使用Azure Application Gateway与Azure API Management服务访问Azure API开发人员门户网站时会遇到错误
我们在使用本指南配置的Azure中进行了以下设置( https://learn.microsoft.com/en-us/azure/architecture/reference-Architectures/apis/protect-apis )
App Gateway带有public ip cally =======在内部模式(开发层)中配置的Azure APIM服务
详细信息:
- App Gateway和APIM在同一VNET中,但在单独的子网中。
- App Gateway仅具有禁用防火墙的公共IP(用于测试目的)。
- APIM以内部模式配置。
- 使用自定义域和SSL证书在App Gateway中配置了三个侦听器,一个用于API,一个用于开发人员门户的侦听器,另一个用于API管理端点)。
- 在同一VNET中已部署VM并配置。
App Gateway域是:(互联网可访问)
- dev.apiportal.xxxx.com ==> API Portal
- dev.api.xxxx.com ==> API Gateway
- dev.apimanagement.xxxx.com ==> API管理
APIM服务使用默认域:(在Internet上无法访问。APIM是在内部模式下配置的)
- dev-apim.developer.azure-api.net ==> API Portal
- dev-apim.azure-api.net ==> API Gateway
- dev-apim.management.azure-api.net ==> API管理
在APP GW上针对上述这些端点定义的探针是健康的,在绿色状态
问题陈述中:
- 可以使用默认链接从上面的#5中访问API门户。我可以使用门户中添加的用户登录。 VM的主机文件已通过IP地址和APIM服务的默认主机名进行修改。从VM访问时,门户网站正常工作。
- 当我尝试使用自定义域从Internet访问门户(在App GW上方#4中提到的侦听器上配置)Portal LoadS可以很好地进行。
- 当我尝试使用同一用户登录时(在#1中提到)无效,而我得到的错误是“请提供有效的电子邮件和密码”。单击登录按钮后将近15-20秒后出现此错误。
- 当我尝试检查浏览器开发人员工具中的错误时,发现即使使用互联网面向URL访问门户,也指出了API管理的内部URL。
。
想了解我们是否还需要为APIM服务提供自定义域以使此设置工作吗?有任何指针可以解决此错误吗?
We have following setup in Azure configured using this guide (https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/apis/protect-apis)
App Gateway with Public IP calling ===> Azure APIM Service configured in Internal mode (development tier)
Details:
- Both App Gateway and APIM are in same VNet but in separate subnets.
- App Gateway has only public IP with Firewall disabled (for testing purpose).
- APIM is configured in Internal mode.
- Three listeners, one for API, one for developer portal and one for API management endpoint) are configured in App Gateway using custom domains and SSL certificates.
- There is VM deployed and configure in same VNet.
APP Gateway Domains are: (Internet Accessible)
- dev.apiportal.xxxx.com ==> API Portal
- dev.api.xxxx.com ==> API
Gateway - dev.apimanagement.xxxx.com ==> API Management
APIM Service is using default domains: (Not accessible on internet. APIM is configured in Internal mode)
- dev-apim.developer.azure-api.net ==> API Portal
- dev-apim.azure-api.net ==> API Gateway
- dev-apim.management.azure-api.net ==> API Management
There probes defined on App GW for these endpoint mentioned above are healthy and in green status
Problem Statement:
- API portal is accessible from VM mentioned in #5 above using default links. I am able to login using user added in portal. VM's host file has been modified with IP address and default host name of APIM service. Portal works fine when accessed from VM.
- When I try to access portal from internet using custom domain (configured on listeners mentioned in #4 above of App GW) portal loads fine.
- When I try to login using same user (mentioned in #1) doesn't work and error I get is "Please provide a valid email and password". This error appears after almost 15-20 seconds after clicking sign in button.
- When I tried to check error in browser developer tools found that even though portal is accessed using internet facing URL one request for management Api is pointed to internal URL of Api management.
.
Wanted to understand if we need to have custom domains for APIM service as well in order to get this setup working? Any pointer to fix this error?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
•谢谢 @pankaj kapare 您的问题以及您在评论部分中提供的后续解决方案。我正在详细发表您的评论,并提供一些可能的解决方案作为答案。
使用应用程序网关中提到的自定义域设置APIM服务的URL,而APIM服务仍在内部模式下运行有助于登录APIM开发人员门户网站,即,设置定义的相同自定义域在APIM端点的应用网关 中。
•您还可以通过为应用程序网关配置的自定义域的CNAME记录来解决此DNS映射问题,并在APIM服务中提及默认域URL的别名。因此,通过为APIM服务中的默认域创建CNAME DNS记录,您可以将应用程序网关的自定义域URL的请求重定向到APIM服务中的默认域URL。
但是,为此,您还需要在Azure中创建一个私有DNS区域,并在其中创建上述内容,这将限制Internet访问APIM URL并在内部重定向请求。
• Thank you @Pankaj Kapare for your question and the subsequent resolution that you have provided in the comments section. I am posting the same comment of yours elaborately and some additional probable resolution as an answer.
Setting the APIM service’s URls with the custom domain that is mentioned in the application gateway while still the APIM service operational in internal mode helped login to the APIM developer portal successfully, i.e., setting the same custom domain that are defined in application gateway in the APIM’s endpoints.
• You can also resolve this DNS mapping issue by creating a CNAME record for the custom domain configured in application gateway and mentioning an alias to the default domain URL in the APIM service. Thus, by creating a CNAME DNS record for the default domain in the APIM service, you can redirect the requests for the application gateway’s custom domain URL to the default domain URL in the APIM service.
But for this also, you would need to create a private DNS zone in Azure and create the above said in it which will restrict the internet access to the APIM URLs and redirect the requests internally.