Giter VIP home page Giter VIP logo

front-door-apim-appservice's Introduction

Introduction

Starting from the sample of Paolo Salvatori https://github.com/paolosalvatori/front-door-apim this exercise introduces few additional objects:

  • A simple API running on App Service (Web App for containers).
    • Linux plan, pull image from GitHub, forward requests to external API, Application Insights integration.
  • Private Link
  • App Service Private Endpoint (Private IP to secure inbound traffic)
  • App Service regional VNET integration (secure outbound traffic)
    • To have all inbound and outbound traffic in the VNET, we need to use both Private Endpoint and Regional VNet Integration in two separate subnets.
  • ACI VNET integration used as basic jumpbox (via azure portal)
  • APIM Backends
  • APIM Global policy for tracing
  • APIM SubscriptionKey creation

Architecture

Architecture

Deployment

  • Edit the ARM template parameter file in the folder azuredeploy.parameters.json for a customized deployment
  • Edit the bash script in the "scripts" folder to specify the target subscription-id and the resource-group.
  • Run the deploy.sh command to deploy the sample.

Resource Created

Testing

Private endpoint DNS resolution nslookup

Test internal endpoint Test internal endpoint

To postman echo backend

curl --location --request GET 'https://mc-webfront-afd.azurefd.net/front-echo/get' \
--header 'Ocp-Apim-Subscription-Key: super-secure' \
--header 'Content-Type: application/json'

To Web.Api health

curl --location --request GET 'https://mc-webfront-afd.azurefd.net/front-echo/health' \
--header 'Ocp-Apim-Subscription-Key: super-secure' \
--header 'Content-Type: application/json'

To Web.Api health and forwarded to external dependency

curl --location --request GET 'https://mc-webfront-afd.azurefd.net/front-echo/health?type=1' \
--header 'Ocp-Apim-Subscription-Key: super-secure' \
--header 'Content-Type: application/json'

Global policy error management

curl --location --request GET 'https://mc-webfront-afd.azurefd.net/front-echo/health?type=1error' \
--header 'Ocp-Apim-Subscription-Key: super-secure' \
--header 'Content-Type: application/json'

Block SQL injection

curl --location --request GET 'https://mc-webfront-afd.azurefd.net/front-echo/health?id=SELECT+name+FROM+users' \
--header 'Ocp-Apim-Trace: true' \
--header 'Ocp-Apim-Subscription-Key: super-secure'

LogAnalytics query (AFD firewall log)

AzureDiagnostics
| where ResourceType == "FRONTDOORS" and Category == "FrontdoorWebApplicationFirewallLog"
and trackingReference_s == "0AEMdYAAAAAArn0ERVmUgRLSMY7tO4IrQQlJVMzBFREdFMDQxMQAwNjI4MDRiNS0xYzViLTRhYmYtYTBiMS05MmNhZmNiOWIxM2U="

afd firewall logs

LogAnalytics (simple queries)

AzureDiagnostics
| where Category == "FrontdoorAccessLog" 
and userAgent_s  == "PostmanRuntime/7.26.8"
and TimeGenerated between (datetime("2021-01-22 11:58:00") .. datetime('2021-01-22 15:20:00'))
and requestUri_s contains "health"
| order by TimeGenerated desc 


AzureDiagnostics
| where ResourceProvider == "MICROSOFT.APIMANAGEMENT"
and TimeGenerated between (datetime("2021-01-22 11:58:00") .. datetime('2021-01-22 15:20:00'))
and url_s contains "health"
| order by TimeGenerated desc

Request duration

Request duration in AFT, Api Management and Web App for containers in the last 10 minutes.

durations

Query

let startDatetime = now(-10m);
let endDatetime = now();
let interval = 1s;
AzureDiagnostics
| where Resource == 'MC-WEBFRONT-AFD'
  and TimeGenerated  between(startDatetime .. endDatetime)
| extend duration = toreal(timeTaken_s) * 1000,
         service = "Front Door",
         timestamp = TimeGenerated
| project service, duration, timestamp

| union (app("MC-WEBFRONT-APPINS").requests
| where url contains "-apim."  
  and name != "GET /"
  and timestamp between(startDatetime .. endDatetime)
| extend service = "APIM"
| project service, duration, timestamp)


| union (app("MC-WEBFRONT-APPINS").requests
| where url contains "-app."  
  and name != "GET /"
  and timestamp between(startDatetime .. endDatetime)
| extend service = "WebApp"
| project service, duration, timestamp)

| summarize ['Average Duration'] = avg(duration) by bin(timestamp, interval), service
| render timechart 

AFD configured with prevention mode

Notes

"dnsConfig": {
    "nameServers": [ "192.168.0.150", "192.168.8.150"],
    "options": "ndots:2"
}

front-door-apim-appservice's People

Contributors

massimoc avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.