Cisco cAPIC / Native Azure API Management for serverless Architecture integration

In this post, I will show how to Integrate Cisco Cloud ACI Fabric with Native Azure APIM.

From cAPIC release 5.1.2 Native Azure Services are supported for cAPIC integration. Previous to this release EPGs were identified by label matching only (ip /region/custom label). For that reason, Native Azure Service support was not possible. This meant you could bring up an EPG, put some EPG selector labels on those and then spin up VMs /3rd party firewalls etc in Azure which had tradional nics, put matching labels on the nics and based on label match the Security Groups in Azure would get configured. This effectively pulled in your endpoint VMs into the correct EPG (security group for Azure). From there you could use all the bells and whistles of ACI and configure policies based on your requirements.

From release 5.1.2 cAPIC for Azure, a new concept of service EPGs has been introduced. Service EPGs match based on Services and some other fields (based on the service). Native Services in Azure do not have traditional endpoints (nics) like a Azure VM does. With Service EPGs, now you can match Azure Services and pull them into Service EPGs. From there you can again utilize the bells and whistles of ACI and create your required policy. This effectively gives you the capability of integrating Native Azure Services with cAPIC.

Below is a screenshot from the cAPIC UI showing the different Native Services that you can integrate.

Figure 1

What is Azure APIM ?

From Azure documentation you can read this:

Azure API Management is a fully managed service that enables customers to publish, secure, transform, maintain, and monitor APIs. With a few clicks in the Azure portal, you can create an API façade that acts as a “front door” through which external and internal applications can access data or business logic implemented by your custom-built backend services, running on Azure, for example on App Service or Azure Kubernetes Service, or hosted outside of Azure, in a private datacenter or on-premises. API Management handles all the tasks involved in mediating API calls, including request authentication and authorization, rate limit and quota enforcement, request and response transformation, logging and tracing, and API version management.

Figure 2

Limitations of APIM:

Before we get started, let’s also look at Azure documentation to make sure we know what limitations are present for Azure  APIM

Figure 3

The one I want to point out in particular is this one:

In my testing, I found that with VPC Peering enabled, and using APIM Internal Mode,  I can access the APIM APIs from westus when the APIM Service EPG and the APIM API backend is on eastus (in the tenant space).

However if I place the APIM Service EPG on HUB (eastus), and APIM backend API Server EPG on Tenant Space in eastus, I cannot access the APIM API service from consumer epg which is on westus.

High Level Overview of Integration:

The below diagrams shows a high level overview of the integration.   To keep this writeup consise and easily readiable, I will not go through the very basic configuration of Tenant/VRF, etc, etc. I’m assuming that you are already well familiar with that.   However, I will show in details all the items that are new that you will need to complete this task successfully.

Tasks Overview:
First we will create the objects as shown in the diagram below.

These are done from cAPIC

Figure 4

Next, we will go to Azure UI and create the below:

Figure 5

Finally we will Test it out with API calls from the  APIM consumer VM by using GET and POST api calls.

Figure 6

Details of Tasks:
Configuring the overlay-2 subnet for housing the APIM Service.  This is done from cAPIC in the cloud context profile.

Figure 7

Service EPGs have Several unique attributes.  The CCO document listed here lists them out very nicely and even gives you a table with different possible values.  A screenshot of that is shown below:

Next, create the Service EPG for housing the APIM
Notice, in this case we are using Service EPG / Cloud Native Managed/Private

Below may not be true all the time, but it helps me quickly remember without having to look at the document:
Cloud Native Managed is generally used when you have a Managed Service but you still need to attach the endpoint to the VRF from Azure (either UI or Azure CLI).  That is the case for APIM or AKS.
Let’s take the case of Storage,  In Storage there is no such concept of spinning up storage and attaching the storage endpoint to a vNET.  So, for storage we would have chosen Cloud Native.   When you use Cloud Native, you also use Private Link Labels to match the EPs into the EPG.

Figure 8

Make Sure to choose the EP Selector for the service EPG based on the subnet you added in overlay-2 for this purpose.

Figure 9

If you look at Microsoft Azure documentation, you will notice that there are tons of security rules you need to configure APIM.

Figure 10

You don’t need to worry about all that.  cAPIC knows that and will do that for you !

Below you will see that cAPIC has configured inbound rules for you on APIM Subnet.   Also note that from cAPIC release 5.1.x the rules are applied on subnet level (instead of epg level).

Figure 11

Below you will see that cAPIC has configured outbound rules for you on APIM Subnet.   Also note that from cAPIC release 5.1.x the rules are applied on subnet level (instead of epg level).

Figure 12

Please finish off the rest of the cAPIC related tasks that’s listed in Figure 4. (please do that by yourself, I will not guide you through that, as by now you should be well familiar with configuring those basic constructs from cAPIC).

For the VMs, please spin up Ubuntu VMs in Azure.

We Need Internet Connectivity to our VMs, so we can ssh to them.  We also need internet connectivity from our VMs so, we can install software.  We could bring up a L3Out in each Tenant, and make a any/any contract, consumer/provider and get this over with.  

However, let’s do an interesting exercise to prove a point.
You know from the previous write-ups that we could use a NLB in hub (infra) and NLB or ALB in Tenant Provider space to get in and out access to our tenant VMs.  Without the NLB in HUB, we can only get inbound access from Internet, so we can ssh in that way if we wanted to.   This method could be used for setting up jumpboxes/bastion hosts quickly (ofcourse in real life you will deploy that in combinations with firewalls.
Please see:
North/South Firewall Scaling
East/West Firwall Scaling

However, from Tenant space VMs, you cannot provide outbound connections (to Internet) using the HUB (all-internet) external EPG without using that HUB NLB.

Follow the diagram below to setup inbound connection from Internet to the Tenant VMs using the default HUB all-internet L3 out and local L3Outs for outbound connections. 

Figure 12a

For the backend API simulated server, I have a Flask container that you can deploy in about 5 minutes using the below instructions:

Steps:

ssh to your Ubuntu VM on backend APIM EPG
sudo -i
apt-get update && apt-get upgrade -y
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
sysctl -p
sudo sysctl --system
exit
sudo apt install docker.io -y
sudo systemctl start docker
sudo systemctl enable docker
sudo groupadd docker
sudo usermod -aG docker $USER
exit # and ssh back in for this to work
docker --version
sudo apt install docker-compose -y
git clone https://github.com/soumukhe/apim-flask.git
cd cd apim-flask/
docker-compose up --build -d

(Note:  The Flask container is exposed on TCP port 4000, you can verify this by doing a “docker ps“.   main.py is at ~/docker-compose-flask/app/ )

Once done with all the cAPIC related tasks (figure 4), lets start on the Azure Related tasks as shown in Figure 5.

Bring up the APIM Service by following the diagram below:

Figure 13

Finish off the bringup of the APIM Service as shown below. (do not move away from the brower tab, open a new browser tab for your azure account if you want to see something there, else your timer will reset and you won’t know for sure how long it’s been)

Note:  Before starting on APIM creation, please create a public standard SKU IP that you will have to associate with the APIM. 

Figure 14

Next Associate your APIM with cAPIC created vNET and subnet as shown in diagram below. (do not move away from the brower tab, open a new browser tab for your azure account if you want to see something there, else your timer will reset and you won’t know for sure how long it’s been)

Figure 14b
Figure 15

Next, click and create a Blank API for APIM as shown below

Figure 16

Fill in the fields as shown below

Figure 17
Figure 17b

Now, on your APIM created base API, let’s create a GET request object.

Figure 18

Also, create a POST request as shown below.

Figure 19

Click on the GET request item to get the URL for the GET request as shown below

Figure 20

Similarly click on the POST request object to get the URL for POST as shown below

Figure 21

From Overview of APIM Service make a note of the private IP as shown below.  

Figure 22

Now SSH to your APIM Consumer VM and add a /etc/hosts entry based on the above information.  This is shown in the diagram below.

Figure 23

Testing:

Now, it’s time to test the service:

From ssh session on APIM-consumer VM send the below GET query:
curl http://apimhub.azure-api.net/myapiserver/accounts

The GET output should show as below:

Figure 24

From ssh session on APIM-consumer VM send the below POST call to insert data:
curl -X POST -H "Content-Type: application/json" -d '{"name" : "kiwi", "balance" : 0.02 }' http://apimhub.azure-api.net/myapiserver/addaccounts

The POST output should show as below:

Figure 25

Conclusion:  

This is yet another example of using Azure Native Service Integration with Cisco Cloud Fabric in Azure from cAPIC release 5.1.x.

References:

Cisco Cloud APIC for Azure Users Guide 


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.