
Azure AppGW in front of APIM without vnet

I'm in the process of setting up an Azure APIM architecture. One of the requirements is to be able to handle both internal and external APIs.

To do so there is a nice architecture (and lots of documentation) where APIM is in a VNET and an APPGW is in front to route or block external/internal traffic to APIM:

( https://i.stack.imgur.com/BlpIk.png )

However, this setup is only possible with premium APIM, aka the rather expensive edition. For cost optimisation we would prefer to use the Standard edition if possible.

So my question: is it possible to implement the above architecture (APPGW in front of APIM) where APIM is not in a vnet? This is to meet requirements to secure APIM and to expose internal/external APIs.

I would think it is possible; the APPGW would have the public APIM IP in its backend pool to make the connection. However, now that connection goes over the internet, which is insecure, or will Azure do some internal network routing for this?

Or more generally: what's a best-practice architecture when APIM is not VNET integrated?

Could not find any detailed documentation that covers this topic.

Thanks

You could have some network restrictions, but your APIM would still be exposed over the internet, and Azure will not take extra measures to protect the traffic between your App Gateway, APIM and backends.

Some services can route their traffic through the Microsoft Global Network, but unfortunately APIM is not one of them.

Please make sure you are using HTTPS between your services and set some whitelisting in place.

The only benefit you would get from putting a public APIM behind Application Gateway is the layer 7 load balancing (which you may not need), but you will not benefit from any of the security features of the Application Gateway. On the APIM side, you may block any traffic that does not come from the traffic manager public IP using the ip-filter policy, but the request will still arrive at your APIM service and be blocked there instead of being blocked on the Application Gateway side, which can be integrated with WAF to add an extra security layer. So, the idea here is that your APIM service is still publicly accessible from anywhere in the world!
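As an added example (not part of either answer), this is what the ip-filter restriction mentioned above looks like as an APIM inbound policy at the All APIs scope. The IP address is a constructed placeholder for the Application Gateway's frontend public IP, and the `check-header` rule is an assumption layered on top: it presumes you configure an App Gateway rewrite rule that injects a shared-secret header stored as the APIM named value `gateway-shared-secret`, neither of which the answers describe.

```xml
<policies>
    <inbound>
        <!-- Only accept requests that arrive from the Application Gateway
             frontend IP. 203.0.113.10 is a constructed placeholder; replace it
             with the gateway's real public IP. Anything else gets 403 here,
             but note the request has still reached APIM over the internet. -->
        <ip-filter action="allow">
            <address>203.0.113.10</address>
        </ip-filter>
        <!-- Assumption (not in the post): the gateway's rewrite rule adds a
             shared-secret header, so a request that reaches APIM without
             passing through the gateway is rejected even if the source IP
             check were satisfied. The secret lives in an APIM named value. -->
        <check-header name="X-Gateway-Token" failed-check-httpcode="403"
                      failed-check-error-message="Forbidden" ignore-case="false">
            <value>{{gateway-shared-secret}}</value>
        </check-header>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because these checks run inside APIM, they confirm the answer's point: the filtering happens after the request has already hit the public APIM endpoint, so none of Application Gateway's WAF protection is applied to it.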
