 +288,7 @@ Create a Standard public IP resource **publicIP01** in the resource group.
 
 ```powershell
 $publicip = New-AzPublicIpAddress -ResourceGroupName $resGroupName `
-  -name "publicIP01" -location $location -AllocationMethod Static -Sku Standard
+  -name "pip-appgateway" -location $location -AllocationMethod Static -Sku Standard
 ```
 
 An IP address is assigned to the application gateway when the service starts.
@@ -369,13 +397,13 @@ All configuration items must be set up before you create the application gateway
     ```powershell
     $gatewayRule = New-AzApplicationGatewayRequestRoutingRule -Name "gatewayrule" `
       -RuleType Basic -HttpListener $gatewayListener -BackendAddressPool $apimGatewayBackendPool `
-      -BackendHttpSettings $apimPoolGatewaySetting
+      -BackendHttpSettings $apimPoolGatewaySetting -Priority 10
     $portalRule = New-AzApplicationGatewayRequestRoutingRule -Name "portalrule" `
       -RuleType Basic -HttpListener $portalListener -BackendAddressPool $apimPortalBackendPool `
-      -BackendHttpSettings $apimPoolPortalSetting
+      -BackendHttpSettings $apimPoolPortalSetting -Priority 20
     $managementRule = New-AzApplicationGatewayRequestRoutingRule -Name "managementrule" `
       -RuleType Basic -HttpListener $managementListener -BackendAddressPool $apimManagementBackendPool `
-      -BackendHttpSettings $apimPoolManagementSetting
+      -BackendHttpSettings $apimPoolManagementSetting -Priority 30
     ```
 
     > [!TIP]
