Microservices Architecture Design for Azure Kubernetes Service (AKS) Cluster

Secure and Efficient Exposing of Microservices in Azure AKS Cluster

Question

You are designing a microservices architecture that will be hosted in an Azure Kubernetes Service (AKS) cluster. Apps that will consume the microservices will be hosted on Azure virtual machines. The virtual machines and the AKS cluster will reside on the same virtual network.

You need to design a solution to expose the microservices to the consumer apps. The solution must meet the following requirements:

-> Ingress access to the microservices must be restricted to a single private IP address and protected by using mutual TLS authentication.

-> The number of incoming microservice calls must be rate-limited.

-> Costs must be minimized.

What should you include in the solution?

Answers

Explanations


B

One option is to deploy APIM (API Management) inside the cluster VNet.

The AKS cluster and the applications that consume the microservices might reside within the same VNet, hence there is no reason to expose the cluster publicly as all API traffic will remain within the VNet. For these scenarios, you can deploy API Management into the cluster VNet. API Management Premium tier supports VNet deployment.

https://docs.microsoft.com/en-us/azure/api-management/api-management-kubernetes

For this scenario, the most appropriate solution to expose microservices to consumer apps would be using Azure API Management (APIM) Premium tier with a virtual network (VNet) connection. The detailed explanation for each option is as follows:

A. Azure App Gateway with Azure Web Application Firewall (WAF)

Azure App Gateway with WAF is used to route traffic to backend services such as web apps and APIs. It provides layer 7 load balancing and SSL termination, as well as web application firewall features. However, it does not have the capability to restrict access to a single private IP address or provide mutual TLS authentication.

B. Azure API Management Premium tier with virtual network connection

Azure API Management is a full-featured API management solution that provides a centralized way to manage APIs, enforce policies, and monitor usage. The Premium tier allows you to deploy APIM inside a VNet, providing private access to APIs and microservices. This solution can meet all the requirements listed in the scenario by restricting access to a single private IP address, protecting with mutual TLS authentication, and enabling rate limiting. Additionally, APIM provides developer portal capabilities and advanced analytics, which can further simplify the management and monitoring of APIs.

C. Azure API Management Standard tier with a service endpoint

The Standard tier of Azure API Management provides a basic set of features to manage APIs and expose them to consumers. It does not support deployment inside a VNet, which means that it cannot provide private access to APIs or microservices. However, it can be integrated with Azure Private Link to expose APIs via a private endpoint. This option can meet the requirement for restricting access to a single private IP address, but it does not provide mutual TLS authentication or rate limiting.

D. Azure Front Door with Azure Web Application Firewall (WAF)

Azure Front Door is a global load balancer and application delivery network that provides routing and load balancing capabilities. It can be used to distribute traffic across multiple regions or backends, but it does not provide the capability to restrict access to a single private IP address or provide mutual TLS authentication. Additionally, Azure Front Door does not have built-in rate limiting capabilities.

In summary, the best solution for this scenario would be to use Azure API Management Premium tier with a virtual network connection to provide private access to microservices while restricting access to a single private IP address and protecting with mutual TLS authentication. This option can also meet the requirement for rate limiting and provides additional capabilities such as developer portal and analytics.
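To make option B concrete, the following inbound policy is an added example (not part of the question or either explanation above) showing how an APIM Premium instance deployed into the VNet would enforce the two remaining requirements in front of the AKS microservices: the VNet deployment itself supplies the single private gateway IP, while the policy rejects callers without a trusted client certificate and rate-limits each caller. The consumer subnet range, the issuing CA subject, and the 100-calls-per-minute limit are assumed placeholder values.

```xml
<!-- Constructed example policy for an APIM API; the address range, CA subject and limits are placeholders. -->
<policies>
  <inbound>
    <base />
    <!-- Defence in depth: only the consumer VMs' subnet (placeholder range) may reach the API at all -->
    <ip-filter action="allow">
      <address-range from="10.0.2.0" to="10.0.2.255" />
    </ip-filter>
    <!-- Mutual TLS: fail closed (401) unless the caller presents a certificate that chains to a
         trusted root, is within its validity window, is not revoked, and was issued by the expected CA -->
    <validate-client-certificate
        validate-revocation="true"
        validate-trust="true"
        validate-not-before="true"
        validate-not-after="true"
        ignore-error="false">
      <identities>
        <identity issuer-subject="CN=Contoso Internal Issuing CA" />
      </identities>
    </validate-client-certificate>
    <!-- Rate limiting: 100 calls per 60-second window per client, keyed on the certificate
         thumbprint so one noisy consumer cannot exhaust the quota of the others -->
    <rate-limit-by-key
        calls="100"
        renewal-period="60"
        counter-key="@(context.Request.Certificate.Thumbprint)" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

The gateway only receives a client certificate if the custom domain (or default hostname) is configured to negotiate one, so enable that setting on the APIM instance before relying on this policy; with it off, every request is rejected by validate-client-certificate rather than silently passed through.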