This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Microsoft Azure Application Gateway API

Has anyone had luck using the API poller with the azure application gateway? It looks like api to access the azure gateway wants a bearer token, but one that expires hourly. There is a mention of OATH2, but it seems to relate more to overall permissions than general access. I have been able to monitor other Microsoft resources with Graph (and the appropriate permissions assigned to that application), but this one is not cooperating. 

THis blog seems to encapsulate the issue between graph and the management.azure api: Azure REST API: Please Sir, Can I Have Some Auth? • Andrew Best (andrew-best.com)

Here is the relevant MS page about the API that I am trying to use:

Application Gateways - Backend Health - REST API (Azure Application Gateway) | Microsoft Learn

If this is a simple answer and I am just not seeing it, please let me know. I suspect that I may need to create a token from my graph app, but I am not quite sure.

Thank you,

Marc

Parents
  • Hi Marc,

    I've literally just done this, or at least got some sense out it. It's an asynchronous action so you have to do the initial POST request with the bearer token, then the request is acknowledged and returns a status of 202 ('accepted'). In the response headers is a URI ('Location') that you then need to send GET requests to every few seconds until it returns the backend health you requested. Since the context of the call is in the Location URI you don't need to use the same bearer token, or at least my testing didn't. 

    The next question is how do we action that within the API poller..

    This is the sequence that worked for me:

    POST https://management.azure.com/subscriptions/{sub id}/resourceGroups/{rg name}/providers/Microsoft.Network/applicationGateways/{app gateway name}/backendhealth?api-version=2022-09-01.

    This returns 202 with the Location URI.I just then did a couple of GET requests to the URI and after a few secs it returned the correct backend health.

    Cheers.

Reply
  • Hi Marc,

    I've literally just done this, or at least got some sense out it. It's an asynchronous action so you have to do the initial POST request with the bearer token, then the request is acknowledged and returns a status of 202 ('accepted'). In the response headers is a URI ('Location') that you then need to send GET requests to every few seconds until it returns the backend health you requested. Since the context of the call is in the Location URI you don't need to use the same bearer token, or at least my testing didn't. 

    The next question is how do we action that within the API poller..

    This is the sequence that worked for me:

    POST https://management.azure.com/subscriptions/{sub id}/resourceGroups/{rg name}/providers/Microsoft.Network/applicationGateways/{app gateway name}/backendhealth?api-version=2022-09-01.

    This returns 202 with the Location URI.I just then did a couple of GET requests to the URI and after a few secs it returned the correct backend health.

    Cheers.

Children
  • Awesome, and you hit the issue on the head. How to do that with the api poller is the next question as you stated. I am able to test it with token also, but the token expires hourly - so another challenge there. 

  • I'm not a powershell expert at all, but my thinking is it'll be a SAM powershell script that gets called in a similar way to the GET-VBRJob status script for Veeam backups. That returns the requested job stats if successful or NOT DEFINED if unsuccessful.

    For this one it'd be POST then simple verification to check for an initial 202 status, if successful then loop sending GET requests to the locatioin URI every 5 or 10 secs until a response (and 303 status) is returned, or timeout and send NOT DEFINED after say 2 minutes. I'll have a look at that tomorrow.

    (I've not done any real programming since the 90s so this is all highly entertaining that I still need to do it in 2023. Some cobwebs are being cleared) 

  • I'd forgotten we had this thread too. I'll update here since it's more apt.

    Got it working fine on PS 5.1, I just had to do an invoke-webrequest for the initial POST instead of invoke-restmethod. I now have a dummy node reporting on an App Gateway backend, so before I add it to the API calls on here I'll try and test it against a couple of existing live gateways instead of just the test one I've been using up to now. One thing it doesn't yet do is rely on the 'retry-after' metric for the second GET call because I sleep for 5 secs and the data is always present afterwards.