Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

[APIM] cannot create an APIM with public network access disabled #23683

Open zadigus opened 1 year ago

zadigus commented 1 year ago

Following the documentation, I am trying to issue the following command:

az apim create --name "my-private-apim" --publisher-email "<my-email>" --publisher-name "<my-name>" --resource-group some-rg-name --location eastus --sku-name Developer --public-network-access false --virtual-network None

When I look at the result in the Azure Portal, I can see that the APIM has been provided with a public IP address. When I export the template on azure portal, I can see that the field "publicNetworkAccess" is filled with value "Enabled".

I tried to do the same with option --virtual-network set to Internal and I also get that the public network access actually is enabled.

Am I doing something wrong? What is happening here?

sven5 commented 1 year ago

Perhaps create does something wrong. Could you try updating with update https://learn.microsoft.com/en-us/cli/azure/apim?view=azure-cli-latest#az-apim-update

navba-MSFT commented 1 year ago

@zadigus Thanks for reaching out to us and reporting this issue. We are looking into this issue and we will provide an update.

navba-MSFT commented 1 year ago

@zadigus This issue seems like a bug in our backend service as it seems to be returning the "publicNetworkAccess": "Enabled", in the response. I am discussing this internally with the Product Owners. I will keep you posted.

navba-MSFT commented 1 year ago

@zadigus The PublicNetworkAccess setting says: "Whether or not public endpoint access is allowed for this API Management service. Value is optional but if passed in, must be 'Enabled' or 'Disabled'."

So could you mention it as Disabled instead of False? If 'Disabled', private endpoints are the exclusive access method. Default value is 'Enabled'.

Name      Type    Description
Disabled  string
Enabled   string

More Info here: https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/api-management-service/create-or-update?tabs=HTTP#publicnetworkaccess

Note:

  1. Blocking all public network access by setting property publicNetworkAccess of API Management service is not enabled during service creation.
  2. Disabling all publicNetworkAccess for service is not supported if the service does not have at least one approved Private Endpoint Connection.

zadigus commented 1 year ago

@navba-MSFT when I run

az apim create --name "my-private-apim" --publisher-email "<my-email>" --publisher-name "<my-name>" --resource-group some-rg-name --location eastus --sku-name Developer --public-network-access Disabled --virtual-network None

I get the following error:

az apim create: 'Disabled' is not a valid value for '--public-network-access'. Allowed values: true, false.

Here's my azure cli version stuff:

$ az --version                                                                  
azure-cli                         2.45.0 *                                   

core                              2.45.0 *                                   
telemetry                          1.0.8                                     

Extensions:                                                                  
aks-preview                       0.5.85                                     
dns-resolver                       0.2.0                                     

Dependencies:                                                                
msal                              1.20.0                                     
azure-mgmt-resource             21.1.0b1                                     

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\lmichel\.azure\cliextensions'                 

Python (Windows) 3.10.8 (tags/v3.10.8:aaaf517, Oct 11 2022, 16:37:59) [MSC v.1933 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

sven5 commented 1 year ago

@zadigus The doc for Azure CLI doesn't mention Disabled or Enabled

--public-network-access
Whether or not public endpoint access is allowed for this API Management service. If set to true, private endpoints are the exclusive access method.

accepted values: false, true

Source: https://learn.microsoft.com/en-us/cli/azure/apim?view=azure-cli-latest#az-apim-update

@navba-MSFT is referring to REST API, not Azure CLI.

I think the main issue is that this setting is not allowed to be set to false during creation of APIM. You only can set it to false after successful creation of APIM with the help of az apim update. I faced this issue yesterday during provisioning using terraform.

navba-MSFT commented 1 year ago

@zadigus That's an issue with Azure CLI. I will file a PR to address this in Azure CLI.

In the meantime, you can invoke this REST API where it clearly talks about the --public-network-access accepting the values Enabled or Disabled.

Also seeing the REST API Specs swagger, I see the accepted values are Enabled or Disabled.

sven5 commented 1 year ago

I think the main issue is that this setting is not allowed to be set to false during creation of APIM. You only can set it to false after successful creation of APIM with the help of az apim update. I faced this problem yesterday during provisioning using terraform.

Error Message:

Failure sending request: StatusCode=400 -- Original Error: Code="NotSupported" 
Message="Blocking all public network access by setting property `publicNetworkAccess` 
of API Management service 
/subscriptions/b3e33227-e8c0-44b7-a3b5-7b1dd13d465b/resourceGroups/xxxx-westeurope-001/providers/Microsoft.ApiManagement/service/apim-xxxx
is not enabled during service creation."
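
A post-deployment check for the behaviour discussed in this thread, as an added example that is not from the thread or from Azure's tooling: it reads the service resource JSON and reports when `publicNetworkAccess` is not what was requested, or when no approved private endpoint connection exists. The function names and sample resources are constructed for illustration, and accepting both the nested REST shape and a flattened CLI shape is an assumption.

```python
import json

# Constructed sample in the shape of the REST GET response for an APIM service;
# the names are placeholders, not values from the thread.
SAMPLE_AFTER_CREATE = json.loads("""
{"name": "my-private-apim",
 "properties": {"publicNetworkAccess": "Enabled",
                "virtualNetworkType": "None",
                "privateEndpointConnections": []}}
""")

# Constructed sample of the intended end state: one approved private endpoint
# connection, then public access disabled by a later update.
SAMPLE_LOCKED_DOWN = {
    "name": "my-private-apim",
    "properties": {
        "publicNetworkAccess": "Disabled",
        "privateEndpointConnections": [
            {"name": "pe-conn-1",
             "properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}
        ],
    },
}

def approved_private_endpoints(resource):
    """Names of private endpoint connections whose state is 'Approved'."""
    props = resource.get("properties", resource)  # assumption: nested or flattened
    names = []
    for conn in props.get("privateEndpointConnections") or []:
        state = conn.get("properties", conn).get("privateLinkServiceConnectionState") or {}
        if state.get("status") == "Approved":
            names.append(conn.get("name", "<unnamed>"))
    return names

def check_public_access(resource, requested="Disabled"):
    """Compare the deployed state with the requested one; return findings."""
    props = resource.get("properties", resource)
    # Per the REST docs quoted in the thread, the default is 'Enabled'.
    actual = props.get("publicNetworkAccess") or "Enabled"
    findings = []
    if actual != requested:
        findings.append(f"publicNetworkAccess is {actual!r}, requested {requested!r}")
    if requested == "Disabled" and not approved_private_endpoints(resource):
        findings.append("no approved private endpoint connection; "
                        "Disabled is not supported without one")
    return findings
```

Running `check_public_access` on the resource JSON after each deployment step catches the case from the first comment, where the create call succeeds but the service is left with public access enabled.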