0
votes

I'm struggling with how to use Azure API management together with App Service Environment v1 (aka ASEv1), i.e. how to set the things via Azure portal.

I have an ASE with one app service (the target is several of them) and I have an APIM gateway pointing to the public host name of the service.

What do I have to do to make the app services in the ASE VNet accessible only through the APIM gateway, to keep the back-end services hidden?

I need to be able to manage APIM from Azure portal and to be able to access the services directly via FTPS for deployment, collecting logs, etc.

--

I've created a new subnet for the APIM and put it in the ASE VNet, where the ASE subnet already was. Now I probably have to set some NSG rules, but I'm not sure how, and whether that is all I'm supposed to do.

The second thing I'm not sure about is how to change the APIM API settings. It now points to a public URL of the service; I do not know if it will be available after the NSG changes.


2 Answers

0
votes

There are a couple of options, depending on what you really want. If you're fine with having your backend services visible from outside but not callable, you can employ any means of authentication between APIM and the backend services:

  • Shared secret - header/query param
  • Client certificate authentication
  • IP filtering on the side of backend services

If you want to really hide the backend services from outside, you'll have to put APIM and the ASE into the same VNet.

0
votes

The following seems to work, although it may need some fine tuning.

In short, each layer is put into a separate external VNet with its own Network Security Group (NSG), using the caller's public IP address to manage access to the VNet:

  • back-end service web app in the ASEv1 VNet "vnet-ase", with associated NSG "nsg-ase"
  • APIM gateway put into a separate VNet "vnet-apim", with associated NSG "nsg-apim"
  • in nsg-ase, allow access from the public IP of the APIM GW to vnet-ase
  • nsg-apim will be used to manage connections to the APIM gateway