NSG for Azure API Management external access
I created an API management instance without route and NSG applied to API management subnet, everything worked well. I was able to access the API management portal from internet and Azure portal, and tested backend APIs including internal and internet.
However, due to security concerns, I wanted to use an NSG to control internet access so that only a specific public IP address is allowed to access. So I followed https://docs.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet and created an NSG and applied it to the API management subnet, and clicked "Apply Network Configuration" on the API management instance. Though I am able to access the API management portal from the internet, all tests for APIs failed, showing as below:
HTTP/1.1 401 Unauthorized
date: Wed, 28 Nov 2018 GMT
www-authenticate: AzureApiManagementKey realm="https://itspapim1.azure-api.net/test6",name="Ocp-Apim-Subscription-Key",type="header"
vary: Origin
content-type: application/json
content-length: 152
{
"statusCode": 401,
"message": "Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API."
}
The NSG should work when added to a VNET using External mode.
The error message suggests that the Subscription Key was not passed. Your request should have the "Ocp-Apim-Subscription-Key" header with the appropriate key. Could you confirm if you get this even by passing it?
For Internet APIs to work, your NSG should allow outbound requests to such APIs.
What do you mean by the internal APIs can't get authorization? Is it the same message as above or one from the APIs themselves?
Also, depending on your use case, you might also want to check out this doc. This involves having your APIM inside a VNET and internet access is controlled via an Application Gateway.
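A simplified model of NSG rule evaluation for the scenario in this thread, added here as an example (it is not code from the original posts or from Azure). It shows how a rule set can restrict inbound port 443 to one public IP while still letting API Management reach Internet backends, and how an extra outbound deny breaks those backends. The IP addresses and both rule sets are constructed; the port 3443 management rule with the ApiManagement service tag follows the linked VNET documentation.

```python
import ipaddress

# Simplified NSG model (assumption): lowest priority number wins, first match decides.
# Literal IPs in a flow stand for public Internet hosts; other values are service tags.
DEFAULT_RULES = [  # Azure's built-in default rules
    (65000, "in", "VirtualNetwork", "VirtualNetwork", "*", "allow"),
    (65001, "in", "AzureLoadBalancer", "*", "*", "allow"),
    (65500, "in", "*", "*", "*", "deny"),
    (65000, "out", "VirtualNetwork", "VirtualNetwork", "*", "allow"),
    (65001, "out", "*", "Internet", "*", "allow"),
    (65500, "out", "*", "*", "*", "deny"),
]

def _addr_match(rule_val, flow_val):
    if rule_val in ("*", flow_val):
        return True
    try:
        ip = ipaddress.ip_address(flow_val)
    except ValueError:
        return False                      # flow value is a tag that did not match
    if rule_val == "Internet":
        return True
    try:
        return ip in ipaddress.ip_network(rule_val)
    except ValueError:
        return False                      # rule value is some other tag

def evaluate(rules, direction, src, dst, port):
    """Return (action, priority) of the first rule matching the flow."""
    for prio, rdir, rsrc, rdst, rport, action in sorted(rules + DEFAULT_RULES, key=lambda r: r[0]):
        if (rdir == direction and _addr_match(rsrc, src)
                and _addr_match(rdst, dst) and rport in ("*", port)):
            return action, prio

ALLOWED_CLIENT = "203.0.113.10"           # constructed example address
LOCKED_DOWN = [                           # constructed rule set for the APIM subnet
    (100, "in", ALLOWED_CLIENT + "/32", "VirtualNetwork", 443, "allow"),  # API clients
    (110, "in", "ApiManagement", "VirtualNetwork", 3443, "allow"),        # management endpoint
    (200, "in", "Internet", "VirtualNetwork", "*", "deny"),
]
TOO_STRICT = LOCKED_DOWN + [(300, "out", "*", "*", "*", "deny")]  # also blocks backends

if __name__ == "__main__":
    for name, rules in (("LOCKED_DOWN", LOCKED_DOWN), ("TOO_STRICT", TOO_STRICT)):
        print(name)
        print("  allowed client :443 ->", evaluate(rules, "in", ALLOWED_CLIENT, "VirtualNetwork", 443))
        print("  other client :443   ->", evaluate(rules, "in", "198.51.100.7", "VirtualNetwork", 443))
        print("  Internet backend    ->", evaluate(rules, "out", "VirtualNetwork", "198.51.100.20", 443))
```

The model ignores protocol and the other outbound dependencies API Management needs, so treat it as a way to reason about rule ordering rather than a complete rule list.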