Azure,Application Gateway,WAF,Key Vault,NSG,Virtual Network,Security,SSL,Https,Apps Service,Certificat,Identity,APIM
## Description
The architecture deploys a complete API Management environment, protected by an Application Gateway with Web Application Firewall (WAF), hosted in a virtual network for enhanced security, and exposes three interfaces: gateway (API), management, and developer portal.
**N.B:**
- The Terraform code is automatically generated with best practices and contains variables that you can customize to fit your needs.
- You have full control to change, add, delete resources or their configuration. The newly generated code will reflect these changes.
- You can replace some resources with Terraform modules.
> terraform apply status: successful
>
## Architecture components
| **Component** | **Description** |
|--------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Resource Group** | Container for all deployed resources, providing a logical boundary for management and billing purposes. |
| **Virtual Network (VNet)** | Primary network infrastructure that isolates and secures all components with address space 10.0.0.0/16. |
| **Subnets** | Dedicated subnets for Application Gateway (10.0.0.0/24) and API Management (10.0.1.0/24), enabling proper network segmentation. |
| **Application Gateway** | Acts as the secure entry point for API traffic with SSL/TLS termination, load balancing, and routing to the appropriate APIM endpoints. |
| **Web Application Firewall (WAF)** | Integrated with Application Gateway to protect APIs against known vulnerabilities using OWASP 3.2 ruleset and custom rules blocking SQL injection attacks. |
| **API Management** | Core API platform deployed in internal VNet mode, providing API gateway, developer portal, and management capabilities with custom domain support. |
| **Azure Key Vault** | Securely stores SSL certificates and secrets, accessed via managed identities to eliminate credential storage in configuration. |
| **User-Assigned Managed Identity** | Grants Application Gateway and APIM secure, role-based access to Key Vault without exposing credentials. |
| **Private DNS Zone** | Provides internal name resolution for API Management endpoints, keeping traffic within the virtual network. |
| **Network Security Groups (NSGs)** | Enforce traffic rules on subnets, allowing only necessary communication between Application Gateway and APIM while blocking other inbound traffic. |
| **Public IPs** | Standard SKU public IP addresses with DNS labels for public access to Application Gateway and APIM endpoints. |
| **Log Analytics Workspaces** | Dedicated workspaces for Application Gateway and APIM, collecting diagnostic logs and metrics for monitoring and troubleshooting. |
| **Custom Domains** | Branded domain names for API gateway, developer portal, and management endpoints using certificates from Key Vault. |
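As an added example of the WAF configuration the table describes (not code from the generated architecture): a WAF policy in Prevention mode with the OWASP 3.2 managed rule set, a custom blocking rule, and diagnostic settings that send the firewall and access logs to Log Analytics. It assumes the `resource_group_name` and `location` variables listed under "How to use the architecture" are declared, and that `azurerm_application_gateway.example` and `azurerm_log_analytics_workspace.example_agw` are the gateway and workspace resources of your deployment; all `example_*` names are placeholders.

```hcl
# Added example (not the generated architecture's own code): WAF policy built from
# the page's waf_* variables; "example_*" resources and the gateway/workspace are assumed.
variable "waf_enabled"          { default = true }
variable "waf_firewall_mode"    { default = "Prevention" } # "Detection" only logs matches
variable "waf_rule_set_version" { default = "3.2" }

resource "azurerm_web_application_firewall_policy" "example_waf" {
  name                = "wafpolicy-agw"
  resource_group_name = var.resource_group_name
  location            = var.location
  policy_settings {
    enabled            = var.waf_enabled
    mode               = var.waf_firewall_mode
    request_body_check = true # inspect bodies, not only URI and headers
  }
  # OWASP core rule set; its REQUEST-942 group is the managed SQL injection coverage.
  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = var.waf_rule_set_version
    }
  }

  # Custom rule evaluated before the managed set (constructed illustration): block
  # query strings carrying "union select" after URL-decoding and lower-casing, so
  # encoding and case variations still hit the match.
  custom_rules {
    name      = "BlockSqlUnionInQueryString"
    priority  = 10
    rule_type = "MatchRule"
    action    = "Block"
    match_conditions {
      match_variables { variable_name = "QueryString" }
      operator           = "Contains"
      negation_condition = false
      transforms         = ["UrlDecode", "Lowercase"]
      match_values       = ["union select"]
    }
  }
}
# Reference this policy via firewall_policy_id on the azurerm_application_gateway
# (sku tier "WAF_v2") and ship its firewall and access logs to Log Analytics.
resource "azurerm_monitor_diagnostic_setting" "example_agw_logs" {
  name                       = "agw-diag-to-law"
  target_resource_id         = azurerm_application_gateway.example.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example_agw.id
  enabled_log { category = "ApplicationGatewayFirewallLog" }
  enabled_log { category = "ApplicationGatewayAccessLog" }
}
```

Run the policy in `Detection` mode first and review `ApplicationGatewayFirewallLog` entries for false positives against your own APIs before switching to `Prevention`.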
## Requirements
| Name | Configuration |
| --- | --- |
| Terraform | all versions |
| Provider | Azure |
| Provider version | >= 4.17 |
| Access | Admin access |
## How to use the architecture
Clone the architecture and modify the following variables according to your needs:
### Azure API Management with Application Gateway - Variables
| **Variable** | **Description** | **Example Value** |
|--------------|-----------------|-------------------|
| **agw_identity_name** | Name of the user-assigned managed identity for Application Gateway | `"agw-user-identity"` |
| **api_record** | DNS record name for the API endpoint in private DNS zone | `"api"` |
| **apim_management_host_name** | Custom hostname for APIM management endpoint | `"management.contoso.com"` |
| **apim_name** | Name of the API Management service instance | `"apim-contoso-dev-bb2"` |
| **apim_portal_host_name** | Custom hostname for APIM developer portal | `"portal.contoso.com"` |
| **apim_private_ip** | Static private IP address for the APIM instance | `"10.0.1.4"` |
| **apim_proxy_host_name** | Custom hostname for APIM gateway/proxy endpoint | `"api.contoso.com"` |
| **apim_public_ip_dns_label** | DNS label for APIM public IP address | `"apim-contoso-terraform"` |
| **apim_public_ip_name** | Name of the public IP resource for APIM | `"pip-apim"` |
| **apim_sku_name** | SKU/tier for the APIM instance | `"Developer_1"` |
| **apim_subnet_address_prefix** | CIDR range for the APIM subnet | `"10.0.1.0/24"` |
| **apim_subnet_name** | Name of the subnet dedicated to APIM | `"apimSubnet"` |
| **app_gateway_name** | Name of the Application Gateway instance | `"agw-contoso-terraform"` |
| **app_gateway_private_ip_address** | Static private IP address for App Gateway | `"10.0.0.100"` |
| **app_gateway_public_ip_dns_label** | DNS label for App Gateway public IP | `"apim-contoso-dev-terraform"` |
| **app_gateway_public_ip_name** | Name of the public IP resource for App Gateway | `"pip-agw"` |
| **app_gateway_subnet_address_prefix** | CIDR range for the App Gateway subnet | `"10.0.0.0/24"` |
| **app_gateway_subnet_name** | Name of the subnet dedicated to Application Gateway | `"appGatewaySubnet"` |
| **key_vault_name** | Name of the Key Vault resource | `"kv-contoso-dev-terraform"` |
| **location** | Azure region for resource deployment | `"eastus"` |
| **log_analytics_workspace_name** | Name of Log Analytics workspace for App Gateway | `"lg-agw-demo"` |
| **log_analytics_workspace_name_apim** | Name of Log Analytics workspace for APIM | `"lg-apim-demo"` |
| **management_record** | DNS record for management endpoint in private DNS | `"management"` |
| **nsg_agw_name** | Name of Network Security Group for App Gateway | `"nsg-agw"` |
| **nsg_apim_name** | Name of Network Security Group for APIM | `"nsg-apim"` |
| **portal_record** | DNS record for portal endpoint in private DNS | `"portal"` |
| **private_dns_zone_name** | Name of the private DNS zone | `"contoso.com"` |
| **publisher_email** | Email address of the APIM publisher | `"samir.belkessa@gmail.com"` |
| **publisher_name** | Name of the APIM publisher | `"contoso"` |
| **resource_group_name** | Name of the resource group | `"rg-cc-agw-apim-demo-terraform"` |
| **tags** | Resource tags for organization | `{ archuuid = "02e682b1-9d45-4fd4-9e82-6fcaf04b80d5", env = "Development" }` |
| **virtual_network_link** | Name of the link between private DNS and VNet | `"mylink"` |
| **vnet_address_space** | CIDR range for the virtual network | `"10.0.0.0/16"` |
| **vnet_name** | Name of the virtual network | `"vnet-contoso"` |
| **waf_enabled** | Flag to enable/disable WAF | `"true"` |
| **waf_firewall_mode** | WAF operation mode (Prevention/Detection) | `"Prevention"` |
| **waf_rule_set_version** | Version of WAF ruleset to use | `"3.2"` |
| **wildcard_certificate_name** | Name of the wildcard certificate in Key Vault | `"allowlistcert1"` |
| **wildcard_certificate_password** | Password for the certificate PFX file | `"Exploitation01"` |
| **wildcard_certificate_path** | Path to the certificate PFX file | `"allowlistcert1.pfx"` |
**N.B:**
- Feel free to remove the resources that are not relevant to your use-case.
- Some variables have default values; change them if they don't fit your deployment.
## Maintainer(s)
You can reach out to these maintainers if you need help or assistance:
- [Brainboard team](mailto:support@brainboard.co)