Azure Lei Zhang's Blog


  I worked on a customer case a while ago and am recording it here.

  When using Azure API Management, we needed it to be reachable by both internal users (corporate intranet) and external users (Internet):

  -  For internal users (corporate intranet), API Management can be injected into a Virtual Network; intranet users then reach API Management's private IP address over a dedicated line (ExpressRoute) or a Site-to-Site VPN.

  -  For external users (Internet), traffic first reaches the public address of an Azure Application Gateway, which protects the service, and is then forwarded to API Management.

  The overall architecture diagram is as follows:

  

  Before starting the steps below, prepare the following in advance:

  1. A custom domain name
  2. A certificate for the custom domain name
  3. A DNS server

 

  The resources created in this example are:

  1. A new resource group named APIM-RG
  2. Inside this resource group, a new virtual network (VNet) named apim_vnet, which mainly serves as the DMZ
    • Subnet appGatewaySubnet, CIDR 172.25.0.0/24: the Internet-facing Azure Application Gateway is created here
    • Subnet vmSubnet, CIDR 172.25.1.0/24: VMs can be created here manually later
    • Subnet apimSubnet, CIDR 172.25.2.0/24: the intranet-facing API Management instance is created here
  3. One more VNet, connected to apim_vnet through VNet peering (the steps are omitted)
  4. API Management gets three access addresses:
    • api.leidemo.biz
    • management.leidemo.biz
    • portal.leidemo.biz
  5. A Private DNS Zone pointing at API Management's private IP address; virtual machines inside the VNet resolve these names through the Private DNS Zone
  6. An Azure Application Gateway; traffic from public Internet users is directed to the Application Gateway's public IP address
  7. The same three hostnames resolve differently depending on where the client sits (split-horizon DNS):

    API Management address   | Internal resolution (Private DNS Zone)  | Public resolution (public DNS)
    api.leidemo.biz          | API Management private IP address       | Application Gateway public IP address
    management.leidemo.biz   | API Management private IP address       | Application Gateway public IP address
    portal.leidemo.biz       | API Management private IP address       | Application Gateway public IP address

  Notes:

  1. For an internal-only Azure API Management instance, the Test tab under All APIs does not work.

  The deployment script follows:

#Refer to: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

Connect-AzAccount -Environment AzureChinaCloud

$subscriptionId = "这里是订阅ID"   # your subscription ID goes here
Get-AzSubscription -Subscriptionid $subscriptionId | Select-AzSubscription

$resGroupName = "APIM-RG"
$location = "chinaeast2"
New-AzResourceGroup -Name $resGroupName -Location $location

#=====================================================================================
#Create a virtual network and a subnet for the application gateway
#=====================================================================================
# NSG for the Application Gateway subnet: the Azure GatewayManager control plane on 65200-65535
# and HTTPS (443) from the Internet; nothing else is opened
$appGwRule1 = New-AzNetworkSecurityRuleConfig -Name appgw-in -Description "AppGw inbound" `
  -Access Allow -Protocol * -Direction Inbound -Priority 100 -SourceAddressPrefix `
  GatewayManager -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 65200-65535
$appGwRule2 = New-AzNetworkSecurityRuleConfig -Name appgw-in-internet -Description "AppGw inbound Internet" `
  -Access Allow -Protocol "TCP" -Direction Inbound -Priority 110 -SourceAddressPrefix `
  Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
$appGwNsg = New-AzNetworkSecurityGroup -ResourceGroupName $resGroupName -Location $location -Name `
  "NSG-APPGW" -SecurityRules $appGwRule1, $appGwRule2

# NSG for the API Management subnet: only the ApiManagement service tag, on the management port 3443
$apimRule1 = New-AzNetworkSecurityRuleConfig -Name apim-in -Description "APIM inbound" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix `
  ApiManagement -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3443
$apimNsg = New-AzNetworkSecurityGroup -ResourceGroupName $resGroupName -Location $location -Name `
  "NSG-APIM" -SecurityRules $apimRule1

#172.25.0.0/24 for Application Gateway
$appGatewaySubnet = New-AzVirtualNetworkSubnetConfig -Name "appGatewaySubnet" -NetworkSecurityGroup $appGwNsg -AddressPrefix "172.25.0.0/24"
#172.25.1.0/24 for test vm
$vmSubnet = New-AzVirtualNetworkSubnetConfig -Name "vmSubnet" -AddressPrefix "172.25.1.0/24"
#172.25.2.0/24 for API Management
$apimSubnet = New-AzVirtualNetworkSubnetConfig -Name "apimSubnet" -NetworkSecurityGroup $apimNsg -AddressPrefix "172.25.2.0/24"

#Create this VNet
$vnet = New-AzVirtualNetwork -Name "appgwvnet" -ResourceGroupName $resGroupName `
  -Location $location -AddressPrefix "172.25.0.0/16" -Subnet $appGatewaySubnet,$vmSubnet,$apimSubnet
$appGatewaySubnetData = $vnet.Subnets[0]
$apimSubnetData = $vnet.Subnets[2]

#=====================================================================================
#Create an API Management instance inside a virtual network
#=====================================================================================
$apimVirtualNetwork = New-AzApiManagementVirtualNetwork -SubnetResourceId $apimSubnetData.Id
$apimServiceName = "contosoPOC01"       # API Management service instance name, must be globally unique
$apimOrganization = "Contoso"           # Organization name
$apimAdminEmail = "admin@contoso.com"   # Administrator's email address
# -VpnType "Internal": the instance only gets a private IP in apimSubnet and no public endpoint
$apimService = New-AzApiManagement -ResourceGroupName $resGroupName -Location $location -Name $apimServiceName `
  -Organization $apimOrganization -AdminEmail $apimAdminEmail -VirtualNetwork $apimVirtualNetwork -VpnType "Internal" -Sku "Developer"

#=====================================================================================
#Set up custom domain names in API Management
#=====================================================================================
$gatewayHostname = "api.leidemo.biz"               # API gateway host
$portalHostname = "portal.leidemo.biz"             # API developer portal host
$managementHostname = "management.leidemo.biz"     # API management endpoint host
$gatewayCertPfxPath = "C:\Users\Contoso\gateway.pfx"         # Full path to api.leidemo.biz .pfx file
$portalCertPfxPath = "C:\Users\Contoso\portal.pfx"           # Full path to portal.leidemo.biz .pfx file
$managementCertPfxPath = "C:\Users\Contoso\management.pfx"   # Full path to management.leidemo.biz .pfx file
$gatewayCertPfxPassword = "这里输入api.leidemo.biz pfx的私钥密码"                # Password for api.leidemo.biz pfx certificate
$portalCertPfxPassword = "这里输入portal.leidemo.biz pfx的私钥密码"              # Password for portal.leidemo.biz pfx certificate
$managementCertPfxPassword = "这里输入management.leidemo.biz pfx的私钥密码"      # Password for management.leidemo.biz pfx certificate
# Path to trusted root CER file used in Application Gateway HTTP settings
$trustedRootCertCerPath = "C:\Users\Contoso\trustedroot.cer"   # Full path to leidemo.biz trusted root .cer file

$certGatewayPwd = ConvertTo-SecureString -String $gatewayCertPfxPassword -AsPlainText -Force
$certPortalPwd = ConvertTo-SecureString -String $portalCertPfxPassword -AsPlainText -Force
$certManagementPwd = ConvertTo-SecureString -String $managementCertPfxPassword -AsPlainText -Force

$gatewayHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $gatewayHostname `
  -HostnameType Proxy -PfxPath $gatewayCertPfxPath -PfxPassword $certGatewayPwd
$portalHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $portalHostname `
  -HostnameType DeveloperPortal -PfxPath $portalCertPfxPath -PfxPassword $certPortalPwd
$managementHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $managementHostname `
  -HostnameType Management -PfxPath $managementCertPfxPath -PfxPassword $certManagementPwd

$apimService.ProxyCustomHostnameConfiguration = $gatewayHostnameConfig
$apimService.PortalCustomHostnameConfiguration = $portalHostnameConfig
$apimService.ManagementCustomHostnameConfiguration = $managementHostnameConfig
Set-AzApiManagement -InputObject $apimService

#=====================================================================================
#Configure a private zone for DNS resolution in the virtual network
#=====================================================================================
$dnsname = "leidemo.biz"
$myZone = New-AzPrivateDnsZone -Name $dnsname -ResourceGroupName $resGroupName
$link = New-AzPrivateDnsVirtualNetworkLink -ZoneName $dnsname `
  -ResourceGroupName $resGroupName -Name "mylink" `
  -VirtualNetworkId $vnet.id
# All three names point at the APIM private IP inside the VNet
$apimIP = $apimService.PrivateIPAddresses[0]
New-AzPrivateDnsRecordSet -Name api -RecordType A -ZoneName $dnsname `
  -ResourceGroupName $resGroupName -Ttl 3600 `
  -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $apimIP)
New-AzPrivateDnsRecordSet -Name portal -RecordType A -ZoneName $dnsname `
  -ResourceGroupName $resGroupName -Ttl 3600 `
  -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $apimIP)
New-AzPrivateDnsRecordSet -Name management -RecordType A -ZoneName $dnsname `
  -ResourceGroupName $resGroupName -Ttl 3600 `
  -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $apimIP)

#=====================================================================================
#Create a public IP address for the front-end configuration
#=====================================================================================
$publicip = New-AzPublicIpAddress -ResourceGroupName $resGroupName `
  -name "publicIP01" -location $location -AllocationMethod Static -Sku Standard

#=====================================================================================
#Create application gateway configuration
#=====================================================================================
$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "gatewayIP01" -Subnet $appGatewaySubnetData
$fp01 = New-AzApplicationGatewayFrontendPort -Name "port01" -Port 443
$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "frontend1" -PublicIPAddress $publicip

$certGateway = New-AzApplicationGatewaySslCertificate -Name "gatewaycert" `
  -CertificateFile $gatewayCertPfxPath -Password $certGatewayPwd
$certPortal = New-AzApplicationGatewaySslCertificate -Name "portalcert" `
  -CertificateFile $portalCertPfxPath -Password $certPortalPwd
$certManagement = New-AzApplicationGatewaySslCertificate -Name "managementcert" `
  -CertificateFile $managementCertPfxPath -Password $certManagementPwd

# One HTTPS listener per hostname; SNI selects the matching certificate
$gatewayListener = New-AzApplicationGatewayHttpListener -Name "gatewaylistener" `
  -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 `
  -SslCertificate $certGateway -HostName $gatewayHostname -RequireServerNameIndication true
$portalListener = New-AzApplicationGatewayHttpListener -Name "portallistener" `
  -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 `
  -SslCertificate $certPortal -HostName $portalHostname -RequireServerNameIndication true
$managementListener = New-AzApplicationGatewayHttpListener -Name "managementlistener" `
  -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 `
  -SslCertificate $certManagement -HostName $managementHostname -RequireServerNameIndication true

# Health probes use the custom hostnames and the built-in APIM status endpoints
$apimGatewayProbe = New-AzApplicationGatewayProbeConfig -Name "apimgatewayprobe" `
  -Protocol "Https" -HostName $gatewayHostname -Path "/status-0123456789abcdef" `
  -Interval 30 -Timeout 120 -UnhealthyThreshold 8
$apimPortalProbe = New-AzApplicationGatewayProbeConfig -Name "apimportalprobe" `
  -Protocol "Https" -HostName $portalHostname -Path "/signin" `
  -Interval 60 -Timeout 300 -UnhealthyThreshold 8
$apimManagementProbe = New-AzApplicationGatewayProbeConfig -Name "apimmanagementprobe" `
  -Protocol "Https" -HostName $managementHostname -Path "/ServiceStatus" `
  -Interval 60 -Timeout 300 -UnhealthyThreshold 8

# Root CA of the APIM certificates, so the gateway verifies the backend TLS certificate
$trustedRootCert = New-AzApplicationGatewayTrustedRootCertificate -Name "whitelistcert1" -CertificateFile $trustedRootCertCerPath

$apimPoolGatewaySetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolGatewaySetting" `
  -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimGatewayProbe `
  -TrustedRootCertificate $trustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180
$apimPoolPortalSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolPortalSetting" `
  -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimPortalProbe `
  -TrustedRootCertificate $trustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180
$apimPoolManagementSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolManagementSetting" `
  -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimManagementProbe `
  -TrustedRootCertificate $trustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180

# Backend pools are the custom FQDNs; inside the VNet they resolve to the APIM private IP through the private zone
$apimGatewayBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "gatewaybackend" `
  -BackendFqdns $gatewayHostname
$apimPortalBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "portalbackend" `
  -BackendFqdns $portalHostname
$apimManagementBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "managementbackend" `
  -BackendFqdns $managementHostname

$gatewayRule = New-AzApplicationGatewayRequestRoutingRule -Name "gatewayrule" `
  -RuleType Basic -HttpListener $gatewayListener -BackendAddressPool $apimGatewayBackendPool `
  -BackendHttpSettings $apimPoolGatewaySetting
$portalRule = New-AzApplicationGatewayRequestRoutingRule -Name "portalrule" `
  -RuleType Basic -HttpListener $portalListener -BackendAddressPool $apimPortalBackendPool `
  -BackendHttpSettings $apimPoolPortalSetting
$managementRule = New-AzApplicationGatewayRequestRoutingRule -Name "managementrule" `
  -RuleType Basic -HttpListener $managementListener -BackendAddressPool $apimManagementBackendPool `
  -BackendHttpSettings $apimPoolManagementSetting

# WAF_v2 SKU in Prevention mode, with a predefined strict TLS policy
$sku = New-AzApplicationGatewaySku -Name "WAF_v2" -Tier "WAF_v2" -Capacity 2
$config = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode "Prevention"
$policy = New-AzApplicationGatewaySslPolicy -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S

#=====================================================================================
#Create an application gateway
#=====================================================================================
$appgwName = "apim-app-gw"
$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $resGroupName -Location $location `
  -BackendAddressPools $apimGatewayBackendPool,$apimPortalBackendPool,$apimManagementBackendPool `
  -BackendHttpSettingsCollection $apimPoolGatewaySetting, $apimPoolPortalSetting, $apimPoolManagementSetting `
  -FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 `
  -HttpListeners $gatewayListener,$portalListener,$managementListener `
  -RequestRoutingRules $gatewayRule,$portalRule,$managementRule `
  -Sku $sku -WebApplicationFirewallConfig $config -SslCertificates $certGateway,$certPortal,$certManagement `
  -TrustedRootCertificate $trustedRootCert -Probes $apimGatewayProbe,$apimPortalProbe,$apimManagementProbe `
  -SslPolicy $policy

Get-AzApplicationGatewayBackendHealth -Name $appgwName -ResourceGroupName $resGroupName

#=====================================================================================
#Create a CNAME record from the public DNS name
#=====================================================================================
# Get the public IP address
Get-AzPublicIpAddress -ResourceGroupName $resGroupName -Name "publicIP01"

# Finally, add the public DNS records:
#   api.leidemo.biz         add an A record pointing at the IP address of publicIP01 above
#   portal.leidemo.biz      add an A record pointing at the IP address of publicIP01 above
#   management.leidemo.biz  add an A record pointing at the IP address of publicIP01 above
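As an added post-deployment check, not part of the original post or of the Microsoft article it follows, the PowerShell below verifies the four properties this design relies on: the private zone A records, split-horizon resolution as seen from the machine it runs on, Application Gateway backend health, and that the NSG on the APIM subnet has no inbound allow rule from the Internet. It assumes the variables $resGroupName, $apimServiceName, $appgwName and $dnsname from the script above are still set in the session and that the public IP resource is named publicIP01.

```powershell
# Added example, not from the original post. Assumes $resGroupName, $apimServiceName,
# $appgwName and $dnsname are still set and the public IP resource is "publicIP01".
$hostnames = @("api.$dnsname", "portal.$dnsname", "management.$dnsname")
$apimIP   = (Get-AzApiManagement -ResourceGroupName $resGroupName -Name $apimServiceName).PrivateIPAddresses[0]
$appGwIP  = (Get-AzPublicIpAddress -ResourceGroupName $resGroupName -Name "publicIP01").IpAddress
$failures = @()

# 1. Each A record in the private zone must contain exactly the APIM private IP.
foreach ($h in $hostnames) {
    $label = $h.Split('.')[0]
    $rs  = Get-AzPrivateDnsRecordSet -ResourceGroupName $resGroupName -ZoneName $dnsname `
             -Name $label -RecordType A -ErrorAction SilentlyContinue
    $ips = @($rs.Records | ForEach-Object { $_.Ipv4Address })
    if ($ips.Count -ne 1 -or $ips[0] -ne $apimIP) {
        $failures += "private zone: $h -> [$($ips -join ',')], expected $apimIP"
    }
}

# 2. Split-horizon check from this machine: inside the VNet the names must resolve to the
#    APIM private IP, from the Internet to the Application Gateway public IP. Anything else
#    (for example the private IP published in the public zone) is a misconfiguration.
foreach ($h in $hostnames) {
    $resolved = @([System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString })
    if (($resolved -notcontains $apimIP) -and ($resolved -notcontains $appGwIP)) {
        $failures += "resolver: $h -> [$($resolved -join ',')], expected $apimIP or $appGwIP"
    }
}

# 3. Every backend server must be Healthy; Unhealthy usually means the gateway cannot resolve
#    the custom FQDN to the private IP or does not trust the APIM certificate chain.
$health = Get-AzApplicationGatewayBackendHealth -Name $appgwName -ResourceGroupName $resGroupName
foreach ($pool in $health.BackendAddressPools) {
    foreach ($setting in $pool.BackendHttpSettingsCollection) {
        foreach ($server in $setting.Servers) {
            if ($server.Health -ne "Healthy") {
                $failures += "backend $($server.Address) is $($server.Health)"
            }
        }
    }
}

# 4. The APIM subnet NSG must not allow inbound traffic from the Internet; the instance is
#    meant to be reachable only through the Application Gateway and the VNet.
$apimNsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resGroupName -Name "NSG-APIM"
$internetRules = $apimNsg.SecurityRules | Where-Object {
    $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" -and
    (($_.SourceAddressPrefix -contains "Internet") -or ($_.SourceAddressPrefix -contains "*"))
}
foreach ($r in $internetRules) { $failures += "NSG-APIM allows inbound from Internet: $($r.Name)" }
if ($failures.Count -eq 0) { "All checks passed" } else { $failures | ForEach-Object { "FAIL: $_" } }
```

Run it once from a VM in vmSubnet and once from a machine outside the VNet so that both sides of the split-horizon table are exercised.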

 

posted on 2022-02-08 14:41  Lei Zhang's Blog