Getting error while accessing Azure API developer portal while using Azure Application Gateway with Azure API Management service

We have the following setup in Azure, configured using this guide (https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/apis/protect-apis)

App Gateway with Public IP calling ===> Azure APIM Service configured in Internal mode (development tier)

Details:

  1. Both App Gateway and APIM are in the same VNet but in separate subnets.
  2. App Gateway has only a public IP, with Firewall disabled (for testing purposes).
  3. APIM is configured in Internal mode.
  4. Three listeners (one for API, one for developer portal and one for API management endpoint) are configured in App Gateway using custom domains and SSL certificates.
  5. There is a VM deployed and configured in the same VNet.

APP Gateway Domains are: (Internet Accessible)

  • dev.apiportal.xxxx.com ==> API Portal
  • dev.api.xxxx.com ==> API Gateway
  • dev.apimanagement.xxxx.com ==> API Management

APIM Service is using default domains: (Not accessible on internet. APIM is configured in Internal mode)

  • dev-apim.developer.azure-api.net ==> API Portal
  • dev-apim.azure-api.net ==> API Gateway
  • dev-apim.management.azure-api.net ==> API Management

The probes defined on App GW for the endpoints mentioned above are healthy and in green status.

Problem Statement:

  1. API portal is accessible from the VM mentioned in #5 above using default links. I am able to log in using a user added in the portal. The VM's hosts file has been modified with the IP address and default host name of the APIM service. Portal works fine when accessed from the VM.
  2. When I try to access the portal from the internet using the custom domain (configured on the listeners mentioned in #4 above of App GW), the portal loads fine.
  3. When I try to log in using the same user (mentioned in #1), it doesn't work, and the error I get is "Please provide a valid email and password". This error appears almost 15-20 seconds after clicking the sign in button.
  4. When I tried to check the error in browser developer tools, I found that even though the portal is accessed using the internet-facing URL, one request for the management API is pointed to the internal URL of API management. Screenshot attached.

Wanted to understand if we need to have custom domains for APIM service as well in order to get this setup working? Any pointer to fix this error?



Solution 1:[1]

• Thank you @Pankaj Kapare for your question and the subsequent resolution that you have provided in the comments section. I am posting that comment of yours in more detail, along with an additional probable resolution, as an answer.

Setting the APIM service’s URLs to the custom domains that are defined in the application gateway, while keeping the APIM service operational in internal mode, helped to log in to the APIM developer portal successfully, i.e., setting the same custom domains that are defined in the application gateway on the APIM’s endpoints.

• You can also resolve this DNS mapping issue by creating a CNAME record for the custom domain configured in the application gateway and mentioning an alias to the default domain URL in the APIM service. Thus, by creating a CNAME DNS record for the default domain in the APIM service, you can redirect the requests for the application gateway’s custom domain URL to the default domain URL in the APIM service.

But for this also, you would need to create a private DNS zone in Azure and create the above-mentioned record in it, which will restrict internet access to the APIM URLs and redirect the requests internally.
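
A check for the symptom in step 4 of the question, as an added example that is not part of the original question or answer: it scans request URLs copied from the browser's network tab and flags any that target APIM default domains instead of the App Gateway listener hostnames. The hostnames are those given in the question; the sample URL paths and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Internet-facing App Gateway listener hostnames, as listed in the question.
LISTENERS = {
    "developer portal": "dev.apiportal.xxxx.com",
    "gateway": "dev.api.xxxx.com",
    "management": "dev.apimanagement.xxxx.com",
}

# APIM default-domain suffixes, most specific first (".azure-api.net" matches all).
DEFAULT_SUFFIXES = [
    (".developer.azure-api.net", "developer portal"),
    (".management.azure-api.net", "management"),
    (".azure-api.net", "gateway"),
]

def classify_default_host(host):
    """Return the APIM endpoint type if host is an APIM default domain, else None."""
    host = host.lower().rstrip(".")
    for suffix, endpoint in DEFAULT_SUFFIXES:
        if host.endswith(suffix):
            return endpoint
    return None

def find_internal_calls(request_urls, listeners=LISTENERS):
    """Flag browser requests that bypass the listeners and target APIM default domains."""
    public_hosts = {h.lower() for h in listeners.values()}
    findings = []
    for url in request_urls:
        host = (urlsplit(url).hostname or "").lower()
        if not host or host in public_hosts:
            continue
        endpoint = classify_default_host(host)
        if endpoint:
            findings.append({"url": url, "host": host, "endpoint": endpoint,
                             "expected_host": listeners[endpoint]})
    return findings

# Constructed sample: URLs as they might be copied from the browser's network tab.
SAMPLE_REQUESTS = [
    "https://dev.apiportal.xxxx.com/signin",
    "https://dev.apiportal.xxxx.com/constructed/styles.css",
    "https://dev-apim.management.azure-api.net/constructed/sign-in-call",
]

if __name__ == "__main__":
    for f in find_internal_calls(SAMPLE_REQUESTS):
        print(f"{f['host']} ({f['endpoint']}) is internal-only; "
              f"browser should be calling {f['expected_host']}")
```

An empty result after setting the custom domains on the APIM endpoints indicates the portal no longer hands internal hostnames to internet clients.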

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 KartikBhiwapurkar-MT