 

Make back end APIs only accessible via Azure API management

I have multiple Web APIs deployed in Azure without applying authentication, so anyone who has access to the internet has access to the Web APIs.

Now I would like to apply authentication to the Web APIs. Instead of implementing the same authentication logic in each Web API, I found that Azure API gateway (API Management) is a potential solution.

From the Azure API Management documentation, I learned I can apply policies like validate-jwt to authenticate requests to back-end Web APIs. However, the endpoints of the back-end Web APIs are still available to users.

So, how should I hide them? Must I define a subnetwork, or does Azure API Management have a feature for this?

Shuping asked Apr 21 '16 08:04


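The validate-jwt policy mentioned in the question decides, at the gateway, whether a bearer token is acceptable before the request reaches a back end. The block below is an added example, not code from the question or from Azure API Management: it applies the same four checks (signature, issuer, audience, expiry) in plain Python using HS256 with a constructed shared secret, so it runs offline. The secret, issuer and audience values are assumptions made up for the demo.

```python
"""Added example: the checks a validate-jwt style gateway policy performs on a
bearer token before forwarding a request (signature first, then claims).
Only HS256 with a constructed shared secret is implemented; the secret,
issuer and audience are demo assumptions, not values from any real tenant."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values; a real policy would reference an OpenID issuer.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_ISSUER = "https://issuer.example.test/"
EXPECTED_AUDIENCE = "api://backend-demo"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(subject: str, lifetime_seconds: int = 300, now: Optional[int] = None) -> str:
    """Mint an HS256 token for the demo (the identity provider's job, not the gateway's)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "sub": subject,
        "iat": now,
        "exp": now + lifetime_seconds,
    }
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Nothing in the token is trusted until the signature holds."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "undecodable token"
    # The algorithm is pinned by the verifier, never taken from the token,
    # so an "alg": "none" or algorithm-swap token is refused outright.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(
        SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(presented_sig, expected_sig):
        return False, "bad signature"
    # Signature verified; the claims can now be checked.
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    demo_now = 1_700_000_000
    token = issue_token("alice", now=demo_now)
    print(validate_token(token, now=demo_now))          # (True, 'ok')
    print(validate_token(token, now=demo_now + 600))    # (False, 'expired')
```

Note the ordering: the signature is checked before any claim is read, and the algorithm comes from the verifier's configuration rather than from the token header. Also note what this does not do: a valid token at the gateway says nothing about who can reach the back end directly, which is exactly the gap the answers below address.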

3 Answers

Recently I also had this same problem. Finally I found the solution by using the 'IP Restrictions' function. See the following steps:

1) Go to your API Management Overview page in the Azure portal and copy the VIP.

2) In your Web App > Networking

3) Paste in your VIP

Redman answered Dec 31 '22 15:12


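To make the effect of the three steps above concrete, here is an added example (my own, not the answer's or Azure's code) that models how an access restriction list behaves once the API Management VIP is the only allowed source: rules are tried in priority order, the first match decides, anything unmatched is denied, and an app with no rules at all is open to the internet, which is the state the question describes. It also renders the equivalent `az webapp config access-restriction add` command. The VIP, resource group and app name are constructed placeholders.

```python
"""Added example: evaluating App Service style access restrictions that allow
only the API Management VIP. The VIP and other names are constructed values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "Allow" or "Deny"
    cidr: str        # single address as /32, or a range
    priority: int    # lower number is evaluated first


# Constructed: stands in for the VIP copied from the APIM Overview page.
APIM_VIP = "203.0.113.10"

RULES: List[Rule] = [
    Rule("allow-apim-gateway", "Allow", f"{APIM_VIP}/32", 100),
]


def evaluate(source_ip: str, rules: List[Rule], forwarded_for: Optional[str] = None) -> str:
    """Return "Allow" or "Deny" for a connection that arrived from source_ip.

    source_ip is the TCP peer address. forwarded_for is accepted only to make
    the point that it is ignored: any client can write that header, so the
    decision rests on the address the connection actually came from.
    """
    if not rules:
        return "Allow"  # no restrictions configured: the app is reachable by anyone
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if addr in ipaddress.ip_network(rule.cidr, strict=False):
            return rule.action
    return "Deny"  # implicit deny once at least one rule exists


def to_az_cli(rule: Rule, resource_group: str, app_name: str) -> str:
    """Render the Azure CLI command that creates this rule on a Web App."""
    return (
        "az webapp config access-restriction add"
        f" --resource-group {resource_group}"
        f" --name {app_name}"
        f" --rule-name {rule.name}"
        f" --action {rule.action}"
        f" --ip-address {rule.cidr}"
        f" --priority {rule.priority}"
    )


if __name__ == "__main__":
    print(evaluate(APIM_VIP, RULES))                                    # Allow
    print(evaluate("198.51.100.7", RULES))                              # Deny
    print(evaluate("198.51.100.7", RULES, forwarded_for=APIM_VIP))      # Deny
    print(to_az_cli(RULES[0], "rg-demo", "app-demo"))
```

The third call is the one worth remembering: a request from an arbitrary address that carries the gateway's VIP in `X-Forwarded-For` is still denied, because the restriction is applied to the connection, not to a header. The trade-off of this approach is that anyone who can send traffic from the gateway's address (every consumer of the APIM instance) reaches the back end, so the gateway policies remain the only authentication layer.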

Microsoft's Solution: How to secure back-end services using client certificate authentication in Azure API Management

Using this approach, any attempt to access a back-end service without the required certificate will result in a 403 - Forbidden response.

You can use a self-signed certificate as opposed to using a trusted CA-signed certificate ($$). I chose to implement an Azure Key Vault where I generated a new certificate, downloaded it as a *.PFX file, and uploaded it into my API Management instance as described in the article.

PoorInRichfield answered Dec 31 '22 15:12



Here is an answer from @PramodValavala-MSFT
https://github.com/MicrosoftDocs/azure-docs/issues/26312#issuecomment-470105156

Here are options:

  • IP restrictions (as described by @redman)
  • Function keys
  • Authentication/Authorization for Functions
  • Managed Identity for APIM

P.S. In my case I went with IP restrictions since it allows keeping all of the auth on the API Management gateway.

Neil answered Dec 31 '22 15:12
