Open petemessina opened 2 years ago
More info around why we are using an App Gateway as a WAF in front of APIM. How does APIM being set up in internal mode impact this? How do these work together?
The reason for App Gateway in front of APIM is to follow best practice for APIM. APIM does not offer any protection against a wide variety of web-based attacks. In every financial client that I have, it is required to have a WAF in front of APIM, and it is our recommendation to use App Gateway as the solution. The WAF protects against things like https://owasp.org/www-project-top-ten/
When APIM is deployed in internal mode, it does not have an external IP address for the developer portal, gateway, or SCM components. The App Gateway hosts the external IP address/certificate for the gateway component. The developer portal and SCM are not typically exposed externally. The App Gateway terminates all TLS connections, inspects the packets, then establishes a connection to the APIM gateway over another TLS connection.
This link goes into details on how they work together - https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway
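As an added example (not from this issue, the linked docs, or the repo), here is the shape of that topology in Azure CLI: a WAF policy with the OWASP managed rules in Prevention mode, a WAF_v2 App Gateway that owns the public IP and the TLS certificate, and a single backend server that is the private VIP of the internal-mode APIM gateway, reached over a second HTTPS connection. Every resource name, the `10.0.1.5` VIP, the `api.contoso.example` hostname and the certificate path/password are placeholders I made up; replace them with your own.

```shell
#!/bin/sh
# Added example: App Gateway (WAF_v2) in front of an internal-mode APIM gateway.
# All names, the APIM private IP, the hostname and the cert details are assumed
# placeholders, not values from the issue or the repository.
set -eu

RG=${RG:-rg-apim-demo}
LOCATION=${LOCATION:-eastus}
VNET=${VNET:-vnet-apim}
APPGW_SUBNET=${APPGW_SUBNET:-snet-appgw}
APPGW=${APPGW:-appgw-apim}
PIP=${PIP:-pip-appgw-apim}
WAF_POLICY=${WAF_POLICY:-wafpol-apim}
APIM_PRIVATE_IP=${APIM_PRIVATE_IP:-10.0.1.5}                 # assumed internal-mode APIM gateway VIP
APIM_GATEWAY_HOST=${APIM_GATEWAY_HOST:-api.contoso.example}  # assumed custom domain on the APIM gateway
CERT_FILE=${CERT_FILE:-./api.contoso.example.pfx}            # assumed PFX for that hostname
CERT_PASSWORD=${CERT_PASSWORD:-changeme}

# Every Azure call goes through $AZ; set AZ=echo to dry-run and just print
# the commands that would be issued.
AZ=${AZ:-az}

# WAF policy: OWASP CRS 3.2 managed rules, Prevention mode so that matching
# requests are blocked rather than only logged (Detection mode).
create_waf_policy() {
  "$AZ" network application-gateway waf-policy create \
    --resource-group "$RG" --name "$WAF_POLICY" --location "$LOCATION" \
    --type OWASP --version 3.2
  "$AZ" network application-gateway waf-policy policy-setting update \
    --resource-group "$RG" --policy-name "$WAF_POLICY" \
    --state Enabled --mode Prevention
}

# WAF_v2 gateway owning the public IP and terminating TLS with the public
# certificate; its only backend is the APIM private VIP over HTTPS, which is
# the second TLS connection described in the thread.
create_app_gateway() {
  "$AZ" network public-ip create --resource-group "$RG" --name "$PIP" \
    --sku Standard --allocation-method Static
  "$AZ" network application-gateway create \
    --resource-group "$RG" --name "$APPGW" --location "$LOCATION" \
    --sku WAF_v2 --capacity 2 --priority 100 \
    --vnet-name "$VNET" --subnet "$APPGW_SUBNET" --public-ip-address "$PIP" \
    --waf-policy "$WAF_POLICY" \
    --frontend-port 443 --cert-file "$CERT_FILE" --cert-password "$CERT_PASSWORD" \
    --servers "$APIM_PRIVATE_IP" \
    --http-settings-protocol Https --http-settings-port 443
}

# Health probe against APIM's built-in gateway status endpoint, sent with the
# gateway's custom hostname so APIM presents the matching certificate; the
# default backend HTTP settings get the same Host header and this probe.
configure_backend() {
  "$AZ" network application-gateway probe create \
    --resource-group "$RG" --gateway-name "$APPGW" --name apim-gateway-probe \
    --protocol Https --host "$APIM_GATEWAY_HOST" --path /status-0123456789abcdef \
    --interval 30 --timeout 120 --threshold 8
  "$AZ" network application-gateway http-settings update \
    --resource-group "$RG" --gateway-name "$APPGW" \
    --name appGatewayBackendHttpSettings \
    --host-name "$APIM_GATEWAY_HOST" --probe apim-gateway-probe
}

deploy() {
  create_waf_policy
  create_app_gateway
  configure_backend
}

# Only act when invoked with "apply"; running or sourcing the file bare just
# defines the functions so they can be dry-run with AZ=echo.
if [ "${1:-}" = "apply" ]; then
  deploy
fi
```

Run `AZ=echo sh appgw-apim.sh apply` first to review the generated commands, then `sh appgw-apim.sh apply` against a subscription that already has the VNet, the App Gateway subnet and the internal-mode APIM in place. If the certificate the APIM gateway presents on its custom domain is not from a public CA, App Gateway will mark the backend unhealthy until you upload that issuer with `az network application-gateway root-cert create` and attach it to the HTTP settings with `--root-certs`.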
Is it possible in the documentation and user guide to add some high-level reasoning around the use and why app gateway is in the architecture? When working through implementations with customers it is a common question I see and if we can add some guidance here it would clarify the need.