Make back end APIs only accessible via Azure API management

Question

I have multiple Web APIs deployed in Azure without applying authentication, so anyone has access to internet has the access to the Web APIs.

Now I would like to apply authentications to the Web APIs, instead of implementing the same authentication logic in different Web APIs, I found Azure API gateway (API management) is a potential solution.

With Azure API management documentation, I learned I can apply policies like validate-jwt to authenticate requests to back end Web APIs. However, endpoints of the back end Web APIs are still available to users.

So, how should I hide them? Must I define a sub network or does Azure API management have a feature for this?

Answer 1

Recently I also had this same problem. Finally I found the solution by using 'IP Restrictions' function. See the following steps:

1) Go to your API management Overview page in Azure portal, copy the VIP.

2) In your Web APP > Networking

3) Paste in your VIP

Answer 2

Microsoft's Solution: How to secure back-end services using client certificate authentication in Azure API Management

Using this approach, any attempt to access a back-end service without the required certificate will result in a 403 - Forbidden response.

You can use a self-signed certificate as opposed to using a trusted CA signed certificate ($$). I chose to implement an Azure Key Vault where I generated a new certificate, downloaded it as a *.PFX file, and uploaded it into my API Management instance as described in the article.

Answer 3

Here is an answer from @PramodValavala-MSFT
https://github.com/MicrosoftDocs/azure-docs/issues/26312#issuecomment-470105156

Here are options:

• IP restrictions (as described by @redman)
• Function keys
• Authentication/Authorization for Functions
• Managed Identity for APIM

p.s. in my case I want with IP restrictions since it allows to keep all of the auth on the API Management Gateway.