In Nginx, we can set up basic auth by adding annotation in the ingress.
nginx.ingress.kubernetes.io/auth-realm: Authentication Required
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-type: basic
But if we are using azure application gateway instead of Nginx how can we set up basic auth.
Unfortunately Azure Application Gateway doesn't support basic auth and I would say using an ingress controller like nginx-ingress is the proper choice in a scenario where you need this feature. The lack of support for authentication in Azure Application Gateway was already reported in this thread.
Related
How do i use Application gateway with API in Backend pool. Please note we do not want to use API Gateway due to cost and very few APIs.
I know how to configure Application gateway with WebApp but not sure how I can use it with an Api. Please give me some links/ references where similar design is available.
Many thanks
When we deploy API in Web App Service then apiname.azurewebsites.net does not work give any probes to application gateway and treat unhealthy. API works like xxx.azurewebsites.net/api/values and Application Gateway treat xxx.azurewebsites.net as unhealthy. We have to put /api/values in override backend path of http settings. Same have to do in health probes.
For more details, you could refer to this similar SO thread.
I have Azure API Management, configured internally and exposed to the public through Azure application Gateway. My API is secured for client certificates, it working perfectly when I test it internally. When I test it externally, I am getting an invalid certificate error. Does Azure Application Gateway block client certificates? How to allow them?
An answer from Microsoft:
We do have option for mutual authentication on Application Gateway
which can allow the mutual authentication between client and
Application Gateway:
https://learn.microsoft.com/en-us/azure/application-gateway/mutual-authentication-overview
However this is still in preview version, which is not included in
SLA. As the mutual authentication between AppGW and the APIM we
double confirmed with the backend engineers, unfortunately the answer
is no we do not support such a function.
I suspect this is not yet possible with Application Gateway: https://feedback.azure.com/forums/217313-networking/suggestions/9379902-allow-mutual-ssl-auth-on-application-gateway
Our platform has an Azure Application Gateway configured with a number of back services hosted in an AKS cluster using the Azure Application Gateway ingress controller. One of the services is our core identity service eg https://login.mydomain.com.
I can browse directly to this url and the login page is served fine. Due to having strict data sovereignty requirements, another service provides is a regional authentication service eg https://login-region.mydomain.com
We use an OIDC back channel flow to redirect the user from the global service to the relevant region to enter their user credentials. This also works correctly to authenticate the user.
The issue arises when the regional identity server redirects back to the core identity service with the authentication token.
A nginx 502 Bad Gateway message is displayed.
As a side note, we have test environment configured that does not use Application Gateway, rather Kubernetes nginx Ingress controller for SSL Termination. During the configuration of this environment we had a similar issue and increasing the nginx proxy-buffer-size be increased 16k resolved the issue.
There is no limit set in the docs for Application Gateway: https://github.com/MicrosoftDocs/azure-docs/blob/master/includes/application-gateway-limits.md
I'm not sure If I'm looking in the correct place or if this is completely unrelated.
I have a design issue that I've been struggling with in Azure. I have created a .NET Core API and deployed it as an App Service in Azure. On top of that, I have an instance of Azure API Management with oAuth 2 securing it. I was able to achieve this by following this tutorial:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
So, the API Management instance is secured with policies and rate limiting, but the back-end URL is wide open and requires no authentication. What is the best process to secure the back-end URL?
you can set APIM public IP in accessing whitelist of your App service to make sure only APIM requests will be able to access your App Service. For how to set IP restriction , you may refer to this doc : https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#adding-and-editing-ip-restriction-rules-in-the-portal
I have multiple Web APIs deployed in Azure without applying authentication, so anyone has access to internet has the access to the Web APIs.
Now I would like to apply authentications to the Web APIs, instead of implementing the same authentication logic in different Web APIs, I found Azure API gateway (API management) is a potential solution.
With Azure API management documentation, I learned I can apply policies like validate-jwt to authenticate requests to back end Web APIs. However, endpoints of the back end Web APIs are still available to users.
So, how should I hide them? Must I define a sub network or does Azure API management have a feature for this?
Recently I also had this same problem. Finally I found the solution by using 'IP Restrictions' function. See the following steps:
1) Go to your API management Overview page in Azure portal, copy the VIP.
2) In your Web APP > Networking
3) Paste in your VIP
Microsoft's Solution: How to secure back-end services using client certificate authentication in Azure API Management
Using this approach, any attempt to access a back-end service without the required certificate will result in a 403 - Forbidden response.
You can use a self-signed certificate as opposed to using a trusted CA signed certificate ($$). I chose to implement an Azure Key Vault where I generated a new certificate, downloaded it as a *.PFX file, and uploaded it into my API Management instance as described in the article.
Here is an answer from #PramodValavala-MSFT
https://github.com/MicrosoftDocs/azure-docs/issues/26312#issuecomment-470105156
Here are options:
IP restrictions (as described by #redman)
Function keys
Authentication/Authorization for Functions
Managed Identity for APIM
p.s. in my case I want with IP restrictions since it allows to keep all of the auth on the API Management Gateway.
Or you could use:
Basic auth
Mutual certificate auth
VPN
to secure Azure API Management service communication with your backend service.
Look into setting up TLS on Azure API Management so that all connections to your backend API must come through the API proxy.
Azure API management cannot modify your backend service. It's role is limited to being a proxy.
You will have to apply authentications to each Web API or configure your firewall to accept requests only from Azure APIM.
Is your backend app an Azure Function app or an App Service app?
If so, Managed Identity may be the simplest way to restrict access. No need to store client secrets/certificates in the API Management + not as flaky as IP whitelisting method.
Create an Azure Active Directory Application for the Function App.
Enable Authentication/Authorization module on the Function App and reference the AAD app from step 1.
Enable a Managed Identity on the APIM instance.
Add a <authentication-managed-identity> policy to the APIM and reference the AAD app from step 1.
I've blogged about this approach in more detail in Restrict Azure Functions to API Management with Terraform
Reference:
Use managed identities in Azure API Management
Configure your App Service or Azure Functions app to use Azure AD login