我希望有人能帮助我理解这个问题,并希望能解决它。
我的订阅中有一个api管理服务,我想通过在它前面使用Azure前门来保护它。
因此,为了实现这一点,我创建了一个API管理和一个前门。
关于前门配置,我设置如下:
Frontend/domain:
hostname: frontdoorapim.azurefd.net
Session Affinity: Disabled
WAF: Disabled
BackEndPool:
name: apimbackend
Backend: my-api-management.azure-api.net
Status: Enabled
Path: /
Protocol HTTPS
Probe: GET
Interval: 30
RoutingRules:
Status:Enabled
Accepted Protocol: HTTP and HTTPS
Frontend/domains: frontdoorapim.azurefd.net
Patterns to match: /*
Route Type: Forward
backend pool: apimbackend
Match Request
通过这个配置,我可以通过Front Door url访问我的api管理网关url。
所以我想限制对直接网关url的访问,只允许FrontDoor能够访问它。我的第一个想法是创建一个虚拟网络、子网和网络安全组。
I创建VNET和子网,并按如下参数配置安全组。
入站规则:
Priority: 100
Source: AzureFrontDoor.Frontend
Source Port Range: *
Destination: Any
Destination port: 3443
Protocol: TCP
Action: Allow
一旦我保存了这个消息,我将API管理更改为internal mode。在这一点上,一切都停止工作。API管理无法访问,前门返回:
Our services aren't available right now
We're working to restore all services as soon as possible. Please check back soon.
请如果有人可以帮助我了解如何我可以配置网络安全组只允许通过前门访问。应用程序服务,他们有Access Restriction,我想实现类似的东西,但与我的api管理。
非常感谢你能提供的任何帮助,在这个阶段我很沮丧。如果你需要任何额外的细节或截图,请不要犹豫,让我知道。
•是的,您可以实现所需的,即仅通过Azure前门URL访问APIM资源,确保相应地配置下面提到的步骤:-
a)Please ensure that if you are using a public IP address for the APIM, then you will have to disable the certificate name check from the resource explorer (https://resources.azure.com). To do that, navigate to the Azure front door resource in Azure resource explorer, and change the ‘enforceCertificateNameCheck’ as ‘Disabled’.
b)Ensure that you are entering the value for path in the backend pool health probe as ‘/status-0123456789abcdef’ and the probe method is set to ‘GET’. Also, do ensure that the certificate for HTTPS protocol is valid and complete with correct validation chain.
allow the incoming traffic from the virtual IP of the host nodes according to Azure platform consideration, i.e., 168.63.129.16 and 169.254.169.254 and allow the necessary inbound rules for APIM deployed in a virtual network according to the below documentation link. Deny all other incoming traffic to the subnet: -
https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet -common-network-configuration-issues
,允许Azure前门后端IPs如下的链接APIM IP限制政策,允许虚拟主机IP地址如上所述在这里.
https://www.microsoft.com/download/details.aspx?id=56519
通过这种方式,一旦完成了上面所说的,您可以仅通过Azure前门URL访问APIM资源。. 有关更详细的信息,我建议您参考下面的链接,该链接详细说明了实现期望的进一步步骤:-https://techcommunity.microsoft.com/t5/azure-paas-blog/integrate-azure-front-door-with-azure-api-management/ba-p/2654925: ~:文本= Azure % 20门前% 20 % 20需要% 20,访问% 20从% 20外部% 20负载% 20均衡器。
你说把APIM变成内部后,一切都停止工作了。Azure前门只与公开的公共资源通信,最近开始与特定的内部资源(即内部负载平衡器)合作。在这种情况下,您需要一个FD后面的应用程序网关,APIM将在AppGw后面,因为AppGw有一个FD的公共IP,而且它可以"交谈";到内部(私有IP地址)资源