cykreng / Enterprise-Scale-APIM


Application Gateway Overview #60

Open petemessina opened 2 years ago

petemessina commented 2 years ago

Is it possible in the documentation and user guide to add some high-level reasoning around the use and why app gateway is in the architecture? When working through implementations with customers it is a common question I see and if we can add some guidance here it would clarify the need.

aionic commented 2 years ago

More info around why we are using an App Gateway as a WAF in front of APIM. How does APIM being set up in internal mode impact this? How does this work together?

briandenicola commented 2 years ago

The reason for App Gateway in front of APIM is to follow best practice for APIM. APIM does not offer any protection against a wide variety of web-based attacks. In every financial client that I have, it is required to have a WAF in front of APIM - and it is our recommendation to use AppGateway as the solution. The WAF protects against things like - https://owasp.org/www-project-top-ten/

When APIM is deployed in internal mode, it does not have an external IP address for the developer portal, gateway, or SCM components. The AppGateway hosts the external IP address/certificate for the gateway component. The developer portal and SCM are not typically exposed externally. The AppGateway terminates all TLS connections, inspects the packets, then establishes a connection to the APIM gateway over another TLS connection.

This link goes into details on how they work together - https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway
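The topology described in the comment above (App Gateway holding the public IP and certificate, WAF in blocking mode, TLS terminated and then re-established to the internal APIM gateway), written out as a Bicep example. This is an added illustration, not code from the Enterprise-Scale-APIM repository: the resource names, the hostnames `api.contoso.example` and `api.contoso.internal`, the internal IP `10.0.1.5` and the subnet/public IP/Key Vault secret parameters are all assumptions. The health probe path `/status-0123456789abcdef` is the APIM gateway's documented health endpoint.

```bicep
// Added example (not from the Enterprise-Scale-APIM repo): WAF_v2 App Gateway in
// front of an APIM instance deployed in internal VNet mode. All names and addresses
// below are assumptions for illustration.
param location string = resourceGroup().location
param appGwSubnetId string                 // assumption: dedicated App Gateway subnet
param publicIpId string                    // assumption: Standard SKU public IP
param keyVaultCertSecretId string          // assumption: Key Vault secret ID of the public TLS cert
param apimInternalIp string = '10.0.1.5'   // assumption: internal VIP of the APIM gateway
param apimGatewayHost string = 'api.contoso.internal'  // assumption: APIM custom gateway hostname
param publicHost string = 'api.contoso.example'        // assumption: hostname clients connect to

var appGwName = 'apim-appgw'

// WAF policy: OWASP Core Rule Set in Prevention mode, so matching requests are
// blocked rather than only logged, and request bodies are inspected too.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2022-07-01' = {
  name: 'apim-waf-policy'
  location: location
  properties: {
    policySettings: { state: 'Enabled', mode: 'Prevention', requestBodyCheck: true }
    managedRules: {
      managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.2' } ]
    }
  }
}

resource appGw 'Microsoft.Network/applicationGateways@2022-07-01' = {
  name: appGwName
  location: location
  properties: {
    sku: { name: 'WAF_v2', tier: 'WAF_v2' }
    autoscaleConfiguration: { minCapacity: 1, maxCapacity: 3 }
    firewallPolicy: { id: wafPolicy.id }
    gatewayIPConfigurations: [
      { name: 'appgw-ipcfg', properties: { subnet: { id: appGwSubnetId } } }
    ]
    // The only public entry point: App Gateway owns the external IP and certificate.
    frontendIPConfigurations: [
      { name: 'public-frontend', properties: { publicIPAddress: { id: publicIpId } } }
    ]
    frontendPorts: [ { name: 'port-443', properties: { port: 443 } } ]
    sslCertificates: [
      { name: 'public-cert', properties: { keyVaultSecretId: keyVaultCertSecretId } }
    ]
    // Backend is the APIM gateway's internal IP; nothing else is exposed.
    backendAddressPools: [
      { name: 'apim-gateway-pool', properties: { backendAddresses: [ { ipAddress: apimInternalIp } ] } }
    ]
    probes: [
      {
        name: 'apim-gateway-probe'
        properties: {
          protocol: 'Https'
          host: apimGatewayHost
          path: '/status-0123456789abcdef'   // APIM gateway health endpoint
          interval: 30
          timeout: 30
          unhealthyThreshold: 3
        }
      }
    ]
    // Second TLS hop: after inspection, App Gateway re-encrypts to APIM and presents
    // the APIM gateway hostname so APIM's own certificate and hostname routing match.
    backendHttpSettingsCollection: [
      {
        name: 'apim-https-settings'
        properties: {
          port: 443
          protocol: 'Https'
          hostName: apimGatewayHost
          requestTimeout: 30
          probe: { id: resourceId('Microsoft.Network/applicationGateways/probes', appGwName, 'apim-gateway-probe') }
        }
      }
    ]
    // First TLS hop: clients terminate at App Gateway using the public certificate.
    httpListeners: [
      {
        name: 'public-https-listener'
        properties: {
          frontendIPConfiguration: { id: resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', appGwName, 'public-frontend') }
          frontendPort: { id: resourceId('Microsoft.Network/applicationGateways/frontendPorts', appGwName, 'port-443') }
          protocol: 'Https'
          hostName: publicHost
          sslCertificate: { id: resourceId('Microsoft.Network/applicationGateways/sslCertificates', appGwName, 'public-cert') }
        }
      }
    ]
    requestRoutingRules: [
      {
        name: 'api-to-apim'
        properties: {
          ruleType: 'Basic'
          priority: 100
          httpListener: { id: resourceId('Microsoft.Network/applicationGateways/httpListeners', appGwName, 'public-https-listener') }
          backendAddressPool: { id: resourceId('Microsoft.Network/applicationGateways/backendAddressPools', appGwName, 'apim-gateway-pool') }
          backendHttpSettings: { id: resourceId('Microsoft.Network/applicationGateways/backendHttpSettings', appGwName, 'apim-https-settings') }
        }
      }
    ]
  }
}
```

Two practical points to check when adapting this: pulling the certificate by `keyVaultSecretId` requires the gateway to have a user-assigned managed identity with secret-get permission on the Key Vault (omitted above for brevity), and the backend `hostName` must be one of the gateway custom domains configured on the APIM instance, since the probe and the re-encrypted hop both fail TLS/host validation otherwise. Start the WAF in `Detection` mode against real traffic if you need to tune rule exclusions before switching to `Prevention`.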