In this post, I will show how to Integrate Cisco Cloud ACI Fabric with Native Azure APIM.
From cAPIC release 5.1.2 Native Azure Services are supported for cAPIC integration. Previous to this release EPGs were identified by label matching only (ip /region/custom label). For that reason, Native Azure Service support was not possible. This meant you could bring up an EPG, put some EPG selector labels on those and then spin up VMs /3rd party firewalls etc in Azure which had tradional nics, put matching labels on the nics and based on label match the Security Groups in Azure would get configured. This effectively pulled in your endpoint VMs into the correct EPG (security group for Azure). From there you could use all the bells and whistles of ACI and configure policies based on your requirements.
From release 5.1.2 cAPIC for Azure, a new concept of service EPGs has been introduced. Service EPGs match based on Services and some other fields (based on the service). Native Services in Azure do not have traditional endpoints (nics) like a Azure VM does. With Service EPGs, now you can match Azure Services and pull them into Service EPGs. From there you can again utilize the bells and whistles of ACI and create your required policy. This effectively gives you the capability of integrating Native Azure Services with cAPIC.
Below is a screenshot from the cAPIC UI showing the different Native Services that you can integrate.
What is Azure APIM ?
From Azure documentation you can read this:
Azure API Management is a fully managed service that enables customers to publish, secure, transform, maintain, and monitor APIs. With a few clicks in the Azure portal, you can create an API façade that acts as a “front door” through which external and internal applications can access data or business logic implemented by your custom-built backend services, running on Azure, for example on App Service or Azure Kubernetes Service, or hosted outside of Azure, in a private datacenter or on-premises. API Management handles all the tasks involved in mediating API calls, including request authentication and authorization, rate limit and quota enforcement, request and response transformation, logging and tracing, and API version management.
Limitations of APIM:
Before we get started, let’s also look at Azure documentation to make sure we know what limitations are present for Azure APIM
The one I want to point out in particular is this one:
- Connectivity from a resource in a globally peered VNET in another region to API Management service in Internal mode will not work due to platform limitation. For more information, see Resources in one virtual network cannot communicate with Azure internal load balancer in peered virtual network
In my testing, I found that with VNET Peering enabled, and using APIM Internal Mode, I can access the APIM APIs from westus when the APIM Service EPG and the APIM API backend is on eastus (in the tenant space).
However if I place the APIM Service EPG on HUB (eastus), and APIM backend API Server EPG on Tenant Space in eastus, I cannot access the APIM API service from consumer epg which is on westus.
High Level Overview of Integration:
The below diagrams shows a high level overview of the integration. To keep this writeup consise and easily readiable, I will not go through the very basic configuration of Tenant/VRF, etc, etc. I’m assuming that you are already well familiar with that. However, I will show in details all the items that are new that you will need to complete this task successfully.
Tasks Overview:
First we will create the objects as shown in the diagram below.
These are done from cAPIC
Next, we will go to Azure UI and create the below:
Finally we will Test it out with API calls from the APIM consumer VM by using GET and POST api calls.
Details of Tasks:
Configuring the overlay-2 subnet for housing the APIM Service. This is done from cAPIC in the cloud context profile.
Service EPGs have Several unique attributes. The CCO document listed here lists them out very nicely and even gives you a table with different possible values. A screenshot of that is shown below:
Next, create the Service EPG for housing the APIM
Notice, in this case we are using Service EPG / Cloud Native Managed/Private
Below may not be true all the time, but it helps me quickly remember without having to look at the document:
Cloud Native Managed is generally used when you have a Managed Service but you still need to attach the endpoint to the VRF from Azure (either UI or Azure CLI). That is the case for APIM or AKS.
Let’s take the case of Storage, In Storage there is no such concept of spinning up storage and attaching the storage endpoint to a vNET. So, for storage we would have chosen Cloud Native. When you use Cloud Native, you also use Private Link Labels to match the EPs into the EPG.
Make Sure to choose the EP Selector for the service EPG based on the subnet you added in overlay-2 for this purpose.
If you look at Microsoft Azure documentation, you will notice that there are tons of security rules you need to configure APIM.
You don’t need to worry about all that. cAPIC knows that and will do that for you !
Below you will see that cAPIC has configured inbound rules for you on APIM Subnet. Also note that from cAPIC release 5.1.x the rules are applied on subnet level (instead of epg level).
Below you will see that cAPIC has configured outbound rules for you on APIM Subnet. Also note that from cAPIC release 5.1.x the rules are applied on subnet level (instead of epg level).
Please finish off the rest of the cAPIC related tasks that’s listed in Figure 4. (please do that by yourself, I will not guide you through that, as by now you should be well familiar with configuring those basic constructs from cAPIC).
For the VMs, please spin up Ubuntu VMs in Azure.
We Need Internet Connectivity to our VMs, so we can ssh to them. We also need internet connectivity from our VMs so, we can install software. We could bring up a L3Out in each Tenant, and make a any/any contract, consumer/provider and get this over with.
However, let’s do an interesting exercise to prove a point.
You know from the previous write-ups that we could use a NLB in hub (infra) and NLB or ALB in Tenant Provider space to get in and out access to our tenant VMs. What about Bastion hosts (jump boxes), that you place in the Tenant vNET that you just want to access? You can use a L3Out in the Tenant space or you can use the HUB Internet to do this. In the North/South Firewall writeup, we do this using the built in “all-internet” external EPG of HUB (please see the results in Figure 22 of that article).
Please see:
North/South Firewall Scaling
East/West Firwall Scaling
However, just for fun, let’s create the outbound connection (to Internet) using a L3 Out in Tenant VRF, while the inbound connection (from Internet), comes in via the HUB (using all-internet external EPG).
Follow the diagram below to setup inbound connection from Internet to the Tenant VMs using the default HUB all-internet L3 out and local L3Outs for outbound connections.
For the backend API simulated server, I have a Flask container that you can deploy in about 5 minutes using the below instructions:
Steps:
ssh to your Ubuntu VM on backend APIM EPG
sudo -i
apt-get update && apt-get upgrade -y
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
sysctl -p
sudo sysctl --system
exit
sudo apt install docker.io -y
sudo systemctl start docker
sudo systemctl enable docker
sudo groupadd docker
sudo usermod -aG docker $USER
exit # and ssh back in for this to work
docker --version
sudo apt install docker-compose -y
git clone https://github.com/soumukhe/apim-flask.git
cd cd apim-flask/
docker-compose up --build -d
(Note: The Flask container is exposed on TCP port 4000, you can verify this by doing a “docker ps“. main.py is at ~/docker-compose-flask/app/ )
Once done with all the cAPIC related tasks (figure 4), lets start on the Azure Related tasks as shown in Figure 5.
Bring up the APIM Service by following the diagram below:
Finish off the bringup of the APIM Service as shown below. (do not move away from the brower tab, open a new browser tab for your azure account if you want to see something there, else your timer will reset and you won’t know for sure how long it’s been)
Note: Before starting on APIM creation, please create a public standard SKU IP that you will have to associate with the APIM.
Next Associate your APIM with cAPIC created vNET and subnet as shown in diagram below. (do not move away from the brower tab, open a new browser tab for your azure account if you want to see something there, else your timer will reset and you won’t know for sure how long it’s been)
Next, click and create a Blank API for APIM as shown below
Fill in the fields as shown below
Now, on your APIM created base API, let’s create a GET request object.
Also, create a POST request as shown below.
Click on the GET request item to get the URL for the GET request as shown below
Similarly click on the POST request object to get the URL for POST as shown below
From Overview of APIM Service make a note of the private IP as shown below.
Now SSH to your APIM Consumer VM and add a /etc/hosts entry based on the above information. This is shown in the diagram below.
Testing:
Now, it’s time to test the service:
From ssh session on APIM-consumer VM send the below GET query:curl http://apimhub.azure-api.net/myapiserver/accounts
The GET output should show as below:
From ssh session on APIM-consumer VM send the below POST call to insert data:curl -X POST -H "Content-Type: application/json" -d '{"name" : "kiwi", "balance" : 0.02 }' http://apimhub.azure-api.net/myapiserver/addaccounts
The POST output should show as below:
Conclusion:
This is yet another example of using Azure Native Service Integration with Cisco Cloud Fabric in Azure from cAPIC release 5.1.x.
References: