Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

API security in Azure best practice

Tags:

asp.net-web-api

api

azure

azure-api-apps

azure-api-management

I'm developing a web API that will be called by other web apps in the same Azure host and also other 3rd party services/ app. I'm currently looking into API Apps and API management, but there are several things unclear for me regarding security implementation:

  1. Does API App need to have authentication when implemented with API management? If yes, what are the options? This link http://www.kefalidis.me/2015/06/taking-advantage-of-api-management-for-api-apps/ mentions "Keep in mind that it’s not necessary to have authentication on the API App, as you can enable authentication on API Management and let it handle all the details." So that means having the API App authentication to public anonymous? But then someone who knows the direct URL of the API App can access it directly.
  2. What is the best way to implement API Management security? The one mentioned in the tutorial (Having a raw subscription key passed in the header) seems to be prone to man in the middle attack
  3. What advantages does API App add instead of implementing with normal Web API project?

Thanks in advance.

like image 577
adelb Avatar asked Oct 20 '22 03:10

adelb

1 Answers

I can answer from API Management perspective. To secure the connection between API Mgmt and your backend (sometimes called last-mile security), there are a few options:

  1. Basic Authentication: this is the simplest solution
  2. Mutual certificate authentication: https://azure.microsoft.com/en-us/documentation/articles/api-management-howto-mutual-certificates/ - this is the most common approach.
  3. IP Whitelisting: if you have a Standard or Premium tier APIM instance, the IP address of the proxy will remain constant. Thus you can configure firewall rules to block unknown IP addresses.
  4. JWT token: if your backend has the capability to validate JWT tokens, you can block any callers without a valid JWT.

This video might also be helpful: https://channel9.msdn.com/Blogs/AzureApiMgmt/Last-mile-Security

I think the document meant you can do the JWT token validation in APIM. However, to prevent someone calling your backend directly, you'll have to implement one of the options mentioned above in your Api Apps

like image 105
Miao Jiang Avatar answered Oct 22 '22 02:10

Miao Jiang
Sign in to Comment

Related questions

Cannot debug Vine and Twitter api via charles debug proxy while facebook, flickr and any other API can be
How to make a Secure API without using OAuth?
Ruby - iterate over parsed JSON

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!