Tags: azure, azure-cloud-services, azure-worker-roles, azure-api-management, azure-virtual-network

How do I have my Worker Role only communicate with my APIM API?


I have a worker role that hosts an ApiController, and it currently communicates with the public internet via http and https input endpoints I've defined in its Service Configuration file.

I would like to put this API behind an Azure APIM API, and have all traffic go through there, rather than hitting the worker role directly. I'm most of the way there, but am having trouble ensuring the worker role can't be hit directly from the public internet.


Currently:


I believe the best way for me to prevent my worker role from being accessed directly from the public internet would be defining Access Control List rules in its configuration file that would only allow calls originating from my APIM API. It would look something like this:

<AccessControls>
  <AccessControl name="APIM">
    <Rule action="permit" description="OnlyPermitAPIM" order="100" remoteSubnet="?" />
  </AccessControl>
</AccessControls>
<EndpointAcls>
  <EndpointAcl role="RoleName" endPoint="httpsIn" accessControl="APIM"/>
  <EndpointAcl role="RoleName" endPoint="httpIn" accessControl="APIM"/>
</EndpointAcls>

I'm not sure what the correct value would be for the remoteSubnet property. I tried entering the Address space value of my ARM Virtual Network (which my APIM API resides on), but that didn't seem to work; test calls returned a 500 status.

Is this the right approach? Also, is there a way to ensure that my APIM API makes a call directly through the peered virtual networks? Right now I believe it's still going through the public internet.


Solution

  • I was on the right track. The only thing I needed to change was the value of remoteSubnet. Rather than the address space of the ARM virtual network, I needed to include the API Management service's VIP. The relevant section of the .cscfg file looked like this:

    <AccessControls>
      <AccessControl name="APIM">
        <Rule action="permit" description="OnlyPermitAPIM" order="100" remoteSubnet="<VIP address of APIM service>/32" />
      </AccessControl>
    </AccessControls>
    <EndpointAcls>
      <EndpointAcl role="RoleName" endPoint="httpsIn" accessControl="APIM"/>
      <EndpointAcl role="RoleName" endPoint="httpIn" accessControl="APIM"/>
    </EndpointAcls>
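The accepted answer shows the working .cscfg fragment but not how to confirm that the ACL actually closes the endpoints to everything except API Management. The script below is an added example written for this page, not code from the question, the answer or Azure itself. It lints a .cscfg the way a reviewer would before deploying: every input endpoint of the role must be bound to an AccessControl, every permit rule must be exactly one of the sources you intend to allow (the APIM VIP as a /32), and every endpoint's ACL must in fact permit that VIP, because an endpoint ACL with only permit rules implicitly denies all other traffic, so a wrong or missing permit blocks APIM itself. It assumes the standard ServiceConfiguration namespace, that AccessControls and EndpointAcls sit under NetworkConfiguration as in a full .cscfg, and uses two constructed sample configurations with a placeholder VIP from the 203.0.113.0/24 documentation range. The "bad" sample reproduces the mistake from the question (the VNet address space as remoteSubnet) plus an endpoint left without an ACL.

```python
"""Lint Endpoint ACLs in an Azure Cloud Services .cscfg so that a worker role's
input endpoints accept traffic only from the API Management service's VIP.

Added example for this page; not code from the question, the answer or Azure.
Assumptions: standard ServiceConfiguration namespace, AccessControls and
EndpointAcls under NetworkConfiguration, and constructed sample .cscfg text.
"""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"sc": "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"}

# Constructed sample: the answer's fragment with a placeholder APIM VIP (203.0.113.10).
GOOD_CSCFG = """<ServiceConfiguration serviceName="Svc" xmlns="%s" osFamily="4" osVersion="*">
  <Role name="RoleName"><Instances count="1"/></Role>
  <NetworkConfiguration>
    <AccessControls>
      <AccessControl name="APIM">
        <Rule action="permit" description="OnlyPermitAPIM" order="100" remoteSubnet="203.0.113.10/32"/>
      </AccessControl>
    </AccessControls>
    <EndpointAcls>
      <EndpointAcl role="RoleName" endPoint="httpsIn" accessControl="APIM"/>
      <EndpointAcl role="RoleName" endPoint="httpIn" accessControl="APIM"/>
    </EndpointAcls>
  </NetworkConfiguration>
</ServiceConfiguration>""" % NS["sc"]

# Constructed sample of the mistake in the question: VNet address space instead
# of the APIM VIP, and httpIn left without any ACL at all.
BAD_CSCFG = GOOD_CSCFG.replace("203.0.113.10/32", "10.0.0.0/16").replace(
    '      <EndpointAcl role="RoleName" endPoint="httpIn" accessControl="APIM"/>\n', "")


def lint_endpoint_acls(cscfg_xml, role, endpoints, allowed_sources):
    """Return a list of findings; an empty list means the ACLs look right.

    role            -- the worker role name as in <Role name="...">
    endpoints       -- input endpoint names (from the .csdef) that must be locked down
    allowed_sources -- CIDR strings that may be permitted, e.g. the APIM VIP as a /32
    """
    findings = []
    root = ET.fromstring(cscfg_xml)
    allowed = {ipaddress.ip_network(s, strict=True) for s in allowed_sources}

    # Collect each AccessControl's rules, rejecting anything that is not valid CIDR
    # (strict=True also rejects a network with host bits set, e.g. 10.0.1.5/16).
    acls = {}
    for acl in root.iterfind(".//sc:AccessControls/sc:AccessControl", NS):
        rules = []
        for rule in acl.iterfind("sc:Rule", NS):
            subnet = rule.get("remoteSubnet", "")
            try:
                net = ipaddress.ip_network(subnet, strict=True)
            except ValueError:
                findings.append(f"AccessControl {acl.get('name')}: remoteSubnet {subnet!r} is not valid CIDR")
                continue
            rules.append((int(rule.get("order", "0")), rule.get("action"), net))
        acls[acl.get("name")] = sorted(rules, key=lambda r: r[0])

    # Every listed endpoint of the role must be bound to an AccessControl that exists;
    # an unbound input endpoint stays reachable from the whole internet.
    bound = {}
    for ea in root.iterfind(".//sc:EndpointAcls/sc:EndpointAcl", NS):
        if ea.get("role") == role:
            bound[ea.get("endPoint")] = ea.get("accessControl")
    for ep in endpoints:
        if ep not in bound:
            findings.append(f"endpoint {ep} on role {role} has no EndpointAcl and is open to the internet")
        elif bound[ep] not in acls:
            findings.append(f"endpoint {ep} references unknown AccessControl {bound[ep]!r}")

    # Permit rules must be exactly the intended sources: a VNet address space or
    # 0.0.0.0/0 here would admit far more than the APIM service.
    for name, rules in acls.items():
        for order, action, net in rules:
            if action == "permit" and net not in allowed:
                findings.append(f"AccessControl {name} rule {order} permits {net}, which is not an allowed source")

    # The other failure mode: with only permit rules everything else is implicitly
    # denied, so if the APIM VIP is not permitted, APIM's own calls are blocked.
    for ep in endpoints:
        name = bound.get(ep)
        if name in acls:
            permitted = {net for _, action, net in acls[name] if action == "permit"}
            for src in sorted(allowed, key=str):
                if src not in permitted:
                    findings.append(f"endpoint {ep}: {src} is not permitted by AccessControl {name}, APIM calls will be blocked")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CSCFG), ("bad", BAD_CSCFG)):
        print(label, lint_endpoint_acls(cfg, "RoleName", ["httpIn", "httpsIn"], ["203.0.113.10/32"]))
```

Run it against the real .cscfg with the endpoint names from the .csdef and the VIP shown on the API Management service's overview page. Re-run it whenever the APIM service's network configuration changes, since its VIP is not guaranteed to stay the same, and any finding about an unpermitted source is the same condition that produced the 500s in the question: APIM could not reach the backend.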