Configuring a new APIM instance and applying a custom domain to it

[Mortana89]

Hi,

With Azure app service I was able to create a new app service, configure a hostname, apply managed certificate and configure the SNI bindings.
For APIM I'm having difficulties understanding how I can apply the same?
More specifically, I don't see how I can get the customDomainVerificationId property so that I can, using BICEP, apply a CNAME to our public DNS zone so that I can enable a managed cerrtificate.
On top of that I'm a bit confused with the stv1 vs stv2 platform. I understood from googling that, if you don't provide a public IP during provisioning, it will use stv1, so I provided a public IP, and first I was on the path of adding an A record to our DNS to that IP but that would yield me the issue that I would need to manage our own certificates, so I'd like to use the managed certificate on APIM.

My code:
`
resource apiManagementIP 'Microsoft.Network/publicIPAddresses@2023-06-01' = {
name: '${env}-${locationCap}-heat-apim-pip'
location: location
sku: {
name: 'Standard'
tier: 'Global'
}
properties: {
publicIPAllocationMethod: 'Static'
}

}

resource apiManagementService 'Microsoft.ApiManagement/service@2023-03-01-preview' = {
name: '${env}-${locationCap}-heat-apim'
location: location
sku: {
capacity: env == 'p' ? 1 : 1
name: env == 'p' ? 'StandardV2' : 'Developer'
}
properties: {
publisherEmail: 'xxx'
publisherName: 'xxx'
virtualNetworkConfiguration: {
subnetResourceId: subnetResourceId
}
virtualNetworkType: 'External'
publicIpAddressId: apiManagementIP.id
hostnameConfigurations:[
{
type:'Proxy'
hostName: '${env}-${locationCap}-heat-apim.azure-api.net'
negotiateClientCertificate:false
defaultSslBinding:false
certificateSource:'BuiltIn'
}]
}
}

module dns 'apim-dns.bicep' = {
name: 'apim-dns'
scope : resourceGroup('6a132517-09dd-44e5-a91e-7b73130ad2f0', 'i-dns')
params: {
cname: apiManagementService.properties.hostnameConfigurations[0].hostName
subdomain: transformedSubdomain
thumbprint: apiManagementService.properties.customDomainVerificationId => WHERE
domain: 'xxx'
}
}`

`param domain string // e.g. domain.com
param subdomain string // e.g. xyz (in xyz.domain.com)
param cname string // e.g. xyz-my-domain.azurewebsites.net
param thumbprint string

resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = {
name: domain
}

resource cnameRecord 'Microsoft.Network/dnsZones/CNAME@2018-05-01' = {
parent: dnsZone
name: subdomain
properties: {
TTL: 3600
CNAMERecord: {
cname: cname
}
}
}

resource txtRecord 'Microsoft.Network/dnsZones/TXT@2018-05-01' = {
parent: dnsZone
name: 'asuid.${subdomain}'
properties: {
TTL: 3600
TXTRecords: [
{
value: [
thumbprint
]
}
]
}
}
`

[wsucoug69]

APIM CustomDomains are handled different from AppService SNI bindings. You will need to add the host.domain.com entry when you create the API service itself 'note: customDomains are part of the properties of the APIM not a seperate resource'.

Below is an example.

resource apim 'Microsoft.ApiManagement/service@2024-05-01' = {
name: name
location: location
identity: {
type: 'SystemAssigned'
}
sku: {
capacity: 1
name: sku
}
properties: {
apiVersionConstraint: {
minApiVersion: '2022-08-01'
}
hostnameConfigurations: {
keyVaultId: 'keyVaulturl/secret/secretname' url to the certificate note: queried as a secret'
hostName: host.domain.com
type: proxy
defaultSslBinding: true
}]
publicIpAddressId: publicIp
publisherName: publisherName
publisherEmail: publisherEmail
}