0

I currently have the following setup in Azure:

  1. An Azure API Management API that maps to
  2. an Azure Function App with multiple functions that accept data and store it in
  3. an Azure Storage Account.
  4. A private (no public access) Azure SQL database.

Now I want to add a few more API endpoints and Azure functions that provide access to some data from the SQL database. I am now facing the problem that my Function App and API Management are public and therefore cannot connect to resources within my VNet (i.e. the database).

Is there a way to have functions connect to the private database without making the functions private, too? And if I have to make the functions private I would also have to make the API Management private, right? Which would make the whole API unavailable from the internet.

The plans for API Management and Function App that support VNet integration are way more powerful and expensive. I don't need so much power, just the VNet integration. Does anyone know how to solve this issue?

WolfgangM
  • 243
  • 2
  • 14

2 Answers2

2

Before deploying APIM myself, I did some research on how to create a similar setup, where most of our backend services (azure functions, app services etc.) live inside a virtual network. Note that we are still using the developer SKU for API Management, it has almost the same features as the premium SKU (source). For our use case, developer tier has enough bandwidth and the premium SKU is pretty darn expensive. The developer tier is not backed by a Microsoft SLA, so be careful using this in production environments. Below, I'll start with a short summary and describe the scenario's at the end.

Summary

I hope this overview highlights some of our concerns, which may help you to decide the best fit for your scenario. In the end, we choose scenario two, which provides the necessary security we needed. It reduces the attack surface because all backends are private. The main reason is that we wanted to use consumption plan logic apps. Standard logic apps are expensive and not really user-friendly in terms of deployment. With an additional Front Door in place, it also enables us to easily move to solution three at a later point in time. Since you don’t have to move around with custom domains and certificates when putting APIM private, Front Door still remains your main entry point.

1) Scenario one

  • APIM without vnet integration (public)
  • Azure Function with Vnet integration
  • Azure SQL and Storage with private endpoints

Pros: In this scenario your are able to choose APIM standard or basic sku. These are a lot cheaper than the premium sku.

Cons: The Azure function is exposed to the public internet, so be careful and protect it with AAD authentication. When you would deploy multiple azure functions like this, it increases the attack surface.

2) Scenario two

  • APIM with vnet integration (external mode)
  • Azure Function with private endpoint
  • Azure SQL and Storage with private endpoints

Pros: Setup is not that difficult if you follow the APIM vnet documentation (source). May be useful if you want to expose your APIs to external parties as well. Everything behind APIM resides securly within a virtual network.

Cons: Only developer and premium tiers are available for this setup. APIM is reachable over the public internet, so make sure you put in the necessary policies that always checks the JWT. You could even put in a policy that check's the IP address, basically a poor man's firewall solution.

1) Scenario three

  • APIM with vnet integration (internal mode)
  • Azure function with private endpoint
  • Azure SQL and Storage with private endpoints
  • Optional: Application gateway with or without Front Door to safely expose certain routes to the outside world.

Pros: Most secure solution, since everything is shielded from the public internet. I would call this the preferred enterprise setup. If needed, you could even extend this setup with an application gateway with or without Front Door to control who has access to certain API’s from outside the virtual network.

Cons: This is the most extensive setup, meaning that it takes a lot more time to deploy. You have to take into account all the necessary routes, NSGs, private DNS entries, etc. Advisable to be familiar with azure policies as well to do some of this automatically.

Note: APIM is going to support private endpoints as well in the near future, which is a bit confusing. I would say the two vnet modes are already comparable to how you would use vnet integration and private endpoints for azure functions and app services.

Cloudkollektiv
  • 11,852
  • 3
  • 44
  • 71
  • Actually, option 1 sounds promising but how do you connect the public APIM with the private Azure Functions? I don't see how this is possible. – WolfgangM May 30 '22 at 07:18
  • 1
    @WolfgangM you could use vnet integration on your azure function. Meaning that they are not really private anymore. – Cloudkollektiv May 30 '22 at 07:59
  • So when I activate VNet integration for my Functions they can still serve as backend for my public API Management? – WolfgangM May 30 '22 at 08:43
  • 1
    @WolfgangM that is correct! They will be visible on the public internet through the Azure DNS. Make sure that they are AAD protected and only accessible through APIM, not directly. – Cloudkollektiv May 30 '22 at 09:40
  • 1
    Alright, now I get it! Thanks for the explanation! – WolfgangM May 30 '22 at 12:01
  • @WolfgangM curious, did you manage to get it working like you did wanted to? :-) – Cloudkollektiv Mar 11 '23 at 01:23
  • 1
    yes, absolutely! Scenario 1 still works like a charm! – WolfgangM Mar 13 '23 at 13:08
  • Cool, always good to hear that things are working as expected :) For us it was a pain in the ass to put azure frontdoor on top of APIM. Especially the stuff with custom domains and certificates, got it working in the end as well. – Cloudkollektiv Mar 13 '23 at 13:46
1

You can achieve this with a VPN Gateway

This means the VPN Gateway provides a public IP to your VPN!
So the public Azure Functions can access the VPN resources.
Tutorial: Create and manage a VPN gateway using the Azure portal

A better approach is, to use the internal mode of API Management:
Connect to a virtual network in internal mode using Azure API Management

With Azure virtual networks (VNets), Azure API Management can manage internet-inaccessible APIs using several VPN technologies to make the connection. For VNet connectivity options, requirements, and considerations, see Using a virtual network with Azure API Management.

Markus Meyer
  • 3,327
  • 10
  • 22
  • 35
  • Thanks for your answer Markus. Could you elaborate on the VPN Gateway solution? The documentation says _VPN Gateway sends encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure virtual networks over the Microsoft network._ How can this be used to enable my functions to access my private database? Regarding the internal mode of API Management: this would make it necessary for the functions to be private too, right? – WolfgangM May 24 '22 at 08:19
  • "...Azure virtual network and an on-premises location over the public Internet. " The VPN Gateway has a public IP, so it can be reached from OnPremise and Internet. I prefer the APIM internal mode solution. It's much more secure. You have to set up an Azure Function which - is in the same VPN as the SQL Server - the only purpose is to provide CRUD operation for the database - this Azure Function in connected internally to your APIM. This means, APIM is in front of any request for getting database data. **Your VPN does not contain a public IP!** – Markus Meyer May 24 '22 at 08:44
  • But that is exactly what I mentioned in my initial question: according to https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2#availability the VNet integration for APIM is only available for Developer and Premium plans. So far we're on Consumption plan (we have about 5000 requests/day) and pay very little. Developer plan has no SLA, so we would need the Premium plan for more than 2500$ per month. The same holds true for Azure functions. We already have a VPN Gateway to connect to on premises. Would it be sufficient to add another connection? – WolfgangM May 24 '22 at 09:22
  • Does your existing VPN Gateway have a public IP? If not, it will not be possible to connect to the VPN. Maybe you can modify the existing VPN Gateway; otherwise adding an additional VPN Gateway with a public IP will help. But this public endpoint needs additional security like firewalls. – Markus Meyer May 24 '22 at 09:42
  • The existing VPN Gateway has a public IP attached. A VPN Gateway doesn't do anything before adding a connection to it, right? I can add an additional connection but it must either be a VNet-to-VNet or a Site-to-Site connection. Both of them need a second VNet Gateway (or Local Network Gateway) which I don't have and also doesn't make sense. Am I missing something here? – WolfgangM May 24 '22 at 12:39