Windows Azure Platform series: article index
This is a write-up of a customer case I worked on earlier.
When using Azure API Management, the instance had to be reachable by both internal users (corporate intranet) and external users (Internet):
- Internal users (corporate intranet): deploy API Management into a Virtual Network in internal mode, so that intranet users reach the API Management private IP address over ExpressRoute or a Site-to-Site VPN.
- External users (Internet): they connect to the public IP address of an Azure Application Gateway, which protects the instance (WAF, TLS termination) and then forwards the traffic to API Management.
The overall architecture diagram is as follows:
Before starting the steps below, prepare:
- A custom domain name
- TLS certificates for the custom domain (one .pfx per hostname, plus the issuing root CA .cer that Application Gateway will trust)
- A DNS server (public DNS for the Internet-facing records; the Private DNS Zone created below handles resolution inside the VNet)
The resources created in this example are:
- A new resource group named APIM-RG. Inside it, a new virtual network named apim_vnet (the deployment script below names it appgwvnet), which acts as the DMZ:
- Subnet appGatewaySubnet, CIDR 172.25.0.0/24: hosts the Internet-facing Azure Application Gateway
- Subnet vmSubnet, CIDR 172.25.1.0/24: reserved for VMs (for example a test VM) created manually later
- Subnet apimSubnet, CIDR 172.25.2.0/24: hosts the internal-mode API Management instance
- One more VNet, connected to apim_vnet through VNet peering (the peering steps are omitted here)
- API Management gets three custom hostnames:
- api.leidemo.biz (gateway)
- management.leidemo.biz (management endpoint)
- portal.leidemo.biz (developer portal)
- A Private DNS Zone whose A records point at the API Management private IP address; VMs inside the VNet resolve the three hostnames through this zone
- An Azure Application Gateway; all traffic from Internet users is directed to its public IP address
| API Management hostname | Internal resolution (via Private DNS Zone) | Public resolution (via public DNS) |
|---|---|---|
| api.leidemo.biz | API Management private IP address | Azure Application Gateway public IP address |
| management.leidemo.biz | API Management private IP address | Azure Application Gateway public IP address |
| portal.leidemo.biz | API Management private IP address | Azure Application Gateway public IP address |

The same names therefore resolve differently depending on where the client sits (split-horizon DNS). The Application Gateway itself resolves its backend FQDNs through the Private DNS Zone linked to the VNet, which is why the backend pools in the script can simply use the custom hostnames.
Notes:
- For an internal-only API Management instance, the Test tab under APIs in the Azure portal does not work: the test console sends requests from your browser to the gateway hostname, which resolves only to the private IP address. Test from a VM in vmSubnet (or over the VPN/ExpressRoute connection) instead.
The deployment script follows:

```powershell
# Refer to: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

# Azure China (operated by 21Vianet); drop -Environment for global Azure
Connect-AzAccount -Environment AzureChinaCloud
$subscriptionId = "<subscription ID>"
Get-AzSubscription -SubscriptionId $subscriptionId | Select-AzSubscription

$resGroupName = "APIM-RG"
$location = "chinaeast2"
New-AzResourceGroup -Name $resGroupName -Location $location

#=====================================================================================
# Create a virtual network and a subnet for the application gateway
#=====================================================================================
# NSG for the Application Gateway subnet: the v2 SKU needs the GatewayManager
# control-plane range 65200-65535 plus the client-facing HTTPS port
$appGwRule1 = New-AzNetworkSecurityRuleConfig -Name appgw-in -Description "AppGw inbound" `
    -Access Allow -Protocol * -Direction Inbound -Priority 100 -SourceAddressPrefix `
    GatewayManager -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 65200-65535
$appGwRule2 = New-AzNetworkSecurityRuleConfig -Name appgw-in-internet -Description "AppGw inbound Internet" `
    -Access Allow -Protocol "TCP" -Direction Inbound -Priority 110 -SourceAddressPrefix `
    Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
$appGwNsg = New-AzNetworkSecurityGroup -ResourceGroupName $resGroupName -Location $location -Name `
    "NSG-APPGW" -SecurityRules $appGwRule1, $appGwRule2

# NSG for the API Management subnet: port 3443 from the ApiManagement service tag is the
# management endpoint Azure uses to operate the instance. The NSG default rules still allow
# VirtualNetwork/AzureLoadBalancer inbound and all outbound traffic, which the service depends
# on; check the API Management VNet port reference before adding any deny rules.
$apimRule1 = New-AzNetworkSecurityRuleConfig -Name apim-in -Description "APIM inbound" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix `
    ApiManagement -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3443
$apimNsg = New-AzNetworkSecurityGroup -ResourceGroupName $resGroupName -Location $location -Name `
    "NSG-APIM" -SecurityRules $apimRule1

# 172.25.0.0/24 for Application Gateway
$appGatewaySubnet = New-AzVirtualNetworkSubnetConfig -Name "appGatewaySubnet" -NetworkSecurityGroup $appGwNsg -AddressPrefix "172.25.0.0/24"
# 172.25.1.0/24 for test VM
$vmSubnet = New-AzVirtualNetworkSubnetConfig -Name "vmSubnet" -AddressPrefix "172.25.1.0/24"
# 172.25.2.0/24 for API Management
$apimSubnet = New-AzVirtualNetworkSubnetConfig -Name "apimSubnet" -NetworkSecurityGroup $apimNsg -AddressPrefix "172.25.2.0/24"

# Create this VNet (named appgwvnet here; the resource list above calls it apim_vnet)
$vnet = New-AzVirtualNetwork -Name "appgwvnet" -ResourceGroupName $resGroupName `
    -Location $location -AddressPrefix "172.25.0.0/16" -Subnet $appGatewaySubnet,$vmSubnet,$apimSubnet
$appGatewaySubnetData = $vnet.Subnets[0]
$apimSubnetData = $vnet.Subnets[2]

#=====================================================================================
# Create an API Management instance inside a virtual network
#=====================================================================================
$apimVirtualNetwork = New-AzApiManagementVirtualNetwork -SubnetResourceId $apimSubnetData.Id
$apimServiceName = "contosoPOC01"           # API Management service instance name, must be globally unique
$apimOrganization = "Contoso"               # Organization name
$apimAdminEmail = "admin@contoso.com"       # Administrator's email address

# -VpnType Internal gives the instance a private IP only; this call blocks until provisioning completes
$apimService = New-AzApiManagement -ResourceGroupName $resGroupName -Location $location -Name $apimServiceName `
    -Organization $apimOrganization -AdminEmail $apimAdminEmail -VirtualNetwork $apimVirtualNetwork `
    -VpnType "Internal" -Sku "Developer"

#=====================================================================================
# Set up custom domain names in API Management
#=====================================================================================
$gatewayHostname = "api.leidemo.biz"               # API gateway host
$portalHostname = "portal.leidemo.biz"             # API developer portal host
$managementHostname = "management.leidemo.biz"     # API management endpoint host

$gatewayCertPfxPath = "C:\Users\Contoso\gateway.pfx"          # Full path to api.leidemo.biz .pfx file
$portalCertPfxPath = "C:\Users\Contoso\portal.pfx"            # Full path to portal.leidemo.biz .pfx file
$managementCertPfxPath = "C:\Users\Contoso\management.pfx"    # Full path to management.leidemo.biz .pfx file

# Do not commit real PFX passwords in this script; fill them in at run time
# (for example with Read-Host -AsSecureString, which already yields a SecureString)
$gatewayCertPfxPassword = "<private key password of the api.leidemo.biz pfx>"
$portalCertPfxPassword = "<private key password of the portal.leidemo.biz pfx>"
$managementCertPfxPassword = "<private key password of the management.leidemo.biz pfx>"

# Path to trusted root CER file used in Application Gateway HTTP settings
$trustedRootCertCerPath = "C:\Users\Contoso\trustedroot.cer"   # Full path to leidemo.biz trusted root .cer file

$certGatewayPwd = ConvertTo-SecureString -String $gatewayCertPfxPassword -AsPlainText -Force
$certPortalPwd = ConvertTo-SecureString -String $portalCertPfxPassword -AsPlainText -Force
$certManagementPwd = ConvertTo-SecureString -String $managementCertPfxPassword -AsPlainText -Force

$gatewayHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $gatewayHostname `
    -HostnameType Proxy -PfxPath $gatewayCertPfxPath -PfxPassword $certGatewayPwd
$portalHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $portalHostname `
    -HostnameType DeveloperPortal -PfxPath $portalCertPfxPath -PfxPassword $certPortalPwd
$managementHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $managementHostname `
    -HostnameType Management -PfxPath $managementCertPfxPath -PfxPassword $certManagementPwd

$apimService.ProxyCustomHostnameConfiguration = $gatewayHostnameConfig
$apimService.PortalCustomHostnameConfiguration = $portalHostnameConfig
$apimService.ManagementCustomHostnameConfiguration = $managementHostnameConfig
Set-AzApiManagement -InputObject $apimService

#=====================================================================================
# Configure a private zone for DNS resolution in the virtual network
#=====================================================================================
# This must exist before the Application Gateway is created: the gateway resolves its
# backend FQDNs (the custom hostnames) through this zone to the APIM private IP
$dnsname = "leidemo.biz"
$myZone = New-AzPrivateDnsZone -Name $dnsname -ResourceGroupName $resGroupName
$link = New-AzPrivateDnsVirtualNetworkLink -ZoneName $dnsname `
    -ResourceGroupName $resGroupName -Name "mylink" `
    -VirtualNetworkId $vnet.id

$apimIP = $apimService.PrivateIPAddresses[0]
New-AzPrivateDnsRecordSet -Name api -RecordType A -ZoneName $dnsname `
    -ResourceGroupName $resGroupName -Ttl 3600 `
    -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $apimIP)
New-AzPrivateDnsRecordSet -Name portal -RecordType A -ZoneName $dnsname `
    -ResourceGroupName $resGroupName -Ttl 3600 `
    -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $apimIP)
New-AzPrivateDnsRecordSet -Name management -RecordType A -ZoneName $dnsname `
    -ResourceGroupName $resGroupName -Ttl 3600 `
    -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $apimIP)

#=====================================================================================
# Create a public IP address for the front-end configuration
#=====================================================================================
# The v2 SKU requires a Standard, static public IP
$publicip = New-AzPublicIpAddress -ResourceGroupName $resGroupName `
    -Name "publicIP01" -Location $location -AllocationMethod Static -Sku Standard

#=====================================================================================
# Create application gateway configuration
#=====================================================================================
$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "gatewayIP01" -Subnet $appGatewaySubnetData
$fp01 = New-AzApplicationGatewayFrontendPort -Name "port01" -Port 443
$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "frontend1" -PublicIPAddress $publicip

# Front-end certificates, one per hostname; the listeners below select them by SNI
$certGateway = New-AzApplicationGatewaySslCertificate -Name "gatewaycert" `
    -CertificateFile $gatewayCertPfxPath -Password $certGatewayPwd
$certPortal = New-AzApplicationGatewaySslCertificate -Name "portalcert" `
    -CertificateFile $portalCertPfxPath -Password $certPortalPwd
$certManagement = New-AzApplicationGatewaySslCertificate -Name "managementcert" `
    -CertificateFile $managementCertPfxPath -Password $certManagementPwd

$gatewayListener = New-AzApplicationGatewayHttpListener -Name "gatewaylistener" `
    -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 `
    -SslCertificate $certGateway -HostName $gatewayHostname -RequireServerNameIndication true
$portalListener = New-AzApplicationGatewayHttpListener -Name "portallistener" `
    -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 `
    -SslCertificate $certPortal -HostName $portalHostname -RequireServerNameIndication true
$managementListener = New-AzApplicationGatewayHttpListener -Name "managementlistener" `
    -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 `
    -SslCertificate $certManagement -HostName $managementHostname -RequireServerNameIndication true

# Health probes against the APIM status endpoints
$apimGatewayProbe = New-AzApplicationGatewayProbeConfig -Name "apimgatewayprobe" `
    -Protocol "Https" -HostName $gatewayHostname -Path "/status-0123456789abcdef" `
    -Interval 30 -Timeout 120 -UnhealthyThreshold 8
$apimPortalProbe = New-AzApplicationGatewayProbeConfig -Name "apimportalprobe" `
    -Protocol "Https" -HostName $portalHostname -Path "/signin" `
    -Interval 60 -Timeout 300 -UnhealthyThreshold 8
$apimManagementProbe = New-AzApplicationGatewayProbeConfig -Name "apimmanagementprobe" `
    -Protocol "Https" -HostName $managementHostname -Path "/ServiceStatus" `
    -Interval 60 -Timeout 300 -UnhealthyThreshold 8

# Root CA that issued the APIM certificates, so the gateway validates the backend TLS chain
$trustedRootCert = New-AzApplicationGatewayTrustedRootCertificate -Name "whitelistcert1" -CertificateFile $trustedRootCertCerPath

# -PickHostNameFromBackendAddress re-uses the backend FQDN as the Host header, so APIM
# sees the same custom hostname the client used
$apimPoolGatewaySetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolGatewaySetting" `
    -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimGatewayProbe `
    -TrustedRootCertificate $trustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180
$apimPoolPortalSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolPortalSetting" `
    -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimPortalProbe `
    -TrustedRootCertificate $trustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180
$apimPoolManagementSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolManagementSetting" `
    -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimManagementProbe `
    -TrustedRootCertificate $trustedRootCert -PickHostNameFromBackendAddress -RequestTimeout 180

# Backend pools by FQDN; the gateway resolves them through the Private DNS Zone
$apimGatewayBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "gatewaybackend" `
    -BackendFqdns $gatewayHostname
$apimPortalBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "portalbackend" `
    -BackendFqdns $portalHostname
$apimManagementBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "managementbackend" `
    -BackendFqdns $managementHostname

$gatewayRule = New-AzApplicationGatewayRequestRoutingRule -Name "gatewayrule" `
    -RuleType Basic -HttpListener $gatewayListener -BackendAddressPool $apimGatewayBackendPool `
    -BackendHttpSettings $apimPoolGatewaySetting
$portalRule = New-AzApplicationGatewayRequestRoutingRule -Name "portalrule" `
    -RuleType Basic -HttpListener $portalListener -BackendAddressPool $apimPortalBackendPool `
    -BackendHttpSettings $apimPoolPortalSetting
$managementRule = New-AzApplicationGatewayRequestRoutingRule -Name "managementrule" `
    -RuleType Basic -HttpListener $managementListener -BackendAddressPool $apimManagementBackendPool `
    -BackendHttpSettings $apimPoolManagementSetting

# WAF_v2 in Prevention mode, with a strict predefined TLS policy
$sku = New-AzApplicationGatewaySku -Name "WAF_v2" -Tier "WAF_v2" -Capacity 2
$config = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode "Prevention"
$policy = New-AzApplicationGatewaySslPolicy -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S

#=====================================================================================
# Create an application gateway
#=====================================================================================
$appgwName = "apim-app-gw"
$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $resGroupName -Location $location `
    -BackendAddressPools $apimGatewayBackendPool,$apimPortalBackendPool,$apimManagementBackendPool `
    -BackendHttpSettingsCollection $apimPoolGatewaySetting, $apimPoolPortalSetting, $apimPoolManagementSetting `
    -FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 `
    -HttpListeners $gatewayListener,$portalListener,$managementListener `
    -RequestRoutingRules $gatewayRule,$portalRule,$managementRule `
    -Sku $sku -WebApplicationFirewallConfig $config -SslCertificates $certGateway,$certPortal,$certManagement `
    -TrustedRootCertificate $trustedRootCert -Probes $apimGatewayProbe,$apimPortalProbe,$apimManagementProbe `
    -SslPolicy $policy

# All three backends should report Healthy; Unhealthy usually means the FQDN did not resolve
# through the private zone or the backend certificate chain is not trusted
Get-AzApplicationGatewayBackendHealth -Name $appgwName -ResourceGroupName $resGroupName

#=====================================================================================
# Create the public DNS records
#=====================================================================================
# Get the public IP address
Get-AzPublicIpAddress -ResourceGroupName $resGroupName -Name "publicIP01"

# Finally, add the public DNS records:
# api.leidemo.biz         A record -> IP address of publicIP01 above
# portal.leidemo.biz      A record -> IP address of publicIP01 above
# management.leidemo.biz  A record -> IP address of publicIP01 above
```
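After the deployment, the two DNS views, the Application Gateway backend health and the gateway itself can be checked in one pass. The script below is an added example written for this page; it is not part of the original post. It assumes the names used by the deployment script (resource group APIM-RG, API Management instance contosoPOC01, Application Gateway apim-app-gw, public IP publicIP01, zone leidemo.biz), an Az session already signed in, and the Windows DnsClient module for Resolve-DnsName; the public resolver address is a placeholder. Because the portal's Test tab does not work for an internal-only instance (see the note above), the last step calls the gateway status endpoint directly, over whichever path the machine's own DNS selects.

```powershell
# Post-deployment validation for the internal APIM + Application Gateway setup.
# Added example, not from the original post; save as Test-ApimAppGw.ps1 and run it
# once from a VM inside the VNet and once from an Internet-connected machine.
param(
    [string]$ResourceGroup  = "APIM-RG",
    [string]$ApimName       = "contosoPOC01",
    [string]$AppGwName      = "apim-app-gw",
    [string]$PublicIpName   = "publicIP01",
    [string]$ZoneName       = "leidemo.biz",
    [string]$PublicResolver = "223.5.5.5",      # assumption: any resolver outside the VNet
    [string[]]$Hosts        = @("api", "portal", "management")
)

$failures = New-Object System.Collections.Generic.List[string]

# 1. The two addresses each DNS view is supposed to return
$apim    = Get-AzApiManagement -ResourceGroupName $ResourceGroup -Name $ApimName
$apimIp  = $apim.PrivateIPAddresses[0]
$appGwIp = (Get-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name $PublicIpName).IpAddress
Write-Host "APIM private IP: $apimIp   Application Gateway public IP: $appGwIp"

# 2. Private DNS zone: every hostname must carry an A record for the APIM private IP
$records = Get-AzPrivateDnsRecordSet -ResourceGroupName $ResourceGroup -ZoneName $ZoneName -RecordType A
foreach ($h in $Hosts) {
    $rs  = $records | Where-Object { $_.Name -eq $h }
    $ips = @($rs.Records | ForEach-Object { $_.Ipv4Address })
    if ($ips -notcontains $apimIp) {
        $failures.Add("private zone: $h.$ZoneName -> [$($ips -join ',')], expected $apimIp")
    }
}

# 3. Public DNS: every hostname must point at the gateway and must never expose the private IP
foreach ($h in $Hosts) {
    $fqdn = "$h.$ZoneName"
    try {
        $ips = @(Resolve-DnsName -Name $fqdn -Type A -Server $PublicResolver -ErrorAction Stop |
                 Where-Object { $_.Type -eq "A" } | ForEach-Object { $_.IPAddress })
    } catch { $ips = @() }
    if ($ips -notcontains $appGwIp) {
        $failures.Add("public DNS: $fqdn -> [$($ips -join ',')], expected $appGwIp")
    }
    if ($ips -contains $apimIp) {
        $failures.Add("public DNS: $fqdn leaks the private IP $apimIp")
    }
}

# 4. Application Gateway backend health: each backend server should be Healthy.
#    Unhealthy usually means the gateway could not resolve the backend FQDN through the
#    private zone, or the APIM certificate chain is not covered by the trusted root .cer
$health = Get-AzApplicationGatewayBackendHealth -ResourceGroupName $ResourceGroup -Name $AppGwName
foreach ($pool in $health.BackendAddressPools) {
    foreach ($setting in $pool.BackendHttpSettingsCollection) {
        foreach ($server in $setting.Servers) {
            if ($server.Health -ne "Healthy") {
                $failures.Add("backend $($server.Address): $($server.Health)")
            }
        }
    }
}

# 5. End to end: the APIM gateway status endpoint, reached through the Application Gateway
#    from the Internet or directly from inside the VNet, depending on this machine's DNS
$statusUrl = "https://api.$ZoneName/status-0123456789abcdef"
try {
    $resp = Invoke-WebRequest -Uri $statusUrl -UseBasicParsing -TimeoutSec 30
    Write-Host "$statusUrl -> HTTP $($resp.StatusCode)"
} catch {
    $failures.Add("gateway status check failed: $($_.Exception.Message)")
}

if ($failures.Count -eq 0) {
    Write-Host "All checks passed"
} else {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from inside the VNet and step 5 exercises the private path (the VM must trust the CA that issued the leidemo.biz certificates); run it from the Internet and the same URL goes through the WAF. Step 3's leak check matters because a stray A record for the private IP in public DNS would silently route external clients around the Application Gateway.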