Azure API Management in VNET with Gateway (502 - Web server received an invalid response while acting as a gateway or proxy server)

1
votes

I need to integrate Azure API Management in an internal VNET with Application Gateway. I used the manual from Microsoft: Integrate API Management in an internal VNET with Application Gateway

I used self-signed certificate for custom domain.

Here is the diagram of API Management in an internal VNET with Application Gateway enter image description here

I developed PowerShell script based on the following manual Integrate API Management in an internal VNET with Application Gateway

#Configuration
$organizationName = "TestOrg1"
$resourceGroupName = "API-Management-in-VNET-with-Gateway-Test"
$appGatewayHostname = "myapi.azure-api.net"
$apiManagementServiceName = "MyApi"

#Credentials
$subscriptionId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$azureAccountName ="[email protected]"
$azurePassword = "xxxxxx"

#Configuration
$location = "South Central US"
$apiManagementAdminEmail = "[email protected]" 
$apiHostname = "api.mydomain.com"
$sslPort = 443

#Network
$virtualNetworkAddressPrefix = "10.0.0.0/16"
$gatewaySubnetAddressPrefix = "10.0.0.0/24"
$apiManagementSubnetAddressPrefix = "10.0.1.0/24"

#Certificate
$pfxCertificatePassword = "xxxxxxxxxxxx"
$certificateThumbprint = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$pfxCertificateFilename = $PSScriptRoot + "\PfxCert.pfx"
$cerCertificateFilename = $PSScriptRoot + "\CerCert.cer" 

#Output colors
$foregroundColor = "green"
$backgroundColor = "black"

#Log 
$ErrorActionPreference = "SilentlyContinue"
Stop-Transcript | out-null
$ErrorActionPreference = "Continue"
$date = (get-date).tostring("MM-dd-yyyy-HH-mm-ss")
$logFile = $PSScriptRoot + "\log\CreateApiManagementEnvLog-" + $date + ".txt"
Start-Transcript -path $logFile
$startTime = Get-Date
Write-Host("Start Time: " + $startTime) 
$azurePasswordSecureString = ConvertTo-SecureString $azurePassword -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($azureAccountName, $azurePasswordSecureString)
$colors = "-foregroundcolor $foregroundColor -backgroundcolor $backgroundcolor"

#Step 01
Login-AzureRmAccount -Credential $credentials
Write-Host("Step 01 [Login-AzureRmAccount] completed") $colors

#Step 02
Get-AzureRmSubscription -Subscriptionid $subscriptionId | Select-AzureRmSubscription
Write-Host("Step 02 [Get-AzureRmSubscription] completed") $colors

#Step 03
New-AzureRmResourceGroup -Name $resourceGroupName -Location $location
Write-Host("Step 03 [New-AzureRmResourceGroup] completed") $colors

#Step 04
$appgatewaysubnet = New-AzureRmVirtualNetworkSubnetConfig -Name apim01 -AddressPrefix $gatewaySubnetAddressPrefix
Write-Host("Step 04 [New-AzureRmVirtualNetworkSubnetConfig] completed") $colors

#Step 05
$apimsubnet = New-AzureRmVirtualNetworkSubnetConfig -Name apim02 -AddressPrefix $apiManagementSubnetAddressPrefix
Write-Host("Step 05 [New-AzureRmVirtualNetworkSubnetConfig] completed") $colors

#Step 06
$vnet = New-AzureRmVirtualNetwork -Name appgwvnet -ResourceGroupName $resourceGroupName -Location $location -AddressPrefix $virtualNetworkAddressPrefix -Subnet $appgatewaysubnet,$apimsubnet
Write-Host("Step 06 [New-AzureRmVirtualNetwork] completed") $colors

#Step 07
$appgatewaysubnetdata=$vnet.Subnets[0]
Write-Host("Step 07 [$appgatewaysubnetdata] completed") $colors

#Step 08
$apimsubnetdata=$vnet.Subnets[1]
Write-Host("Step 08 [$apimsubnetdata] completed") $colors

#Step 10
$apimVirtualNetwork = New-AzureRmApiManagementVirtualNetwork -Location $location -SubnetResourceId $apimsubnetdata.Id
Write-Host("Step 09 [New-AzureRmApiManagementVirtualNetwork] completed") $colors

#Step 10
$apimService = New-AzureRmApiManagement -ResourceGroupName "$resourceGroupName" -Location $location -Name $apiManagementServiceName -Organization $organizationName -AdminEmail $apiManagementAdminEmail -VirtualNetwork $apimVirtualNetwork -VpnType "Internal" -Sku "Premium"
Write-Host("Step 10 [New-AzureRmApiManagement] completed") $colors

#Step 11
$certUploadResult = Import-AzureRmApiManagementHostnameCertificate -ResourceGroupName "$resourceGroupName" -Name $apiManagementServiceName -HostnameType "Proxy" -PfxPath $pfxCertificateFilename -PfxPassword $pfxCertificatePassword -PassThru
Write-Host("Step 11 [Import-AzureRmApiManagementHostnameCertificate] completed") $colors

#Step 12
$proxyHostnameConfig = New-AzureRmApiManagementHostnameConfiguration -CertificateThumbprint $certificateThumbprint -Hostname "$apiHostname"
Write-Host("Step 12 [New-AzureRmApiManagementHostnameConfiguration] completed") $colors

#Step 13
$result = Set-AzureRmApiManagementHostnames -Name $apiManagementServiceName -ResourceGroupName "$resourceGroupName" –PortalHostnameConfiguration $proxyHostnameConfig
Write-Host("Step 13 [Set-AzureRmApiManagementHostnames] completed") $colors

#Step 14
$publicip = New-AzureRmPublicIpAddress -ResourceGroupName $resourceGroupName -name publicIP01 -location $location -AllocationMethod Dynamic
Write-Host("Step 14 [New-AzureRmPublicIpAddress] completed") $colors

#Step 15
$gipconfig = New-AzureRmApplicationGatewayIPConfiguration -Name gatewayIP01 -Subnet $appgatewaysubnetdata
Write-Host("Step 15 [New-AzureRmApplicationGatewayIPConfiguration] completed") $colors

#Step 16
$fp01 = New-AzureRmApplicationGatewayFrontendPort -Name 'port01' -Port $sslPort
Write-Host("Step 16 [New-AzureRmApplicationGatewayFrontendPort] completed") $colors

#Step 17
$fipconfig01 = New-AzureRmApplicationGatewayFrontendIPConfig -Name "frontend1" -PublicIPAddress $publicip
Write-Host("Step 17 [New-AzureRmApplicationGatewayFrontendIPConfig] completed") $colors

#Step 18
$cert = New-AzureRmApplicationGatewaySslCertificate -Name cert01 -CertificateFile $pfxCertificateFilename -Password $pfxCertificatePassword
Write-Host("Step 18 [New-AzureRmApplicationGatewaySslCertificate] completed") $colors

#Step 19
$listener = New-AzureRmApplicationGatewayHttpListener -Name listener01 -Protocol Https -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 -SslCertificate $cert
Write-Host("Step 19 [New-AzureRmApplicationGatewayHttpListener] completed") $colors

#Step 20
$apimprobe = New-AzureRmApplicationGatewayProbeConfig -Name apimproxyprobe -Protocol Https -HostName $appGatewayHostname -Path "/status-0123456789abcdef" -Interval 30 -Timeout 120 -UnhealthyThreshold 8
Write-Host("Step 20 [New-AzureRmApplicationGatewayHttpListener] completed") $colors

#Step 21
$authcert = New-AzureRmApplicationGatewayAuthenticationCertificate -Name 'whitelistcert1' -CertificateFile $cerCertificateFilename
Write-Host("Step 21 [New-AzureRmApplicationGatewayAuthenticationCertificate] completed") $colors

#Step 22
$apimPoolSetting = New-AzureRmApplicationGatewayBackendHttpSettings -Name "apimPoolSetting" -Port $sslPort -Protocol Https -CookieBasedAffinity Disabled -Probe $apimprobe -AuthenticationCertificates $authcert -RequestTimeout 180
Write-Host("Step 22 [New-AzureRmApplicationGatewayBackendHttpSettings] completed") $colors

#Step 23
$apimProxyBackendPool = New-AzureRmApplicationGatewayBackendAddressPool -Name apimbackend -BackendIPAddresses $apimService.StaticIPs[0]
Write-Host("Step 23 [New-AzureRmApplicationGatewayBackendAddressPool] completed") $colors

#Step 24
$echoapiRule = New-AzureRmApplicationGatewayPathRuleConfig -Name "externalapis" -Paths "/echo/*" -BackendAddressPool $apimProxyBackendPool -BackendHttpSettings $apimPoolSetting
Write-Host("Step 24 [New-AzureRmApplicationGatewayPathRuleConfig] completed") $colors

#Step 25
$urlPathMap = New-AzureRmApplicationGatewayUrlPathMapConfig -Name "urlpathmap" -PathRules $echoapiRule -DefaultBackendAddressPool $apimProxyBackendPool -DefaultBackendHttpSettings $apimPoolSetting
Write-Host("Step 25 [New-AzureRmApplicationGatewayUrlPathMapConfig] completed") $colors

#Step 26
$rule01 = New-AzureRmApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType PathBasedRouting -HttpListener $listener -UrlPathMap $urlPathMap
Write-Host("Step 26 [New-AzureRmApplicationGatewayRequestRoutingRule] completed") $colors

#Step 27
$sku = New-AzureRmApplicationGatewaySku -Name WAF_Medium -Tier WAF -Capacity 2
Write-Host("Step 27 [New-AzureRmApplicationGatewaySku] completed") $colors

#Step 28
$config = New-AzureRmApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode "Prevention"
Write-Host("Step 28 [New-AzureRmApplicationGatewayWebApplicationFirewallConfiguration] completed") $colors

#Step 29
$appgw = New-AzureRmApplicationGateway -Name appgwtest -ResourceGroupName $resourceGroupName -Location $location -BackendAddressPools $apimProxyBackendPool -BackendHttpSettingsCollection $apimPoolSetting -FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 -HttpListeners $listener -UrlPathMaps $urlPathMap -RequestRoutingRules $rule01 -Sku $sku -WebApplicationFirewallConfig $config -SslCertificates $cert -AuthenticationCertificates $authcert -Probes $apimprobe
Write-Host("Step 29 [New-AzureRmApplicationGateway] completed") $colors

#Step 30
Get-AzureRmPublicIpAddress -ResourceGroupName $resourceGroupName -Name publicIP01
Write-Host("Step 30 [Get-AzureRmPublicIpAddress] completed") $colors

#Step 31
Write-Host("Step 31 You need to create CNAME record for custom api domain(see DnsSettingsText -> fqdn)") $colors

#Done
Write-Host("Done") $colors
$endTime = Get-Date
$elapsedTime = New-Timespan –Start $startTime –End $endTime

Write-Host("End Time: " + $endTime) $colors
Write-Host("Elapsed Time: " + $elapsedTime) $colors
Write-Host "Press any key to continue ..." $colors

$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

Stop-Transcript

The configuration script run successfully. There is no any error. But if I try to access Echo API through Gateway there is error: "502 - Web server received an invalid response while acting as a gateway or proxy server." If I use Azure API Management service without internal virtual network it works fine.

I went through several manuals: How to use Azure API Management with virtual networks

Troubleshooting bad gateway errors in Application Gateway

Control network traffic flow with network security groups

I found these details:

After configuring an Azure Application Gateway, one of the errors which users may encounter is "Server Error: 502 - Web server received an invalid response while acting as a gateway or proxy server". This error may happen due to the following main reasons:

  • Azure Application Gateway's back-end pool is not configured or empty.

  • None of the VMs or instances in VM Scale Set are healthy.

  • Back-end VMs or instances of VM Scale Set are not responding to the default health probe.

  • Invalid or improper configuration of custom health probes. Request time out or connectivity issues with user requests.

My questions are

  1. Do I need to configure Virtual Machine?
  2. Do I need to configure Firewall Rules using Azure Network Security Group for Subnets I have?
  3. Should I export custom domain self-signed certificate in Base-64 encoded or in DER encoded binary format to upload it to Azure?
  4. How to troubleshoot my issue?
  5. What is missed from Microsoft manual Integrate API Management in an internal VNET with Application Gateway ?
  6. How to solve 502 error?
3
azureazure-powershellazure-api-management
how are you trying to access the gateway? - 4c74356b41
I tried to post to Echo REST API through Gateway. - Dmitry Kazakov
you tried accessing developer\publisher portal doing a rest api request? - 4c74356b41
No, for developer\publisher portal I added related DNS records (public IP) and tried to access using Chrome browser. - Dmitry Kazakov
from where? internally? - 4c74356b41

3 Answers

3
votes

Finally, I solved (502) gateway issue. The problem was in Integrate API Management in an internal VNET with Application Gateway manual.

Wrong line:

#Step 13
$result = Set-AzureRmApiManagementHostnames -Name $apiManagementServiceName -ResourceGroupName "$resourceGroupName" –PortalHostnameConfiguration $proxyHostnameConfig

To set up a custom domain name for API proxy -ProxyHostnameConfiguration $proxyHostnameConfig should be used instead of -PortalHostnameConfiguration $proxyHostnameConfig

Actually, I found 2 mistakes in Integrate API Management in an internal VNET with Application Gateway manual.

Contributed #1, #2 and Integrate API Management in an internal VNET with Application Gateway manual is updated now.

1
votes
  1. You need to create a VM to test APIM internally (you can use this guide)
  2. No, unless you want to restrict some sort of traffic
  3. Question is unclear, upload to where exactly, but usually Azure Services accept base64 encoded certificates
  4. Create a VM inside the VNet and try accessing the API Management
  5. No idea, probably nothing, rarely do I see things that are blatantly wrong in MS documentation
  6. Make sure the HTTP probes are showing OK, check API Gateway configuration, if you are using certificate to talk to APIM, you should make sure APIM accepts that certificate
0
votes

The Post Integrate API Management in an internal VNET with Application Gateway covers the scenario of only exposing some APIs of Gateway/Proxy via the Application Gateway.

If you want to access the Developer Portal/Publisher Portal also via Application Gateway. You will need to do the follow the document Create AppGateway to access multiple web application

I have tried to capture, the change in steps here (there might be minor typos)

    #Configuration
    $organizationName = "TestOrg1"
    $resourceGroupName = "API-Management-in-VNET-with-Gateway-Test"
    $appGatewayHostname = "myapi.azure-api.net"
    $apiPortalHostname = "myapi.portal.azure-api.net"
    $apiManagementServiceName = "MyApi"

    #Credentials
    $subscriptionId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    $azureAccountName ="[email protected]"
    $azurePassword = "xxxxxx"

    #Configuration
    $location = "South Central US"
    $apiManagementAdminEmail = "[email protected]" 
    $apiHostname = "api.mydomain.com"
    $portalHostname = "portal.mydomain.com"
    $sslPort = 443

    #Network
    $virtualNetworkAddressPrefix = "10.0.0.0/16"
    $gatewaySubnetAddressPrefix = "10.0.0.0/24"
    $apiManagementSubnetAddressPrefix = "10.0.1.0/24"

    #Certificate <!-- This Certificate is *.mydomain.com -->
    $pfxCertificatePassword = "xxxxxxxxxxxx"
    $certificateThumbprint = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    $pfxCertificateFilename = $PSScriptRoot + "\PfxCert.pfx"
    $cerCertificateFilename = $PSScriptRoot + "\CerCert.cer" 

    #Output colors
    $foregroundColor = "green"
    $backgroundColor = "black"

    #Log 
    $ErrorActionPreference = "SilentlyContinue"
    Stop-Transcript | out-null
    $ErrorActionPreference = "Continue"
    $date = (get-date).tostring("MM-dd-yyyy-HH-mm-ss")
    $logFile = $PSScriptRoot + "\log\CreateApiManagementEnvLog-" + $date + ".txt"
    Start-Transcript -path $logFile
    $startTime = Get-Date
    Write-Host("Start Time: " + $startTime) 
    $azurePasswordSecureString = ConvertTo-SecureString $azurePassword -AsPlainText -Force
    $credentials = New-Object System.Management.Automation.PSCredential($azureAccountName, $azurePasswordSecureString)
    $colors = "-foregroundcolor $foregroundColor -backgroundcolor $backgroundcolor"

    #Step 01
    Login-AzureRmAccount -Credential $credentials
    Write-Host("Step 01 [Login-AzureRmAccount] completed") $colors

    #Step 02
    Get-AzureRmSubscription -Subscriptionid $subscriptionId | Select-AzureRmSubscription
    Write-Host("Step 02 [Get-AzureRmSubscription] completed") $colors

    #Step 03
    New-AzureRmResourceGroup -Name $resourceGroupName -Location $location
    Write-Host("Step 03 [New-AzureRmResourceGroup] completed") $colors

    #Step 04
    $appgatewaysubnet = New-AzureRmVirtualNetworkSubnetConfig -Name apim01 -AddressPrefix $gatewaySubnetAddressPrefix
    Write-Host("Step 04 [New-AzureRmVirtualNetworkSubnetConfig] completed") $colors

    #Step 05
    $apimsubnet = New-AzureRmVirtualNetworkSubnetConfig -Name apim02 -AddressPrefix $apiManagementSubnetAddressPrefix
    Write-Host("Step 05 [New-AzureRmVirtualNetworkSubnetConfig] completed") $colors

    #Step 06
    $vnet = New-AzureRmVirtualNetwork -Name appgwvnet -ResourceGroupName $resourceGroupName -Location $location -AddressPrefix $virtualNetworkAddressPrefix -Subnet $appgatewaysubnet,$apimsubnet
    Write-Host("Step 06 [New-AzureRmVirtualNetwork] completed") $colors

    #Step 07
    $appgatewaysubnetdata=$vnet.Subnets[0]
    Write-Host("Step 07 [$appgatewaysubnetdata] completed") $colors

    #Step 08
    $apimsubnetdata=$vnet.Subnets[1]
    Write-Host("Step 08 [$apimsubnetdata] completed") $colors

    #Step 10
    $apimVirtualNetwork = New-AzureRmApiManagementVirtualNetwork -Location $location -SubnetResourceId $apimsubnetdata.Id
    Write-Host("Step 09 [New-AzureRmApiManagementVirtualNetwork] completed") $colors

    #Step 11
    $apimService = New-AzureRmApiManagement -ResourceGroupName "$resourceGroupName" -Location $location -Name $apiManagementServiceName -Organization $organizationName -AdminEmail $apiManagementAdminEmail -VirtualNetwork $apimVirtualNetwork -VpnType "Internal" -Sku "Premium"
    Write-Host("Step 10 [New-AzureRmApiManagement] completed") $colors

    #Step 12
    $certUploadResult = Import-AzureRmApiManagementHostnameCertificate -ResourceGroupName "$resourceGroupName" -Name $apiManagementServiceName -HostnameType "Proxy" -PfxPath $pfxCertificateFilename -PfxPassword $pfxCertificatePassword -PassThru
    Write-Host("Step 11 [Import-AzureRmApiManagementHostnameCertificate] completed") $colors

    #Step 13
    $proxyHostnameConfig = New-AzureRmApiManagementHostnameConfiguration -CertificateThumbprint $certificateThumbprint -Hostname "$apiHostname"
    Write-Host("Step 12 [New-AzureRmApiManagementHostnameConfiguration] completed") $colors

    $portalHostnameConfig = New-AzureRmApiManagementHostnameConfiguration -CertificateThumbprint $certificateThumbprint -Hostname "$portalHostname"
    Write-Host("Step 12 [New-AzureRmApiManagementHostnameConfiguration] completed") $colors

    #Step 14
    $result = Set-AzureRmApiManagementHostnames -Name $apiManagementServiceName -ResourceGroupName "$resourceGroupName" –PortalHostnameConfiguration $portalHostnameConfig -ProxyHostnameConfiguration $proxyHostnameConfig
    Write-Host("Step 13 [Set-AzureRmApiManagementHostnames] completed") $colors

    #Step 15
    $publicip = New-AzureRmPublicIpAddress -ResourceGroupName $resourceGroupName -name publicIP01 -location $location -AllocationMethod Dynamic
    Write-Host("Step 14 [New-AzureRmPublicIpAddress] completed") $colors

    #Step 16
    $gipconfig = New-AzureRmApplicationGatewayIPConfiguration -Name gatewayIP01 -Subnet $appgatewaysubnetdata
    Write-Host("Step 15 [New-AzureRmApplicationGatewayIPConfiguration] completed") $colors

    #Step 17
    $fp01 = New-AzureRmApplicationGatewayFrontendPort -Name 'port01' -Port $sslPort
    Write-Host("Step 16 [New-AzureRmApplicationGatewayFrontendPort] completed") $colors

    #Step 18
    $fipconfig01 = New-AzureRmApplicationGatewayFrontendIPConfig -Name "frontend1" -PublicIPAddress $publicip
    Write-Host("Step 17 [New-AzureRmApplicationGatewayFrontendIPConfig] completed") $colors

    #Step 19
    $cert = New-AzureRmApplicationGatewaySslCertificate -Name cert01 -CertificateFile $pfxCertificateFilename -Password $pfxCertificatePassword
    Write-Host("Step 18 [New-AzureRmApplicationGatewaySslCertificate] completed") $colors

    #Step 20
    $apimlistener = New-AzureRmApplicationGatewayHttpListener -Name listener01 -Protocol Https -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 -SslCertificate $cert -HostName $appGatewayHostname
    Write-Host("Step 19 [New-AzureRmApplicationGatewayHttpListener] completed") $colors

    $apimportallistener = New-AzureRmApplicationGatewayHttpListener -Name listener02 -Protocol Https -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 -SslCertificate $cert -HostName $apiPortalHostname
    Write-Host("Step 19 [New-AzureRmApplicationGatewayHttpListener] completed") $colors

    #Step 21
    $apimprobe = New-AzureRmApplicationGatewayProbeConfig -Name apimproxyprobe -Protocol Https -HostName $appGatewayHostname -Path "/status-0123456789abcdef" -Interval 30 -Timeout 120 -UnhealthyThreshold 8
    Write-Host("Step 20 [New-AzureRmApplicationGatewayProbeConfig] completed") $colors

    $apimportalprobe = New-AzureRmApplicationGatewayProbeConfig -Name apimportalprobe -Protocol Https -HostName $apiPortalHostname -Path "/status-0123456789abcdef" -Interval 30 -Timeout 120 -UnhealthyThreshold 8
    Write-Host("Step 20 [New-AzureRmApplicationGatewayProbeConfig] completed") $colors

    #Step 22
    $authcert = New-AzureRmApplicationGatewayAuthenticationCertificate -Name 'whitelistcert1' -CertificateFile $cerCertificateFilename
    Write-Host("Step 21 [New-AzureRmApplicationGatewayAuthenticationCertificate] completed") $colors

    #Step 23
    $apimPoolSetting = New-AzureRmApplicationGatewayBackendHttpSettings -Name "apimPoolSetting" -Port $sslPort -Protocol Https -CookieBasedAffinity Disabled -Probe $apimprobe -AuthenticationCertificates $authcert -RequestTimeout 180
    Write-Host("Step 22 [New-AzureRmApplicationGatewayBackendHttpSettings] completed") $colors

    $apimPoolPortalSetting = New-AzureRmApplicationGatewayBackendHttpSettings -Name "apimPoolPortalSetting" -Port $sslPort -Protocol Https -CookieBasedAffinity Disabled -Probe $apimportalprobe -AuthenticationCertificates $authcert -RequestTimeout 180
    Write-Host("Step 22 [New-AzureRmApplicationGatewayBackendHttpSettings] completed") $colors

    #Step 24
    $apimProxyBackendPool = New-AzureRmApplicationGatewayBackendAddressPool -Name apimbackend -BackendIPAddresses $apimService.StaticIPs[0]
    Write-Host("Step 23 [New-AzureRmApplicationGatewayBackendAddressPool] completed") $colors


    #Step 25
    $rule01 = New-AzureRmApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType Basic -HttpListener $apimlistener 
    Write-Host("Step 26 [New-AzureRmApplicationGatewayRequestRoutingRule] completed") $colors

    $rule02 = New-AzureRmApplicationGatewayRequestRoutingRule -Name "rule2" -RuleType Basic -HttpListener $apimportallistener
    Write-Host("Step 26 [New-AzureRmApplicationGatewayRequestRoutingRule] completed") $colors

    #Step 26
    $sku = New-AzureRmApplicationGatewaySku -Name Standard_Medium -Tier Standard -Capacity 2
    Write-Host("Step 27 [New-AzureRmApplicationGatewaySku] completed") $colors

    #Step 27
    $appgw = New-AzureRmApplicationGateway -Name appgwtest -ResourceGroupName $resourceGroupName -Location $location -BackendAddressPools $apimProxyBackendPool -BackendHttpSettingsCollection $apimPoolSetting, $apimPoolPortalSetting -FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 -HttpListeners $apimlistener, $apimportallistener -RequestRoutingRules $rule01, $rule02 -Sku $sku -SslCertificates $cert -AuthenticationCertificates $authcert -Probes $apimprobe, $apimportalprobe
    Write-Host("Step 29 [New-AzureRmApplicationGateway] completed") $colors

    #Step 28
    Get-AzureRmPublicIpAddress -ResourceGroupName $resourceGroupName -Name publicIP01
    Write-Host("Step 30 [Get-AzureRmPublicIpAddress] completed") $colors

    #Step 29
    Write-Host("Step 31 You need to create CNAME record for custom api domain(see DnsSettingsText -> fqdn)") $colors

    #Done
    Write-Host("Done") $colors
    $endTime = Get-Date
    $elapsedTime = New-Timespan –Start $startTime –End $endTime

    Write-Host("End Time: " + $endTime) $colors
    Write-Host("Elapsed Time: " + $elapsedTime) $colors
    Write-Host "Press any key to continue ..." $colors

    $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

    Stop-Transcript