Cisco cAPIC / Native Azure API Management for serverless Architecture integration

In this post, I will show how to Integrate Cisco Cloud ACI Fabric with Native Azure APIM.

From cAPIC release 5.1.2 Native Azure Services are supported for cAPIC integration. Previous to this release EPGs were identified by label matching only (ip /region/custom label). For that reason, Native Azure Service support was not possible. This meant you could bring up an EPG, put some EPG selector labels on those and then spin up VMs /3rd party firewalls etc in Azure which had tradional nics, put matching labels on the nics and based on label match the Security Groups in Azure would get configured. This effectively pulled in your endpoint VMs into the correct EPG (security group for Azure). From there you could use all the bells and whistles of ACI and configure policies based on your requirements.

From release 5.1.2 cAPIC for Azure, a new concept of service EPGs has been introduced. Service EPGs match based on Services and some other fields (based on the service). Native Services in Azure do not have traditional endpoints (nics) like a Azure VM does. With Service EPGs, now you can match Azure Services and pull them into Service EPGs. From there you can again utilize the bells and whistles of ACI and create your required policy. This effectively gives you the capability of integrating Native Azure Services with cAPIC.

Below is a screenshot from the cAPIC UI showing the different Native Services that you can integrate.

Figure 1

What is Azure APIM ?

From Azure documentation you can read this:

Azure API Management is a fully managed service that enables customers to publish, secure, transform, maintain, and monitor APIs. With a few clicks in the Azure portal, you can create an API façade that acts as a “front door” through which external and internal applications can access data or business logic implemented by your custom-built backend services, running on Azure, for example on App Service or Azure Kubernetes Service, or hosted outside of Azure, in a private datacenter or on-premises. API Management handles all the tasks involved in mediating API calls, including request authentication and authorization, rate limit and quota enforcement, request and response transformation, logging and tracing, and API version management.

Figure 2

Limitations of APIM:

Before we get started, let’s also look at Azure documentation to make sure we know what limitations are present for Azure  APIM

Figure 3

The one I want to point out in particular is this one:

In my testing, I found that with VPC Peering enabled, and using APIM Internal Mode,  I can access the APIM APIs from westus when the APIM Service EPG and the APIM API backend is on eastus (in the tenant space).

However if I place the APIM Service EPG on HUB (eastus), and APIM backend API Server EPG on Tenant Space in eastus, I cannot access the APIM API service from consumer epg which is on westus.

High Level Overview of Integration:

The below diagrams shows a high level overview of the integration.   To keep this writeup consise and easily readiable, I will not go through the very basic configuration of Tenant/VRF, etc, etc. I’m assuming that you are already well familiar with that.   However, I will show in details all the items that are new that you will need to complete this task successfully.

First we will create the objects as shown in the diagram below.

These are done from cAPIC

Figure 4

Next, we will go to Azure UI and create the below:

Figure 5

Finally we will Test it out with API calls from the  APIM consumer VM by using GET and POST api calls.

Figure 6

Configuring the overlay-2 subnet for housing the APIM Service.  This is done from cAPIC in the cloud context profile.

Figure 7

Next, create the Service EPG for housing the APIM

Figure 8

Make Sure to choose the EP Selector for the service EPG based on the subnet you added in overlay-2 for this purpose.

Figure 9

If you look at Microsoft Azure documentation, you will notice that there are tons of security rules you need to configure APIM.

Figure 10

You don’t need to worry about all that.  cAPIC knows that and will do that for you !

Below you will see that cAPIC has configured inbound rules for you on APIM Subnet.   Also note that from cAPIC release 5.1.x the rules are applied on subnet level (instead of epg level).

Figure 11

Below you will see that cAPIC has configured outbound rules for you on APIM Subnet.   Also note that from cAPIC release 5.1.x the rules are applied on subnet level (instead of epg level).

Figure 12

Please finish off the rest of the cAPIC related tasks that’s listed in Figure 4. (please do that by yourself, I will not guide you through that, as by now you should be well familiar with configuring those basic constructs from cAPIC)

For the backend API simulated server, I have a Flask container that you can deploy in about 5 minutes using the below instructions:

Steps:

ssh to your Ubuntu VM on backend APIM EPG
sudo -i
apt-get update && apt-get upgrade -y
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
sysctl -p
exit # twice, to completecly get out, then ssh back in
sudo apt install docker.io -y
sudo systemctl start docker
sudo systemctl enable docker
sudo groupadd docker
sudo usermod -aG docker $USER
exit # and ssh back in for this to work
docker --version
sudo apt install docker-compose -y
git clone https://github.com/soumukhe/docker-compose-flask.git
cd docker-compose-flask/

docker-compose up --build -d

(Note:  The Flask container is exposed on TCP port 4000, you can verify this by doing a “docker ps“.   main.py is at ~/docker-compose-flask/app/ )

Once done with all the cAPIC related tasks (figure 4), lets start on the Azure Related tasks as shown in Figure 5.

Bring up the APIM Service by following the diagram below:

Figure 13

Finish off the bringup of the APIM Service as shown below.

Figure 14

Next Associate your APIM with cAPIC created vNET and subnet as shown in diagram below.

Figure 15

Next, click and create a Blank API for APIM as shown below

Figure 16

Fill in the fields as shown below

Figure 17

Now, on your APIM created base API, let’s create a GET request object.

Figure 18

Also, create a POST request as shown below.

Figure 19

Click on the GET request item to get the URL for the GET request as shown below

Figure 20

Similarly click on the POST request object to get the URL for POST as shown below

Figure 21

From Overview of APIM Service make a note of the private IP as shown below.

Figure 22

Now SSH to your APIM Consumer VM and add a /etc/hosts entry based on the above information.  This is shown in the diagram below.

Figure 23

Testing:

Now, it’s time to test the service:

From ssh session on APIM-consumer VM send the below GET query:
curl http://apimhub.azure-api.net/myapiserver/accounts

The GET output should show as below:

Figure 24

From ssh session on APIM-consumer VM send the below POST call to insert data:
curl -X POST -H "Content-Type: application/json" -d '{"name" : "kiwi", "balance" : 0.02 }' http://apimhub.azure-api.net/myapiserver/addaccounts

The POST output should show as below:

Figure 25

Conclusion:  

This is yet another example of using Azure Native Service Integration with Cisco Cloud Fabric in Azure from cAPIC release 5.1.x.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.