I have a worker role that hosts an ApiController
, and it currently communicates with the public internet via http and https input endpoints I've defined in its Service Configuration file.
I would like to put this API behind an Azure APIM API, and have all traffic go through there, rather than hitting the worker role directly. I'm most of the way there, but am having trouble ensuring the worker role can't be hit directly from the public internet.
Currently:
I believe the best way for me to prevent my worker role from being accessed directly from the public internet would be defining Access Control List rules in its configuration file that would only allow calls originating from my APIM API. It would look something like this:
<AccessControls>
<AccessControl name="APIM">
<Rule action="permit" description="OnlyPermitAPIM" order="100" remoteSubnet="?" />
</AccessControl>
</AccessControls>
<EndpointAcls>
<EndpointAcl role="RoleName" endPoint="httpsIn" accessControl="APIM"/>
<EndpointAcl role="RoleName" endPoint="httpIn" accessControl="APIM"/>
</EndpointAcls>
I'm not sure what the correct value would be for the remoteSubnet
property. I tried entering the Address space value of my ARM Virtual Network (which my APIM API resides on), but that didn't seem to work, test calls returned a 500 status.
Is this the right approach? Also, is there a way to ensure that my APIM API makes a call directly through the peered virtual networks? Right now I believe it's still going through the public internet.
I was on the right track. The only thing I needed to change was the value of remoteSubnet. Rather than the address space of the ARM virtual network, I needed to include the API Management service's VIP. The relevant section of the .cscfg file looked like this:
<AccessControls>
<AccessControl name="APIM">
<Rule action="permit" description="OnlyPermitAPIM" order="100" remoteSubnet="<VIP address of APIM service>/32" />
</AccessControl>
</AccessControls>
<EndpointAcls>
<EndpointAcl role="RoleName" endPoint="httpsIn" accessControl="APIM"/>
<EndpointAcl role="RoleName" endPoint="httpIn" accessControl="APIM"/>
</EndpointAcls>