Securing WebApi in Azure Api Management

Question

I have deployed my webapi on Azure Websites and exposing it through Azure Api Management Portal. I want to block access on azurewebsites url so that a user can only access my api through azure aoi management proxy through security key. Can you please shed some light on how can this be done. I have heard Mutual Certificates can be used but not finding any article online which describes the process of creating such certificates and configuring web api to effectively use them. My Second question is , Is there a mechanism to get Api Primary key based on UserName / Password and Product name. What would be the best approach regarding keep that api access key. Should client app store it in some config file and this should be obtained programatically at run time?

Many thanks

Answer 1

There are multiple ways to protect your backend:

1. Use basic authentication
2. Use mutual cert authentication https://azure.microsoft.com/en-us/documentation/articles/api-management-howto-mutual-certificates
3. IP-whitelisting. If you have a standard or premium instance, the IP address of the proxy will stay the same.
4. Use OAuth. An example can be found here:https://channel9.msdn.com/Blogs/AzureApiMgmt/Protecting-Web-API-Backend-with-Azure-Active-Directory-and-API-Management Hope that helps.