We will provision API Management with a self-hosted gateway (SHGW) and create a new Container App with internal ingress. The self-hosted gateway will be created as a new Container App named apim and expose the API with external egress.
First, API Management must be created using the Developer SKU (the Consumption SKU doesn't support SHGW). This takes 30-45 minutes.
Azure CLI using Bash
az deployment group create -g $resourceGroup -f apim.bicep -p apiManagementName=${name}-apim
PowerShell
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup -Name 'apim_deployment' -TemplateFile .\apim.bicep -apiManagementName "$name-apim"
After the script has finished, an API Management instance and an SHGW have been created.
Go to the API Management instance in the Azure portal and click on Gateways in the menu. A gateway called gw-01 has been created. Click on the gateway name --> Deployment --> copy everything in the field called Token and set the variable "gwtoken". The value must be inside double quotes ("") because the token contains a space and & characters.
Example: gwtoken="GatewayKey gw-01&202206230....."
Bash
gwtoken="[Paste value from the Token field]"
PowerShell
$gwtoken="[Paste value from the Token field]"
In the Azure portal, go to the resource group you have been working with and locate the name of the storage account that has been created. Set the storageaccount variable.
Bash
storageaccount=[Enter the name of the storageaccount]
PowerShell
$storageaccount="[Enter the name of the storageaccount]"
Deploy Container Apps and create API Management configuration.
Azure CLI using Bash
az deployment group create -g $resourceGroup -f v5_template.bicep -p apiManagementName=${name}-apim containerAppsEnvName=$containerAppEnv storageAccountName=$storageaccount selfHostedGatewayToken="$gwtoken" AppInsights_Name=$appInsights
PowerShell
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup -Name 'v5_deployment' -TemplateFile .\v5_template.bicep -apiManagementName "$name-apim" -containerAppsEnvName $containerAppEnv -storageAccountName $storageaccount -selfHostedGatewayToken "$gwtoken" -AppInsights_Name $appInsights
The API Management SHGW has now been deployed as a Container App inside Container Apps, and a new Container App called httpapi2 has been created with internal ingress, which means that it is not exposed to the internet.
API Management has protected the API using an API key, so this needs to be retrieved. Go to the Azure portal --> Subscriptions --> choose the bottom row with the scope Service --> on the right, click the three dots --> Show/hide keys --> copy the Primary Key value.
Bash
apikey=[Paste the value of the primary key]
PowerShell
$apikey="[Paste the value of the primary key]"
Retrieve the URL of the SHGW in Container Apps.
Bash
apimURL=https://apim.$(az containerapp env show -g $resourceGroup -n ${name}-env --query 'properties.defaultDomain' -o tsv)/api/data
PowerShell
$apimURL="https://apim.$((Get-AzContainerAppManagedEnv -ResourceGroupName $resourceGroup -EnvName $containerAppEnv).DefaultDomain)/api/data"
Add a new order using HTTP POST and add the header used to authenticate against API Management.
Bash
curl -X POST -H "X-API-Key: $apikey" "${apimURL}?message=apimitem1"
PowerShell
Invoke-RestMethod "$($apimURL)?message=apimitem1" -Method Post -Headers @{'X-API-Key' = $apikey}
Verify that it works in Log Analytics.
ContainerAppConsoleLogs_CL
| where ContainerAppName_s has "queuereader" and ContainerName_s has "queuereader"
| where Log_s has "Message"
| project TimeGenerated, Log_s
| order by TimeGenerated desc
You have now protected the HTTP API Container App behind API Management.
The next step is to enhance security by protecting our Dashboard App with Microsoft Entra ID Authentication.
That will be covered in Challenge 7.
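To confirm that the gateway really enforces the key, the following added Bash example (not part of the workshop's own scripts) sends the same POST without a key, with a wrong key and with the real key. It assumes $apimURL and $apikey are set as above and that API Management answers a missing or invalid subscription key with 401; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the workshop repository. Assumes $apimURL and
# $apikey are set as in the steps above; function names are hypothetical.

# Print only the HTTP status of a POST; extra arguments are passed to curl.
# curl prints 000 when no HTTP response was received.
post_status() {
  local url=$1; shift
  curl -s -o /dev/null -w '%{http_code}' --max-time 15 -X POST "$@" "$url" || true
}

# Compare one observed status with the expected shell pattern (401, 2??, ...).
expect_status() {
  local label=$1 pattern=$2 status=$3
  case "$status" in
    $pattern) echo "PASS  $label -> $status"; return 0 ;;
    *)        echo "FAIL  $label -> $status (expected $pattern)"; return 1 ;;
  esac
}

# Returns 0 only if the gateway rejects keyless and wrong-key calls and
# accepts the real key. The valid-key probe adds one "authcheck" message.
check_apim_protection() {
  local url="$1?message=authcheck" key=$2 failures=0
  expect_status "no key" 401 "$(post_status "$url")" \
    || failures=$((failures + 1))
  expect_status "wrong key" 401 \
    "$(post_status "$url" -H "X-API-Key: not-the-real-key")" \
    || failures=$((failures + 1))
  expect_status "valid key" '2??' \
    "$(post_status "$url" -H "X-API-Key: $key")" \
    || failures=$((failures + 1))
  [ "$failures" -eq 0 ]
}

# Run the check only when the workshop variables are present.
if [ -n "${apimURL:-}" ] && [ -n "${apikey:-}" ]; then
  check_apim_protection "$apimURL" "$apikey"
fi
```

A FAIL on the first two probes means requests reach httpapi2 without a valid key; a status of 000 means the gateway URL did not answer at all.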