Into the Clouds
As an Integration consultant I spend my time using all sorts of integration products, whether those are ESBs, API management products or queueing mechanisms. Recently I’ve had the chance to experiment a little bit with an Azure API manager PoC. Since I ran into some issues I decided I wanted to write it down here for reference and to solidify the knowledge in my head.
Overview
So in short, what I wanted to set up is as follows: an Azure APIM in a private VNET alongside a mock REST API, which should then be tested through the APIM dev portal. This was not as straightforward as I expected! The first hurdle I ran into is that most documentation around this subject in terms of “Quick start” just sets up an APIM on the public internet and calls it a day. This is not how I wanted to go about it. Microsoft has a dedicated page for it of course as a starting point, which was helpful. Unfortunately for me as an Azure beginner it didn’t quite tell me everything I needed to know (at least not clearly enough). So I had to do some digging and later on found this helpful article by thewindowsupdate.com.
Prerequisites
Before I could connect the components together, I had to roll them out first.
- A resource group
- A private VNET with 3 subnets
- A network security group (NSG) to attach to the VNET.
- Azure API management in “Internal mode”
- An Azure container app with my mock api (I wanted to use my custom docker image from my previous blog post which uses Stoplight Prism to mock a rest API. I put the image on dockerhub and pulled it in easily via the Azure container app wizard.)
I hoped I would be good to go and be able to test an API from the dev portal now. That was of course a bit silly as the APIM is now in internal mode and I can’t reach it from the public internet at all. So started my learning curve.
Private VNET with subnets
One subnet for the API management node, one for the mock API and as I found out later on, another VM subnet as well. I will explain down below. I just made some /24 subnets, 10.1.0.0 to 10.3.0.0.
NSG
Open the ports listed for “Internal” in the docs.
Azure APIM
Just follow the instructions from the docs, use the Developer license, as it’s the cheapest option for a PoC, and add the REST API to it. To add a REST API to the APIM, simply upload the OAS file and you’re good to go; afterwards you only need to set a few things like the API name, the base URL (like /myapi) and the backend URL (in this case the container app URL after it’s been set up).
API mocking container app
The wizard asked to create some extra components but generally this was fairly straightforward: I added my dockerhub image with Prism + the API and it started up. One thing I did tweak is to create a revision that starts up after 1 HTTP call, so I can have a Kubernetes pod automatically start when I’m testing but have it shut down soon after. (This test setup might be more logical with an Azure function but I’ll try that another time..)
Computer says no
The first thing that is disabled in Azure APIM is the “Try out” screen for APIs when you set it to internal mode. The test calls go via the public internet so they are not able to reach the APIM at all. To resolve this I needed the extra VM subnet to create a cheap Windows VM, connect to it, start a browser and copy paste my dev portal URL into the VM. Since this VM is on the same VNET as the APIM I could now open the devportal. (If you copy the URL from the “Go to devportal” button in Azure, do remove the token query parameter, otherwise you will end up in the portal customisation mode, which you don’t need for API testing.) Unfortunately this still doesn’t allow the devportal try out functionality to reach the container; some extra DNS wizardry has to be done for that.
Private DNS configurations for:
- scm.azure-api.net
- azure-api.net
- developer.azure-api.net
- management.azure-api.net
Set these with an A record pointed at the API management node. So one of these will resolve to my_apim.azure-api.net for example. And one for:
- container_hostname.westeurope.azurecontainerapps.io
This one points at the specific containerapp revision.
With these Private DNS settings you might have to apply the network configuration to the APIM. As you can’t just “restart” APIM, you can use the Azure API for that, listed here; if you click the “Try it” button and set the right details, it does the rest for you.
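To confirm from the VM inside the VNET that every one of these names really resolves through the private zones and not through public DNS, a small check like the following can help. It is an added example, not part of the original setup; the function names, status strings and the choice of 10.1.0.0/24 for the APIM subnet and 10.2.0.0/24 for the mock API subnet are assumptions, and the sample answers are constructed.

```python
import ipaddress
import socket

# Zone names from the list above; the APIM service name is prepended to each.
APIM_ZONES = ("azure-api.net", "developer.azure-api.net",
              "management.azure-api.net", "scm.azure-api.net")

def system_resolver(hostname):
    """IPv4 answers from the OS resolver (run this on the VM inside the VNET)."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify(addresses, expected_subnet):
    """Grade one hostname's answers against the subnet its A record should point into."""
    if not addresses:
        return "NO_ANSWER"        # private zone or record missing
    subnet = ipaddress.ip_network(expected_subnet)
    ips = [ipaddress.ip_address(a) for a in addresses]
    if any(ip.is_global for ip in ips):
        return "PUBLIC"           # answered by public DNS, not the private zone
    if all(ip in subnet for ip in ips):
        return "OK"
    return "WRONG_SUBNET"         # private address, but not the intended target

def check_private_dns(apim_name, apim_subnet, backend_host, backend_subnet,
                      resolver=system_resolver):
    """Return {hostname: status} for the four APIM endpoints and the backend."""
    expected = {f"{apim_name}.{zone}": apim_subnet for zone in APIM_ZONES}
    expected[backend_host] = backend_subnet
    return {host: classify(resolver(host), subnet) for host, subnet in expected.items()}

# Constructed sample answers (not real lookups) covering each outcome.
SAMPLE_ANSWERS = {
    "my_apim.azure-api.net": ["10.1.0.5"],
    "my_apim.developer.azure-api.net": ["10.1.0.5"],
    "my_apim.management.azure-api.net": ["20.50.2.1"],   # constructed public address
    "container_hostname.westeurope.azurecontainerapps.io": ["10.3.0.7"],
}

def sample_report():
    return check_private_dns(
        "my_apim", "10.1.0.0/24",
        "container_hostname.westeurope.azurecontainerapps.io", "10.2.0.0/24",
        resolver=lambda host: SAMPLE_ANSWERS.get(host, []))

if __name__ == "__main__":
    for host, status in sample_report().items():
        print(f"{status:13} {host}")
```

Calling check_private_dns without the resolver argument uses the VM's own DNS settings, so any status other than OK points at the zone or record that still needs fixing.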
Testing.. Testing..
After setting all this up, all I had to do was log into the API management devportal and run some tests. After quite a few hurdles I was successfully able to call my container and got an answer from Prism. I must say that in some cases where I couldn’t quite figure out how the Azure concept translated to my own frame of reference, ChatGPT was a great help to just ask questions about the Azure docs without having to trawl through it all. (Although I still did a lot of that..) Next I started fiddling around with a mock SOAP API as well as trying to enable OAuth2 authz for the dev portal; when I’ve figured that out I’ll write that into another blog post.