How can I protect an Azure Function with authorization? - azure

I am starting with Azure Functions, in which I am creating an API function. After creating that function, I need to protect it.
Previously, I used the Microsoft Identity Platform to protect an API's resources: I created a registration in Azure AD for the API, exposed the scopes, and added the client apps to the list to grant access to the resources. Furthermore, it required confirming the 'API permission' in the client app's Azure AD registration.
So, is there anything similar I can do, and do you think it would be a good option, or are there other options to pick from?
I read about the function key, but I read it is good for development, not for production.

I read about the function key, but I read it is good for development, not for production.
As you can see in this MS Doc, Microsoft mentions that authorization keys along with App Service Authentication are good for securing the HTTP endpoints at all stages (dev, testing and production environments) in Azure Functions.
Also, there are multiple ways to secure your function API, such as authorization keys, APIM, or Front Door + WAF for restricting the incoming requests.
One of my workarounds (72633969) shows how to secure Azure Functions by restricting the function app from internet access and allowing requests only from the APIM instance.
The steps I followed for the above solution, securing the Azure Function App APIs through APIM, are:
Created an HTTP Trigger function in the Function App.
Added the allowed IP addresses in the Access Restrictions of the Azure Function App portal menu > Networking tab.
Set the authorization level of the API to the "Function" level or a custom key-value level, which adds more security after adding it to the APIM instance.
Added/imported the function API into the APIM instance and tested it from the allowed IP addresses and also from a non-allowed IP address (System):
More information on securing APIs using an APIM instance is given in the above Microsoft documentation.
Authorization keys are the default security mechanism, which is better if the keys are not published in public applications or publicly shared.
For a better security mechanism, choose different options for the production environment. The other ways should be followed from the above-mentioned comment; also refer to MS Q&A Forum 801055, where the same was provided by the user #LohithGN.
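As an added example, not code from the answer above: an APIM inbound policy that implements the key-handling half of the steps listed (authorization level "Function", API imported into APIM). The gateway keeps the function key in a Named Value and injects it on every call, so the key is never handed to clients. The Named Value name func-host-key is an assumption, as is the use of a host key rather than a per-function key.

```xml
<!-- Added example (not from the original answer).
     Assumptions: a Named Value "func-host-key", marked secret or Key Vault backed, holds the
     Function App key; the function uses authLevel "function"; the Function App's Access
     Restrictions allow only this APIM instance's public IP, so the key alone cannot be
     replayed against the function from anywhere else. -->
<policies>
    <inbound>
        <base />
        <!-- Drop any key the caller passed on the query string; only the gateway's key is used -->
        <set-query-parameter name="code" exists-action="delete" />
        <!-- Inject the key; "override" also discards a caller-supplied x-functions-key header -->
        <set-header name="x-functions-key" exists-action="override">
            <value>{{func-host-key}}</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The access-restriction step is what makes this hold: without it, anyone who obtains the key can call the function directly and skip every APIM policy (rate limiting, validation, logging). The portal action in step 2 has a CLI equivalent, `az functionapp config access-restriction add -g <rg> -n <funcapp> --rule-name AllowAPIM --action Allow --ip-address <apim-public-ip>/32 --priority 100`, where the APIM instance's public IP is shown on its Overview blade (placeholders are assumptions). To rotate, regenerate the key on the Function App and update the Named Value; with a Key Vault backed Named Value no policy change is needed.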

Related

How do I apply a policy from Azure API Management Service to Azure App Service route?

So, I was following this tutorial and successfully published the web API to both Azure App Service and Azure API Management. Then (going beyond the tutorial) I added a rate-limit policy to the API in the API Management service.
I tested it successfully on the API Management Test tab. However, if I access the App Service route URL (https://***.azurewebsites.net/), it will not throttle.
What am I missing here?
How do I make the policy active for the App Service URL?
Markus Meyer did a good job of explaining how it's supposed to be used.
I think that you might benefit from this diagram showing the differences between calling your service through APIM or directly.
"What am I missing here?"
I think you're missing that API Management is a service, totally separate from your App Service. You do not "extend" the features of the App Service with APIM; you instead put APIM in front of your App Service and call your API through APIM to gain the benefits (of rate limiting, in this example).
Requests to https://***.azurewebsites.net/ belong to Azure App Service.
If you want to do requests to API Management, the default hostname is azure-api.net:
https://***.azure-api.net/
If you want to use throttling from API Management, you have to use the API Management URL, like you did in the Test tab:

Azure Functions HttpTrigger Keys in AKS

I am hosting my Azure Functions as containers in my AKS cluster. Some of my functions have HTTP triggers, and I don't want them exposed publicly (although security is not a huge concern, so I also don't want to roll my own token authentication in there). These functions have never been deployed to Azure App Service, so there is no "Function App" and no "Function Name" that I can use to get a token (other than the Function Name that I put in the attribute on the methods in my code).
How can you access authorization keys for Azure Functions that are hosted in AKS?
You should be able to do this by setting AzureWebJobsSecretStorageType=kubernetes and referencing your custom key via the secret AzureWebJobsKubernetesSecretName=my-key-secret. This was introduced by this PR, which documents it quite well: https://github.com/Azure/azure-functions-host/pull/4462

Azure API gateway reroute urls based on tenant Id to backend application which are not hosted on Azure?

I have following requirement.
Currently we have different back-end, public-facing API applications (not in Azure) for each tenant. We are building a mobile application. For that we have come up with an integration layer where we invoke multiple APIs from our back-end API applications using Azure Logic Apps.
These Logic App URLs will further be integrated with API Management.
But we are looking at the possibility of rerouting the request to the relevant back-end API application based on the tenant ID, which we pass as a query string parameter.
Can anyone please help me understand whether the Azure API gateway supports rerouting URLs to external public-facing applications (the back-end applications are not in Azure)?
We are planning to move the back-end applications to Azure, but not in the near term. Meanwhile we want to have a solution.
Currently we are storing the host name and tenant ID in Table storage. So based on the tenant ID we fetch the host name and form the URL with the relevant host name.
Any other alternative ideas are also highly appreciated. If you need any other information, please let me know.
I believe the approach you are taking is the right one. The same can be achieved in APIM by using the set-backend-service policy.
You could either fetch the hostname from Table storage in APIM using the send-request policy (cache the result for better latency),
or you can use Named Values to store the mappings and remove Table storage altogether.
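As an added example, not code from the answer: an APIM inbound policy for the Named Values variant, selecting the backend from the tenantId query parameter. The tenant names and the Named Values backend-contoso and backend-fabrikam are assumptions; each Named Value holds the full base URL of that tenant's external back end.

```xml
<!-- Added example (not from the original answer).
     Assumptions: Named Values "backend-contoso" and "backend-fabrikam" hold base URLs such as
     https://api.contoso.example (any public host works; the back ends need not be in Azure). -->
<policies>
    <inbound>
        <base />
        <!-- Read the selector once; missing parameter becomes "" and fails closed below -->
        <set-variable name="tenantId" value="@(context.Request.Url.Query.GetValueOrDefault("tenantId", ""))" />
        <choose>
            <!-- The query value only picks an allow-listed URL; it is never spliced into one -->
            <when condition="@(context.Variables.GetValueOrDefault<string>("tenantId") == "contoso")">
                <set-backend-service base-url="{{backend-contoso}}" />
            </when>
            <when condition="@(context.Variables.GetValueOrDefault<string>("tenantId") == "fabrikam")">
                <set-backend-service base-url="{{backend-fabrikam}}" />
            </when>
            <otherwise>
                <!-- Unknown tenant: reject rather than fall through to the API's default backend -->
                <return-response>
                    <set-status code="400" reason="Bad Request" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{"error":"unknown or missing tenantId"}</set-body>
                </return-response>
            </otherwise>
        </choose>
        <!-- The selector has done its job; do not forward it to the tenant back end -->
        <set-query-parameter name="tenantId" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The point of the choose block is that a caller-controlled value never becomes part of a URL, which is what would turn the gateway into an open proxy (SSRF into whatever the APIM instance can reach). The same shape works if the mapping comes from Table storage via send-request: validate the looked-up host against an allow list before using it. For a mobile app, also consider taking the tenant from a claim in a token checked with validate-jwt instead of an unauthenticated query parameter, otherwise any client can address any tenant's back end.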

Is managed identity available for communication between API Management service and Azure functions?

I have an Azure API Management service communicating with Azure Functions runtime v1. Currently, when I deploy a new version of the Function App (using a CI/CD pipeline in Azure DevOps, and using built-in Microsoft tasks), the function keys (including the master key) change. Consequently, the key that the API Management API is injecting into the requests to the function is no longer valid, and I get a 401 Unauthorized. So, at the moment, I have a task in the pipeline to update these keys any time I deploy the Function App. API Management provides a feature to enable Managed Identity, but when I try to create a role assignment in the Function App for the API Management service, under the system-assigned managed identity, I don't have the option for the API Management service. So I presume it is not possible to set up this role assignment between the two services, right? If not, then is there any suggestion for a workaround to avoid managing keys for the communication between the API Management service and Azure Functions?
Thanks
UPDATE
Managed Identity can now be used by leveraging the authentication-managed-identity policy.
Yes. Managed Identity cannot be used here.
One alternative would be to protect your function app with an IP restriction using the APIM instance's IP, which is guaranteed to be static as long as the instance isn't recreated, and setting the function to be an anonymous function.
Note that you might have problems accessing the function from the portal too, for which you would have to allow the public IP of the computer you are using to access it, if required.
Another option would be to:
Set up authentication for your function app
Have APIM get an access token with the client credentials flow using the send-request policy
Set this access token in the header to call the anonymous function
You could probably try caching this access token using the cache policies.

Azure App Authentication

I have created a Xamarin Android app with an Azure App Service back end. When I looked at securing the connection, I realised I don't really care about individual users, but I want to make sure that only someone running my app can access the database. Is there a way to authenticate the app itself rather than individual users? What is the best practice in this scenario?
If you don't care about users, there are a few approaches, and the security level may vary. If you want to simplify integration and deployment among Azure services, you should consider using Azure AD for identity and access management across your entire system. That is, your back end and Xamarin app are authorized and authenticated via Azure AD. You need to register your native app in Azure AD, which you can refer to here: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-native-client
Another approach is to use certificate-based authorization against Azure Active Directory, which is more controlled and secure than a client secret. In this case, persons installing your app must also install a certificate before sending requests to Azure App Service and retrieving data from Azure SQL Database. The level of authorization is yours to choose, but the first gateway is always Azure AD.
