Integrate API Management in an internal VNET with Application Gateway

Overview

The API Management service can be configured in a Virtual Network in internal mode, which makes it accessible only from within the Virtual Network. Azure Application Gateway is a PaaS service that provides a Layer-7 load balancer. It acts as a reverse-proxy service and provides among its offering a Web Application Firewall (WAF).

Combining API Management provisioned in an internal VNET with the Application Gateway frontend enables the following scenarios:

  • Use the same API Management resource for consumption by both internal consumers and external consumers.
  • Use a single API Management resource and have a subset of APIs defined in API Management available for external consumers.
  • Provide a turn-key way to switch access to API Management from the public Internet on and off.

Availability

Important

This feature is available in the Premium and Developer tiers of API Management.

Prerequisites

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

To follow the steps described in this article, you must have:

  • An active Azure subscription.

    If you don't have an Azure subscription, create a trial account before you begin.

  • Certificates - pfx and cer for the API hostname and pfx for the developer portal's hostname.

Scenario

This article covers how to use a single API Management service for both internal and external consumers and make it act as a single frontend for both on-premises and cloud APIs. You will also see how to expose only a subset of your APIs (in the example they are highlighted in green) for external consumption using routing functionality available in Application Gateway.

In the first setup example, all your APIs are managed only from within your Virtual Network. Internal consumers (highlighted in orange) can access all your internal and external APIs. Traffic never goes out to the internet. High performance connectivity is delivered via Express Route circuits.

Figure: URL routing

Before you begin

What is required to create an integration between API Management and Application Gateway?

  • Back-end server pool: This is the internal virtual IP address of the API Management service.
  • Back-end server pool settings: Every pool has settings like port, protocol, and cookie-based affinity. These settings are applied to all servers within the pool.
  • Front-end port: This is the public port that is opened on the application gateway. Traffic hitting it gets redirected to one of the back-end servers.
  • Listener: The listener has a front-end port, a protocol (Http or Https, these values are case-sensitive), and the TLS/SSL certificate name (if configuring TLS offload).
  • Rule: The rule binds a listener to a back-end server pool.
  • Custom Health Probe: Application Gateway, by default, uses IP address based probes to figure out which servers in the BackendAddressPool are active. The API Management service only responds to requests with the correct host header, hence the default probes fail. A custom health probe needs to be defined to help application gateway determine that the service is alive and it should forward requests.
  • Custom domain certificates: To access API Management from the internet, you need to create a CNAME mapping of its hostname to the Application Gateway front-end DNS name. This ensures that the hostname header and certificate sent to Application Gateway and forwarded to API Management are ones that APIM can recognize as valid. In this example, we will use two certificates - for the backend and for the developer portal.

Steps required for integrating API Management and Application Gateway

  1. Create a resource group for Resource Manager.
  2. Create a Virtual Network, subnet, and public IP for the Application Gateway. Create another subnet for API Management.
  3. Create an API Management service inside the VNET subnet created above and ensure you use the Internal mode.
  4. Set up a custom domain name in the API Management service.
  5. Create an Application Gateway configuration object.
  6. Create an Application Gateway resource.
  7. Create a CNAME from the public DNS name of the Application Gateway to the API Management proxy hostname.

Exposing the developer portal externally through Application Gateway

In this guide we will also expose the developer portal to external audiences through the Application Gateway. It requires additional steps to create the developer portal's listener, probe, settings and rules. All details are provided in the respective steps.

Warning

If you use Azure AD or third party authentication, please enable cookie-based session affinity feature in Application Gateway.

Warning

To prevent Application Gateway WAF from breaking the download of OpenAPI specification in the developer portal, you need to disable the firewall rule 942200 - "Detects MySQL comment-/space-obfuscated injections and backtick termination".

Create a resource group for Resource Manager

Step 1

Log in to Azure

Connect-AzAccount -Environment AzureChinaCloud

Authenticate with your credentials.

Step 2

Select the desired subscription.

$subscriptionId = "00000000-0000-0000-0000-000000000000" # GUID of your Azure subscription
Get-AzSubscription -Subscriptionid $subscriptionId | Select-AzSubscription

Step 3

Create a resource group (skip this step if you're using an existing resource group).

$resGroupName = "apim-appGw-RG" # resource group name
$location = "China North"           # Azure region
New-AzResourceGroup -Name $resGroupName -Location $location

Azure Resource Manager requires that all resource groups specify a location. This is used as the default location for resources in that resource group. Make sure that all commands to create an application gateway use the same resource group.

Create a Virtual Network and a subnet for the application gateway

The following example shows how to create a Virtual Network using Resource Manager.

Step 1

Assign the address range 10.0.0.0/24 to the subnet variable to be used for Application Gateway while creating a Virtual Network.

$appgatewaysubnet = New-AzVirtualNetworkSubnetConfig -Name "apim01" -AddressPrefix "10.0.0.0/24"

Step 2

Assign the address range 10.0.1.0/24 to the subnet variable to be used for API Management while creating a Virtual Network.

$apimsubnet = New-AzVirtualNetworkSubnetConfig -Name "apim02" -AddressPrefix "10.0.1.0/24"

Step 3

Create a Virtual Network named appgwvnet in resource group apim-appGw-RG for the China North region. Use the prefix 10.0.0.0/16 with subnets 10.0.0.0/24 and 10.0.1.0/24.

$vnet = New-AzVirtualNetwork -Name "appgwvnet" -ResourceGroupName $resGroupName -Location $location -AddressPrefix "10.0.0.0/16" -Subnet $appgatewaysubnet,$apimsubnet

Step 4

Assign a subnet variable for the next steps.

$appgatewaysubnetdata = $vnet.Subnets[0]
$apimsubnetdata = $vnet.Subnets[1]

Create an API Management service inside a VNET configured in internal mode

The following example shows how to create an API Management service in a VNET configured for internal access only.

Step 1

Create an API Management Virtual Network object using the subnet $apimsubnetdata created above.

$apimVirtualNetwork = New-AzApiManagementVirtualNetwork -SubnetResourceId $apimsubnetdata.Id

Step 2

Create an API Management service inside the Virtual Network.

$apimServiceName = "ContosoApi"       # API Management service instance name
$apimOrganization = "Contoso"         # organization name
$apimAdminEmail = "admin@contoso.com" # administrator's email address
$apimService = New-AzApiManagement -ResourceGroupName $resGroupName -Location $location -Name $apimServiceName -Organization $apimOrganization -AdminEmail $apimAdminEmail -VirtualNetwork $apimVirtualNetwork -VpnType "Internal" -Sku "Developer"

After the above command succeeds, refer to DNS Configuration required to access internal VNET API Management service to access it. This step may take more than half an hour.

Set up a custom domain name in API Management

Important

The new developer portal also requires enabling connectivity to the API Management's management endpoint in addition to the steps below.

Step 1

Initialize the following variables with the details of the certificates with private keys for the domains. In this example, we will use api.contoso.net and portal.contoso.net.

$gatewayHostname = "api.contoso.net"                 # API gateway host
$portalHostname = "portal.contoso.net"               # API developer portal host
$gatewayCertCerPath = "C:\Users\Contoso\gateway.cer" # full path to api.contoso.net .cer file
$gatewayCertPfxPath = "C:\Users\Contoso\gateway.pfx" # full path to api.contoso.net .pfx file
$portalCertPfxPath = "C:\Users\Contoso\portal.pfx"   # full path to portal.contoso.net .pfx file
$gatewayCertPfxPassword = "certificatePassword123"   # password for api.contoso.net pfx certificate
$portalCertPfxPassword = "certificatePassword123"    # password for portal.contoso.net pfx certificate

$certPwd = ConvertTo-SecureString -String $gatewayCertPfxPassword -AsPlainText -Force
$certPortalPwd = ConvertTo-SecureString -String $portalCertPfxPassword -AsPlainText -Force

Step 2

Create and set the hostname configuration objects for the proxy and for the portal.

$proxyHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $gatewayHostname -HostnameType Proxy -PfxPath $gatewayCertPfxPath -PfxPassword $certPwd
$portalHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $portalHostname -HostnameType DeveloperPortal -PfxPath $portalCertPfxPath -PfxPassword $certPortalPwd

$apimService.ProxyCustomHostnameConfiguration = $proxyHostnameConfig
$apimService.PortalCustomHostnameConfiguration = $portalHostnameConfig
Set-AzApiManagement -InputObject $apimService

Note

To configure the legacy developer portal connectivity you need to replace -HostnameType DeveloperPortal with -HostnameType Portal.

Create a public IP address for the front-end configuration

Create a public IP resource publicIP01 in the resource group.

$publicip = New-AzPublicIpAddress -ResourceGroupName $resGroupName -Name "publicIP01" -Location $location -AllocationMethod Dynamic

An IP address is assigned to the application gateway when the service starts.

Create application gateway configuration

All configuration items must be set up before creating the application gateway. The following steps create the configuration items that are needed for an application gateway resource.

Step 1

Create an application gateway IP configuration named gatewayIP01. When Application Gateway starts, it picks up an IP address from the configured subnet and routes network traffic to the IP addresses in the back-end IP pool. Keep in mind that each instance takes one IP address.

$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "gatewayIP01" -Subnet $appgatewaysubnetdata

Step 2

Configure the front-end IP port for the public IP endpoint. This port is the port that end users connect to.

$fp01 = New-AzApplicationGatewayFrontendPort -Name "port01" -Port 443

Step 3

Configure the front-end IP with public IP endpoint.

$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "frontend1" -PublicIPAddress $publicip

Step 4

Configure the certificates for the Application Gateway, which will be used to decrypt and re-encrypt the traffic passing through.

$cert = New-AzApplicationGatewaySslCertificate -Name "cert01" -CertificateFile $gatewayCertPfxPath -Password $certPwd
$certPortal = New-AzApplicationGatewaySslCertificate -Name "cert02" -CertificateFile $portalCertPfxPath -Password $certPortalPwd

Step 5

Create the HTTP listeners for the Application Gateway. Assign the front-end IP configuration, port, and TLS/SSL certificates to them.

$listener = New-AzApplicationGatewayHttpListener -Name "listener01" -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 -SslCertificate $cert -HostName $gatewayHostname -RequireServerNameIndication true
$portalListener = New-AzApplicationGatewayHttpListener -Name "listener02" -Protocol "Https" -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 -SslCertificate $certPortal -HostName $portalHostname -RequireServerNameIndication true

Step 6

Create custom probes to the API Management service ContosoApi proxy domain endpoint. The path /status-0123456789abcdef is a default health endpoint hosted on all the API Management services. Set api.contoso.net as a custom probe hostname to secure it with the TLS/SSL certificate.

Note

The hostname contosoapi.azure-api.net is the default proxy hostname configured when a service named contosoapi is created in public Azure.

$apimprobe = New-AzApplicationGatewayProbeConfig -Name "apimproxyprobe" -Protocol "Https" -HostName $gatewayHostname -Path "/status-0123456789abcdef" -Interval 30 -Timeout 120 -UnhealthyThreshold 8
$apimPortalProbe = New-AzApplicationGatewayProbeConfig -Name "apimportalprobe" -Protocol "Https" -HostName $portalHostname -Path "/signin" -Interval 60 -Timeout 300 -UnhealthyThreshold 8

Step 7

Upload the certificate to be used on the TLS-enabled backend pool resources. This is the same certificate which you provided in Step 4 above.

$authcert = New-AzApplicationGatewayAuthenticationCertificate -Name "whitelistcert1" -CertificateFile $gatewayCertCerPath

Step 8

Configure HTTP backend settings for the Application Gateway. This includes setting a time-out limit for backend requests, after which they're canceled. This value is different from the probe time-out.

$apimPoolSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolSetting" -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimprobe -AuthenticationCertificates $authcert -RequestTimeout 180
$apimPoolPortalSetting = New-AzApplicationGatewayBackendHttpSettings -Name "apimPoolPortalSetting" -Port 443 -Protocol "Https" -CookieBasedAffinity "Disabled" -Probe $apimPortalProbe -AuthenticationCertificates $authcert -RequestTimeout 180

Step 9

Configure a back-end IP address pool named apimbackend with the internal virtual IP address of the API Management service created above.

$apimProxyBackendPool = New-AzApplicationGatewayBackendAddressPool -Name "apimbackend" -BackendIPAddresses $apimService.PrivateIPAddresses[0]

Step 10

Create rules for the Application Gateway to use basic routing.

$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType Basic -HttpListener $listener -BackendAddressPool $apimProxyBackendPool -BackendHttpSettings $apimPoolSetting
$rule02 = New-AzApplicationGatewayRequestRoutingRule -Name "rule2" -RuleType Basic -HttpListener $portalListener -BackendAddressPool $apimProxyBackendPool -BackendHttpSettings $apimPoolPortalSetting

Tip

Change the -RuleType and routing to restrict access to certain pages of the developer portal.

Step 11

Configure the number of instances and size for the Application Gateway. In this example, we are using the WAF SKU for increased security of the API Management resource.

$sku = New-AzApplicationGatewaySku -Name "WAF_Medium" -Tier "WAF" -Capacity 2

Step 12

Configure WAF to be in "Prevention" mode.

$config = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode "Prevention"
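
The warning earlier in this article asks for rule 942200 to be disabled, while the configuration above leaves every rule active. The following is an added example, not part of the original article, that rebuilds $config in Prevention mode with only that rule excluded. The OWASP 3.0 rule set, the rule group name that goes with it, and the variable names other than $config are assumptions.

```powershell
# Added example. Assumes the gateway uses the OWASP 3.0 rule set, in which rule 942200
# belongs to the group REQUEST-942-APPLICATION-ATTACK-SQLI.
$ruleSetVersion = "3.0"
$sqliGroup      = "REQUEST-942-APPLICATION-ATTACK-SQLI"
$rulesToDisable = @(942200)   # the only rule the article says must be disabled

# Disable the single rule; every other rule in the SQL injection group stays active.
# Omitting -Rules would disable the whole group, which the guard below rejects.
$disabledSqli = New-AzApplicationGatewayFirewallDisabledRuleGroupConfig -RuleGroupName $sqliGroup -Rules $rulesToDisable

# Same Prevention-mode configuration as Step 12, with the rule set pinned and the exclusion attached.
$config = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode "Prevention" -RuleSetType "OWASP" -RuleSetVersion $ruleSetVersion -DisabledRuleGroup $disabledSqli

# Guard: stop before the gateway is created if the exclusion is broader than intended.
$disabled = @($config.DisabledRuleGroups | ForEach-Object { $_.Rules })
if ($disabled.Count -ne 1 -or $disabled[0] -ne 942200) {
    throw "Unexpected WAF exclusions: $($disabled -join ', ')"
}
```

These cmdlets only build in-memory configuration objects, so the block can be run before any Azure resource exists.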

Create Application Gateway

Create an Application Gateway with all the configuration objects from the preceding steps.

$appgwName = "apim-app-gw"
$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $resGroupName -Location $location -BackendAddressPools $apimProxyBackendPool -BackendHttpSettingsCollection $apimPoolSetting, $apimPoolPortalSetting  -FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 -HttpListeners $listener, $portalListener -RequestRoutingRules $rule01, $rule02 -Sku $sku -WebApplicationFirewallConfig $config -SslCertificates $cert, $certPortal -AuthenticationCertificates $authcert -Probes $apimprobe, $apimPortalProbe
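
Once the gateway exists, the properties this article relies on (internal-only API Management, WAF in Prevention mode, HTTPS listeners with SNI, re-encrypted backend traffic, a pool that holds only the API Management internal IP) can be checked in one pass. The following is an added example, not part of the original article; the function name Test-ApimGatewayExposure and the sample objects are hypothetical, and the property names assume the object shapes returned by Get-AzApplicationGateway and Get-AzApiManagement.

```powershell
# Added example: returns one finding per deviation from the deployment this article builds.
function Test-ApimGatewayExposure {
    param(
        [Parameter(Mandatory)] $AppGw,  # shaped like Get-AzApplicationGateway output
        [Parameter(Mandatory)] $Apim    # shaped like Get-AzApiManagement output
    )
    $findings = @()

    # API Management must be reachable only from inside the VNET.
    if ("$($Apim.VpnType)" -ne 'Internal') {
        $findings += "APIM VpnType is '$($Apim.VpnType)', expected 'Internal'"
    }
    # The WAF must be enabled and blocking, not only logging.
    $waf = $AppGw.WebApplicationFirewallConfiguration
    if (-not $waf -or -not $waf.Enabled) {
        $findings += 'WAF is not enabled'
    } elseif ($waf.FirewallMode -ne 'Prevention') {
        $findings += "WAF mode is '$($waf.FirewallMode)', expected 'Prevention'"
    }
    # Every public listener terminates TLS and requires SNI.
    foreach ($l in $AppGw.HttpListeners) {
        if ($l.Protocol -ne 'Https') {
            $findings += "Listener $($l.Name) uses $($l.Protocol)"
        }
        if ("$($l.RequireServerNameIndication)" -ne 'True') {
            $findings += "Listener $($l.Name) does not require SNI"
        }
    }
    # Traffic from the gateway to API Management is re-encrypted.
    foreach ($s in $AppGw.BackendHttpSettingsCollection) {
        if ($s.Protocol -ne 'Https') {
            $findings += "Backend setting $($s.Name) uses $($s.Protocol)"
        }
    }
    # The backend pool contains nothing but the API Management internal virtual IP.
    foreach ($p in $AppGw.BackendAddressPools) {
        foreach ($a in $p.BackendAddresses) {
            if ($a.IpAddress -notin $Apim.PrivateIPAddresses) {
                $findings += "Pool $($p.Name) targets $($a.IpAddress), not an APIM private IP"
            }
        }
    }
    $findings
}

# Constructed sample objects (not output from a real deployment); 10.0.1.5 is a made-up address.
$sampleApim = [pscustomobject]@{ VpnType = 'Internal'; PrivateIPAddresses = @('10.0.1.5') }
$sampleGw = [pscustomobject]@{
    WebApplicationFirewallConfiguration = [pscustomobject]@{ Enabled = $true; FirewallMode = 'Detection' }
    HttpListeners = @([pscustomobject]@{ Name = 'listener01'; Protocol = 'Https'; RequireServerNameIndication = $true })
    BackendHttpSettingsCollection = @([pscustomobject]@{ Name = 'apimPoolSetting'; Protocol = 'Https' })
    BackendAddressPools = @([pscustomobject]@{ Name = 'apimbackend'
        BackendAddresses = @([pscustomobject]@{ IpAddress = '10.0.1.5' }) })
}
Test-ApimGatewayExposure -AppGw $sampleGw -Apim $sampleApim

# Against the deployment from this article (requires a signed-in Az session):
# Test-ApimGatewayExposure -AppGw (Get-AzApplicationGateway -Name $appgwName -ResourceGroupName $resGroupName) `
#     -Apim (Get-AzApiManagement -ResourceGroupName $resGroupName -Name $apimServiceName)
```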

CNAME the API Management proxy hostname to the public DNS name of the Application Gateway resource

Once the gateway is created, the next step is to configure the front end for communication. When using a public IP, Application Gateway requires a dynamically assigned DNS name, which may not be easy to use.

The Application Gateway's DNS name should be used to create a CNAME record which points the APIM proxy host name (e.g. api.contoso.net in the examples above) to this DNS name. To configure the frontend IP CNAME record, retrieve the details of the Application Gateway and its associated IP/DNS name using the PublicIPAddress element. The use of A-records is not recommended since the VIP may change on restart of gateway.

Get-AzPublicIpAddress -ResourceGroupName $resGroupName -Name "publicIP01"

Summary

Azure API Management configured in a VNET provides a single gateway interface for all configured APIs, whether they are hosted on premises or in the cloud. Integrating Application Gateway with API Management provides the flexibility of selectively enabling particular APIs to be accessible on the Internet, as well as providing a Web Application Firewall as a frontend to your API Management instance.
