Azure-docs: How to place Application Gateway between APIM and App Service?

Created on 12 Sep 2019 · 8 comments · Source: MicrosoftDocs/azure-docs

I have an APIM (API Management) instance which is exposed to the internet, and the backend is a Web API (App Service).

I am using CA certificates in APIM, but I am not using any security mechanism for the backend Web API apart from IP whitelisting from APIM.

I am planning to use Application Gateway in between APIM and the Web App to increase the security. But I am not finding any right resource. Could you add a document around it?


Labels: Pri2 api-management/svc assigned-to-author doc-idea triaged

All 8 comments

@kudlatiger Thank you for your question! We will review and provide an update as appropriate.

@kudlatiger Since you already have a CA certificate added, you can set up mutual certificate authentication between APIM and your Web App. Also, if your Web App has Azure AD Authentication set up, you can also use Managed Identity to connect to APIM.

There is an excellent discussion here on this - #26312

We are assigning this issue to the content author for further review.

Thanks, we don't have a web app which has AD. I am particularly looking for a document which helps to add an Application Gateway between APIM and the Web API.

May I ask why you intend to place the GW between the APIM and the App? I have placed the GW in front of APIM to leverage the WAF for security, and APIM has a virtual non-public IP.

That is the best way. Put App Gateway in front of everything, be it your web applications or APIM or APIs (when you don't have APIM).

App Gateway doesn't pass through client certificates or support client cert validation whereas APIM can do both. If mutual TLS is required, App Gateway in front doesn't work out. App GW behind APIM is less ideal but allows you to have mutual TLS and WAF.

May I ask how the integration works when I do not run APIM inside a VNet? Does the communication between the Application Gateway and APIM go through the Internet, or is it an internal communication in the Azure network?

This feature is available in the Premium and Developer tiers of API Management.

I think the biggest concern here is price. If APIM needs to talk to an internal API it has got to be the Premium tier, which is 20x the cost ($48 / month vs $2802 / month).

If your APIs only allow OAuth2 token invocations, technically they are "secure", so why spend 20x the money to put the API in a private network?

APIM -> Public Azure App Service API = $100 / month
APIM -> Private API = $3500 / month, considering an ASE, SF or AKS cluster to make the API private.
