This architecture shows APIM with multi-region deployment. Multi-region deployment helps reduce the front-end latency perceived by geographically distributed API consumers and improves service availability if one region goes offline. Connection latency to backend APIs needs to be taken into consideration in the multi-region design. APIM in multi-region mode requires the Premium tier. Note that only the gateway component of API Management is deployed to all regions. The developer portal is hosted in the primary region only. Two DNS load balancing options are discussed here: one with the default multi-region deployment and one with Azure Traffic Manager for more granular control over the routing.
Traffic Flows
- Cyan: Backend API Connections
- Green: Developer Portal and API Gateway Access for External Consumers
- Blue: API Gateway endpoint Access
- Orange: Default DNS load balancing option
- Purple: DNS Load balancing with Azure Traffic Manager (TM)
- This architecture represents APIM in External Mode; however, Traffic Manager can be deployed in front of the Application Gateway in internal mode.
- Default option (Option #1) routes requests to the corresponding regional gateway based on the lowest latency.
- Azure TM option (Option #2) gives more granular control over routing and load balancing options.
- Failover design considerations: The developer portal is hosted in the primary region only. In case of a primary region outage, access to the developer portal will be impacted until the primary region comes back online. The secondary region will service the API traffic.
Using the Azure documentation (link here), ensure that APIM is in External Mode.
Refer to the common documentation (link here) for more details on prerequisites.
- APIM is deployed in External Mode (Premium tier required)
- Products, APIs and subscriptions created
- VPN or Private Connectivity is optional in this design
- Internal and External APIs routable from APIM subnet
- Azure Provided default DNS resolution for API endpoints.
- Developer Portal Published
- Troubleshooting Notes - here.
In the default mode, APIM routes requests to a regional gateway based on lowest latency.
East VM resolves to the East IP (primary region):
nehali@nn-linux-dev:~$ dig +short nnapi-premium.azure-api.net
apimgmttm1xwomm3ais1n8uk6p1nuaa6wso55smgryhomsg7qr.trafficmanager.net.
nnapi-premium-eastus-01.regional.azure-api.net.
apimgmthsajvdzotyzpmfmhrqfh7xjnq7k0gzo6cmn9u2d5s5l.cloudapp.net.
52.255.185.19
West VM resolves to the West IP (secondary region):
nehali@nn-cyan-vm:~$ dig +short nnapi-premium.azure-api.net
apimgmttm1xwomm3ais1n8uk6p1nuaa6wso55smgryhomsg7qr.trafficmanager.net.
nnapi-premium-westus-01.regional.azure-api.net.
apimgmthsehik1fs6runeq18v2h5rptaznywntzbjw0kmleq8a.cloudapp.net.
40.86.168.240
Developer portal always resolves to the primary region:
nehali@nehali-laptop:~$ dig nnapi-premium.developer.azure-api.net +short
apimgmthsajvdzotyzpmfmhrqfh7xjnq7k0gzo6cmn9u2d5s5l.cloudapp.net.
52.255.185.19
Note that with the equal-weight Traffic Manager routing method, the name resolves to both the East US and West US IPs:
nehali@nehali-laptop:~$ dig +short apimtm.penguintrails.com
apim-premium.trafficmanager.net.
nnapi-premium-westus-01.regional.azure-api.net.
apimgmthsehik1fs6runeq18v2h5rptaznywntzbjw0kmleq8a.cloudapp.net.
40.86.168.240
nehali@nehali-laptop:~$ dig +short apimtm.penguintrails.com
apim-premium.trafficmanager.net.
nnapi-premium-eastus-01.regional.azure-api.net.
apimgmthsajvdzotyzpmfmhrqfh7xjnq7k0gzo6cmn9u2d5s5l.cloudapp.net.
52.255.185.19
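To check failover or weighting over many lookups rather than by eye, the chains can be summarised per region. The following is an added example, not part of the original write-up; the function names are hypothetical, and it assumes regional gateway names follow the `<service>-<region>-NN.regional.azure-api.net` pattern visible in the dig output above. The sample chains embedded in it are copied from that output.

```shell
# Added example (not from the original page). Assumption: regional gateway
# names look like <service>-<region>-NN.regional.azure-api.net, as seen above.
# Reads dig +short chains (blank-line separated) on stdin; prints "<region> <ip>"
# per chain. "none" = no regional gateway hop, "-" = no A record returned.
apim_regions() {
  awk 'BEGIN { RS = ""; FS = "\n" }
  {
    region = "none"; ip = "-"
    for (i = 1; i <= NF; i++) {
      if ($i ~ /\.regional\.azure-api\.net\.?$/) {
        host = $i
        sub(/\.regional\.azure-api\.net\.?$/, "", host)
        sub(/-[0-9]+$/, "", host)                  # drop the -01 instance suffix
        n = split(host, part, "-"); region = part[n]   # last label is the region
      } else if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = $i
    }
    print region, ip
  }'
}

# Two Traffic Manager lookups copied from the dig output on this page.
sample_tm_chains() {
  cat <<'EOF'
apim-premium.trafficmanager.net.
nnapi-premium-westus-01.regional.azure-api.net.
apimgmthsehik1fs6runeq18v2h5rptaznywntzbjw0kmleq8a.cloudapp.net.
40.86.168.240

apim-premium.trafficmanager.net.
nnapi-premium-eastus-01.regional.azure-api.net.
apimgmthsajvdzotyzpmfmhrqfh7xjnq7k0gzo6cmn9u2d5s5l.cloudapp.net.
52.255.185.19
EOF
}

# Developer portal lookup from this page: it never passes a regional gateway.
sample_portal_chain() {
  cat <<'EOF'
apimgmthsajvdzotyzpmfmhrqfh7xjnq7k0gzo6cmn9u2d5s5l.cloudapp.net.
52.255.185.19
EOF
}

sample_tm_chains | apim_regions | sort | uniq -c   # per-region answer count
# Live use: for i in 1 2 3 4 5; do dig +short apimtm.penguintrails.com; echo; done \
#             | apim_regions | sort | uniq -c
```

During a primary-region outage test, the live loop should report only the secondary region, and a `none` row for a gateway hostname means the lookup did not go through a regional gateway at all.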
Primary region IP: API call resulting in an EastUS connection (note that --insecure makes curl skip TLS certificate verification):
curl -v -I --location --request GET 'https://apimtm.penguintrails.com/echo/resource?param1=sample' --insecure
* Trying 52.255.185.19:443...
* TCP_NODELAY set
* Connected to apimtm.penguintrails.com (52.255.185.19) port 443 (#0)
* ALPN, offering h2
* <snip>
Secondary region IP: API call resulting in a WestUS connection:
curl -v -I --location --request GET 'https://apimtm.penguintrails.com/echo/resource?param1=sample' --insecure
* Trying 40.86.168.240:443...
* TCP_NODELAY set
* Connected to apimtm.penguintrails.com (40.86.168.240) port 443 (#0)
* <snip>
- Add Diagram for Internal mode with App GW and Traffic Manager