Secure back end

This sample script secures the backend with mutual certificate authentication.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

If you choose to install and use PowerShell locally, this tutorial requires the Azure PowerShell module version 1.0 or later. Run Get-Module -ListAvailable Az to find the version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

Sample script

##########################################################
#  Script to set up backend mutual authentication using certificates
##########################################################

# Short random suffix so the service and resource group names are unique
$random = (New-Guid).ToString().Substring(0,8)

# Azure-specific details
$subscriptionId = "my-azure-subscription-id"

# API Management service-specific details
$apimServiceName = "apim-$random"
$resourceGroupName = "apim-rg-$random"
$location = "China East"
$organisation = "Contoso"
$adminEmail = "admin@contoso.com"

# Certificate (PFX) used for mutual authentication with the backend
$certificateFilePath = "<Replace with path to the Certificate to be used for Mutual Authentication>"
$certificatePassword = '<Password used to secure the Certificate>'

# Set the context to the subscription Id where the service will be created
Select-AzSubscription -SubscriptionId $subscriptionId

# Create a resource group.
New-AzResourceGroup -Name $resourceGroupName -Location $location

# Create the API Management service. Since the SKU is not specified, it creates a service with Developer SKU.
New-AzApiManagement -ResourceGroupName $resourceGroupName -Name $apimServiceName -Location $location -Organization $organisation -AdminEmail $adminEmail

# Create the API Management context
$context = New-AzApiManagementContext -ResourceGroupName $resourceGroupName -ServiceName $apimServiceName

# Upload the certificate
$cert = New-AzApiManagementCertificate -Context $context -PfxFilePath $certificateFilePath -PfxPassword $certificatePassword

# Create an authentication-certificate policy with the thumbprint of the certificate
$apiPolicy = "<policies><inbound><base /><authentication-certificate thumbprint=""" + $cert.Thumbprint + """ /></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>"
$echoApi = Get-AzApiManagementApi -Context $context -Name "Echo API"

# Set the policy at the API level (the Echo API). Policies can be applied at entire API Management Service Scope, Api Scope, Product Scope and Api Operation Scope
Set-AzApiManagementPolicy -Context $context -Policy $apiPolicy -ApiId $echoApi.ApiId
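
The following is an added example, not part of the original sample script: it checks that a client certificate is usable for mutual authentication (private key, validity window, Client Authentication EKU) and that a policy document references the expected thumbprint. The function names, the 30-day threshold and the in-memory certificate are assumptions made for illustration, and the policy is assumed to be plain XML, as in the sample script.

```powershell
# Hypothetical helper: returns the reasons a certificate is unsuitable as a client certificate.
function Test-MutualAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [int]$MinDaysLeft = 30)
    $problems = @()
    $now = Get-Date
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key, so it cannot authenticate a client' }
    if ($now -lt $Certificate.NotBefore) { $problems += "not valid before $($Certificate.NotBefore)" }
    if ($now -gt $Certificate.NotAfter) {
        $problems += "expired on $($Certificate.NotAfter)"
    } elseif (($Certificate.NotAfter - $now).TotalDays -lt $MinDaysLeft) {
        $problems += "expires in fewer than $MinDaysLeft days"
    }
    # An EKU extension, when present, must permit Client Authentication (OID 1.3.6.1.5.5.7.3.2).
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and (($eku.EnhancedKeyUsages | ForEach-Object Value) -notcontains '1.3.6.1.5.5.7.3.2')) {
        $problems += 'EKU does not include Client Authentication'
    }
    $problems
}

# Hypothetical helper: lists every thumbprint referenced by authentication-certificate elements.
function Get-PolicyCertificateThumbprint {
    param([string]$PolicyXml)
    $doc = [System.Xml.XmlDocument]::new()
    $doc.XmlResolver = $null   # do not resolve external entities or DTDs
    $doc.LoadXml($PolicyXml)
    $doc.SelectNodes('//authentication-certificate') | ForEach-Object { $_.GetAttribute('thumbprint') }
}

# Constructed throwaway certificate (20 days of validity) so the checks run offline.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=constructed-apim-client', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample = $request.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(20))
Test-MutualAuthCertificate -Certificate $sample | ForEach-Object { Write-Warning $_ }

# Same policy shape as the sample script, built with the constructed thumbprint.
$policy = "<policies><inbound><base /><authentication-certificate thumbprint=""$($sample.Thumbprint)"" /></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>"
if ((Get-PolicyCertificateThumbprint $policy) -notcontains $sample.Thumbprint) {
    Write-Warning 'policy does not reference the expected certificate'
}

# In the session that ran the sample script (assumption), check the real objects instead:
#   $pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificateFilePath, $certificatePassword)
#   Test-MutualAuthCertificate -Certificate $pfx
#   Get-PolicyCertificateThumbprint (Get-AzApiManagementPolicy -Context $context -ApiId $echoApi.ApiId)
```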

Clean up resources

When no longer needed, you can use the Remove-AzResourceGroup command to remove the resource group and all related resources.

Remove-AzResourceGroup -Name $resourceGroupName

Next steps

For more information on the Azure PowerShell module, see Azure PowerShell documentation.

Additional Azure PowerShell samples for Azure API Management can be found in the PowerShell samples.