Deploys an Azure API Management service and an Application Gateway with a Web Application Firewall (WAF) to show how to mask query parameters in logging.
Relevant logs:
- Application Gateway - Access Log: IMPORTANT: The subscription key is logged in the Application Gateway Access Log and I haven't found a way to mask it.
- Application Gateway - Firewall Log: See the `logScrubbing` setting of the `wafPolicy` resource in application-gateway.bicep for how to mask the `subscription-key` query parameter in the Application Gateway Firewall Log.
- API Management - Requests: See the `dataMasking` settings of the `apimInsightsDiagnostics` resource in api-management.bicep for how to mask the `subscription-key` query parameter in the request logs.
- API Management - Gateway Log: No query parameters are logged in the gateway log, so no masking is required.
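The Firewall Log scrubbing described above, as an added example that is not the template's own application-gateway.bicep: a standalone WAF policy whose log scrubbing rule masks the `subscription-key` query parameter. The resource name and the OWASP rule set version are assumptions, and the policy must be attached to an Application Gateway with the WAF v2 SKU for scrubbing to apply.

```bicep
// Added example (not the template's own file): WAF policy with log scrubbing
// for the `subscription-key` query parameter. Name and rule set are assumptions.
param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'waf-mask-example'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
      requestBodyCheck: true
      // Log scrubbing masks the matched value before the Firewall Log entry is written.
      // It does not affect the Access Log, which still records the full query string.
      logScrubbing: {
        state: 'Enabled'
        scrubbingRules: [
          {
            // RequestArgNames targets query string parameter names;
            // RequestHeaderNames would target a header such as Ocp-Apim-Subscription-Key
            matchVariable: 'RequestArgNames'
            selectorMatchOperator: 'Equals'
            selector: 'subscription-key'
            state: 'Enabled'
          }
        ]
      }
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
    }
  }
}

output wafPolicyId string = wafPolicy.id
```

After deployment, send a request with `?subscription-key=...` through the gateway and confirm the Firewall Log shows a masked value while the Access Log still contains the key, which is the gap the page calls out.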
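The request-log masking described above, as an added example that is not the template's own api-management.bicep: an Application Insights diagnostics resource on an existing API Management service that masks the `subscription-key` query parameter. The parameter names and the logger name `applicationinsights` are assumptions; the header entry is an addition for the header form of the key and is not discussed on the page.

```bicep
// Added example (not the template's own file): APIM diagnostics with dataMasking.
// apimServiceName and loggerName are assumed inputs; the logger must already exist.
param apimServiceName string
param loggerName string = 'applicationinsights'

resource apim 'Microsoft.ApiManagement/service@2022-08-01' existing = {
  name: apimServiceName
}

// Logger that points at the Application Insights instance receiving the request logs
resource apimLogger 'Microsoft.ApiManagement/service/loggers@2022-08-01' existing = {
  parent: apim
  name: loggerName
}

resource apimInsightsDiagnostics 'Microsoft.ApiManagement/service/diagnostics@2022-08-01' = {
  parent: apim
  name: 'applicationinsights'
  properties: {
    loggerId: apimLogger.id
    alwaysLog: 'allErrors'
    logClientIp: true
    sampling: {
      samplingType: 'fixed'
      percentage: 100
    }
    frontend: {
      request: {
        // 'Mask' keeps the entity in the log but hides its value;
        // 'Hide' removes the entity from the log entirely.
        dataMasking: {
          queryParams: [
            { value: 'subscription-key', mode: 'Mask' }
          ]
          // Added here: also mask the key when it is sent as a header
          headers: [
            { value: 'Ocp-Apim-Subscription-Key', mode: 'Mask' }
          ]
        }
      }
    }
  }
}
```

On the Consumption tier this still masks the Application Insights request logs; only the separate API Management Gateway Log is unavailable on that tier.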
By default, a Consumption tier API Management instance is deployed to reduce cost. This tier doesn't support logging to the API Management Gateway Log, even though you can deploy the diagnostics settings. If you want to have the API Management Gateway Log, deploy a different tier:
- Open main.bicep.
- Locate the `apiManagementSettings` variable.
- Set the `sku` to e.g. `BasicV2`.

If you use a V2 tier, make sure that you select a supported region during deployment.
Before you can deploy this template, make sure you have the following tools installed and the necessary permissions:
- Azure Developer CLI (azd)
  - Installing `azd` also installs the following tools:
- Installing
- This template uses a hook to permanently delete the Log Analytics Workspace. If you do not have the following tools installed, remove the hook from azure.yaml. See this section for more information.
Once the prerequisites are installed on your machine, you can deploy this template using the following steps:
- Run the `azd init` command in an empty directory with the `--template` parameter to clone this template into the current directory.

  ```
  azd init --template ronaldbosma/mask-query-parameters-in-apim-and-agw
  ```

  When prompted, specify the name of the environment, for example, `maskqueryparams`. The maximum length is 32 characters.
- Run the `azd auth login` command to authenticate to your Azure subscription using the Azure Developer CLI (if you haven't already).

  ```
  azd auth login
  ```
- Run the `az login` command to authenticate to your Azure subscription using the Azure CLI (if you haven't already). This is required for the hooks to function properly. Make sure to log into the same tenant as the Azure Developer CLI.

  ```
  az login
  ```
- Run the `azd up` command to provision the resources in your Azure subscription.

  ```
  azd up
  ```

  See Troubleshooting if you encounter any issues during deployment.
- Once the deployment is complete, you can locally modify the application or infrastructure and run `azd up` again to update the resources in Azure.
See the Demo Guide for a step-by-step walkthrough on how to check and demonstrate the masking of query parameters.
Once you're done and want to clean up, run the `azd down` command. By including the `--purge` parameter, you ensure that the API Management service doesn't remain in a soft-deleted state, which could block future deployments of the same environment.

```
azd down --purge
```
The repository consists of the following files and directories:
```
├── demos                      [ Demo guide(s) ]
├── hooks                      [ AZD hooks ]
├── images                     [ Images used in the README ]
├── infra                      [ Infrastructure As Code files ]
│   ├── functions              [ Bicep user-defined functions ]
│   ├── modules
│   │   ├── application        [ Modules for application infrastructure resources ]
│   │   └── services           [ Modules for all Azure services ]
│   ├── types                  [ Bicep user-defined types ]
│   ├── main.bicep             [ Main infrastructure file ]
│   └── main.parameters.json   [ Parameters file ]
├── tests                      [ Test files and scripts ]
├── azure.yaml                 [ Describes the apps and types of Azure resources ]
└── bicepconfig.json           [ Bicep configuration file ]
```
This template has hooks that are executed at different stages of the deployment process. The following hooks are included:
- `predown-remove-law.ps1`: This PowerShell script is executed before the resources are removed. It permanently deletes the Log Analytics workspace to prevent issues with future deployments. Sometimes the requests and traces don't show up in Application Insights & Log Analytics when removing and deploying the template multiple times.
If you've previously deployed this template and deleted the resources, you may encounter the following error when redeploying the template. This error occurs because the API Management service is in a soft-deleted state and needs to be purged before you can create a new service with the same name.
```json
{
  "code": "DeploymentFailed",
  "target": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-maskqueryparams-nwe-kt2tx/providers/Microsoft.Resources/deployments/apiManagement",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
  "details": [
    {
      "code": "ServiceAlreadyExistsInSoftDeletedState",
      "message": "Api service apim-maskqueryparams-nwe-kt2tx was soft-deleted. In order to create the new service with the same name, you have to either undelete the service or purge it. See https://aka.ms/apimsoftdelete."
    }
  ]
}
```
Use the `az apim deletedservice list` Azure CLI command to list all deleted API Management services in your subscription. Locate the service that is in a soft-deleted state and purge it using the `purge` command. See the following example:

```
az apim deletedservice purge --location "norwayeast" --service-name "apim-maskqueryparams-nwe-kt2tx"
```