Starting from the sample by Paolo Salvatori, this exercise introduces a few additional objects:
- A simple API running on App Service (Web App for Containers).
  - Linux plan, image pulled from GitHub, requests forwarded to an external API, Application Insights integration.
- Private Link
  - Azure Private Link lets you reach services hosted on the Azure platform privately, over the Azure backbone network, without traversing the public internet.
  - App Service Private Endpoint (a private IP that secures inbound traffic)
    - Available in Premium v2 and v3 (at the time of writing; support has since been extended to other tiers)
  - App Service regional VNet integration (secures outbound traffic)
  - To keep all inbound and outbound traffic inside the VNet, both the Private Endpoint and regional VNet integration are needed, each in its own subnet. Note that by default only RFC 1918 destinations are routed through the integration subnet; enable Route All (`vnetRouteAllEnabled`) to send all outbound traffic through it.
- ACI VNet integration used as a basic jumpbox (via the Azure portal)
- APIM backends
- APIM global policy for tracing
- APIM subscription key creation
- Edit the ARM template parameter file azuredeploy.parameters.json for a customized deployment.
- Edit the bash script in the "scripts" folder to specify the target subscription ID and resource group.
- Run the command to deploy the sample.
Private endpoint DNS resolution
Each request below carries the APIM subscription key in the Ocp-Apim-Subscription-Key header; the value is the sample's key, so treat it as a secret and rotate it after testing.

To postman echo backend

```shell
curl --location --request GET '' \
  --header 'Ocp-Apim-Subscription-Key: super-secure' \
  --header 'Content-Type: application/json'
```

To Web.Api health

```shell
curl --location --request GET '' \
  --header 'Ocp-Apim-Subscription-Key: super-secure' \
  --header 'Content-Type: application/json'
```

To Web.Api health, forwarded to the external dependency

```shell
curl --location --request GET '' \
  --header 'Ocp-Apim-Subscription-Key: super-secure' \
  --header 'Content-Type: application/json'
```
Global policy error management

```shell
curl --location --request GET '' \
  --header 'Ocp-Apim-Subscription-Key: super-secure' \
  --header 'Content-Type: application/json'
```
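The README lists a global policy for tracing and a global policy error handler but does not show the policy itself. The following is an added example, not the sample's own policy: a Bicep resource that sets the APIM global (all APIs) policy with a trace entry on every request and an on-error section that returns a uniform JSON body carrying only the request id and the failing policy section, so backend exception text never reaches the client. The APIM service name is an assumption.

```bicep
// Added example (not the sample's own policy). Global scope has no parent policy, so there is
// no <base /> here and the backend section must forward the request explicitly.
param apimName string = 'mc-webfront-apim'   // assumed name of an existing API Management instance

resource apim 'Microsoft.ApiManagement/service@2021-08-01' existing = {
  name: apimName
}

resource globalPolicy 'Microsoft.ApiManagement/service/policies@2021-08-01' = {
  parent: apim
  name: 'policy'
  properties: {
    format: 'rawxml'
    value: '''
<policies>
  <inbound>
    <!-- shows up in the trace a caller gets with Ocp-Apim-Trace: true (subscription must allow tracing) -->
    <trace source="global-inbound" severity="information">
      <message>@("request " + context.RequestId + " from " + context.Request.IpAddress)</message>
    </trace>
  </inbound>
  <backend>
    <forward-request />
  </backend>
  <outbound>
    <!-- do not leak backend stack details in response headers -->
    <set-header name="X-Powered-By" exists-action="delete" />
    <set-header name="Server" exists-action="delete" />
  </outbound>
  <on-error>
    <!-- uniform error body: correlation id plus the policy section and reason, no backend message -->
    <set-header name="Content-Type" exists-action="override">
      <value>application/json</value>
    </set-header>
    <set-body>@{
      return new JObject(
        new JProperty("requestId", context.RequestId.ToString()),
        new JProperty("source", context.LastError.Source),
        new JProperty("reason", context.LastError.Reason)
      ).ToString();
    }</set-body>
  </on-error>
</policies>
'''
  }
}
```

The request id returned in the error body is the same value APIM writes to its gateway log, which is what makes the Log Analytics queries further down usable for correlating a client-visible failure with the server-side entry.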
Block SQL injection

```shell
curl --location --request GET '' \
  --header 'Ocp-Apim-Trace: true' \
  --header 'Ocp-Apim-Subscription-Key: super-secure'
```

With Ocp-Apim-Trace: true, APIM answers with an Ocp-Apim-Trace-Location header pointing to a trace of the policy evaluation. This only works for subscriptions that have tracing allowed, and it should stay disabled outside development because the trace reveals backend addresses and policy details.
LogAnalytics query (AFD firewall log)

```kusto
// The source table is not shown on the page; AzureDiagnostics is assumed, since that is the
// table the Front Door diagnostic categories are written to
AzureDiagnostics
| where ResourceType == "FRONTDOORS" and Category == "FrontdoorWebApplicationFirewallLog"
```
LogAnalytics (simple queries)

Front Door access log entries for a given client, time window and URI:

```kusto
AzureDiagnostics  // source table assumed, not shown on the page
| where Category == "FrontdoorAccessLog"
    and userAgent_s == "PostmanRuntime/7.26.8"
    and TimeGenerated between (datetime("2021-01-22 11:58:00") .. datetime("2021-01-22 15:20:00"))
    and requestUri_s contains "health"
| order by TimeGenerated desc
```

The same time window on the API Management gateway log:

```kusto
AzureDiagnostics  // source table assumed, not shown on the page
| where ResourceProvider == "MICROSOFT.APIMANAGEMENT"
    and TimeGenerated between (datetime("2021-01-22 11:58:00") .. datetime("2021-01-22 15:20:00"))
    and url_s contains "health"
| order by TimeGenerated desc
```
Request duration

Request duration in AFD, API Management and Web App for Containers over the last 10 minutes, averaged per second and plotted on one chart:

```kusto
let startDatetime = now(-10m);
let endDatetime = now();
let interval = 1s;
AzureDiagnostics  // source table assumed, not shown on the page
| where Resource == 'MC-WEBFRONT-AFD'
    and TimeGenerated between(startDatetime .. endDatetime)
// Front Door reports timeTaken_s in seconds; App Insights duration is in milliseconds
| extend duration = toreal(timeTaken_s) * 1000,
    service = "Front Door",
    timestamp = TimeGenerated
| project service, duration, timestamp
| union (app("MC-WEBFRONT-APPINS").requests
    | where url contains "-apim."
        and name != "GET /"
        and timestamp between(startDatetime .. endDatetime)
    | extend service = "APIM"
    | project service, duration, timestamp)
| union (app("MC-WEBFRONT-APPINS").requests
    | where url contains "-app."
        and name != "GET /"
        and timestamp between(startDatetime .. endDatetime)
    | extend service = "WebApp"
    | project service, duration, timestamp)
| summarize ['Average Duration'] = avg(duration) by bin(timestamp, interval), service
| render timechart
```
AFD configured with prevention mode
Private Link with Azure DNS
Subresources to be used as groupIds can be found here:
DNS configuration for ACI can be added by putting the following JSON in the properties of the "Microsoft.ContainerInstance/containerGroups" resource:

```json
"dnsConfig": {
  "nameServers": [ "", "" ],
  "options": "ndots:2"
}
```
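The two points above that are easiest to get wrong are the subnet layout (private endpoint and regional VNet integration in two separate subnets) and the groupId used for the private endpoint. The following Bicep is an added example, not the sample's own template: it creates the two subnets, a private endpoint on the web app's "sites" sub-resource for inbound traffic, the privatelink.azurewebsites.net zone linked to the VNet so names resolve to the private IP, and regional VNet integration for outbound traffic. Resource names, address ranges and the existing web app are assumptions.

```bicep
// Added example, not the sample's own template. Names, address ranges and the
// existing web app referenced here are assumptions.
param location string = resourceGroup().location
param webAppName string = 'mc-webfront-app'   // assumed: an existing Premium v2/v3 web app
param vnetName string = 'vnet-webfront'       // assumed

resource webApp 'Microsoft.Web/sites@2021-02-01' existing = {
  name: webAppName
}

resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        // hosts the private endpoint NIC; network policies must be off for private endpoints
        name: 'snet-privateendpoints'
        properties: {
          addressPrefix: '10.0.1.0/24'
          privateEndpointNetworkPolicies: 'Disabled'
        }
      }
      {
        // delegated to App Service for VNet integration; a delegated subnet cannot also host the endpoint
        name: 'snet-appservice-integration'
        properties: {
          addressPrefix: '10.0.2.0/24'
          delegations: [ { name: 'appservice', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
        }
      }
    ]
  }
}

// Private zone for the App Service sub-resource, linked so VNet clients resolve the app name to the private IP
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azurewebsites.net'
  location: 'global'
}

resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnet.id }
  }
}

// Inbound: private endpoint; 'sites' is the groupId for an App Service web app
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-02-01' = {
  name: '${webAppName}-pe'
  location: location
  properties: {
    subnet: { id: vnet.properties.subnets[0].id }
    privateLinkServiceConnections: [
      {
        name: '${webAppName}-plsc'
        properties: {
          privateLinkServiceId: webApp.id
          groupIds: [ 'sites' ]
        }
      }
    ]
  }
}

// Writes the endpoint's private IP as an A record into the private zone
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'azurewebsites', properties: { privateDnsZoneId: privateDnsZone.id } } ]
  }
}

// Outbound: regional VNet integration into the delegated subnet. Set vnetRouteAllEnabled: true in the
// app's siteConfig as well, otherwise only RFC 1918 destinations are routed through this subnet.
resource vnetIntegration 'Microsoft.Web/sites/networkConfig@2021-02-01' = {
  parent: webApp
  name: 'virtualNetwork'
  properties: {
    subnetResourceId: vnet.properties.subnets[1].id
    swiftSupported: true
  }
}
```

Once the private endpoint exists, public access to the app is turned off unless it is explicitly re-enabled, so anything that still has to reach the backend (APIM in this sample) must do so from inside the VNet. The jumpbox in the linked VNet resolves the app's name to the private IP through the zone link, which is the check behind the "Private endpoint DNS resolution" step above.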