Azure API Management transformation URL header using Application Gateway - azure

I have API Management within an internal network with the URL "apimgmnt.azure-api.net" and an API at apimgmnt.azure-api.net/hello.
I also configured an Application Gateway with the URL "appgateway.cloudapp.azure.com" and access the API as appgateway.cloudapp.azure.com/hello.
Now I want to access this URL using "hello.appgateway.cloudapp.azure.com", which should be redirected to apimgmnt.azure-api.net/hello.
What changes and transformation policy should I apply at the API Management level and on the Application Gateway URL?

As of now, URL rewriting is not supported in Application Gateway. So, you will not be able to rewrite and access apimgmnt.azure-api.net/hello.
There is already a feature request on UserVoice for this, which is being worked on. Feel free to upvote this to gain more traction.

Related

Azure POST request redirect using Azure services

Hello, I am trying to deploy my Azure Machine Learning pipeline with a REST endpoint. My problem is that I was able to generate an endpoint, but it has some sensitive information in it (e.g. subscription ID, resource group, etc.). How can I generate a URL that forwards the request body to my Azure ML REST endpoint?
Also, here is an approach I've tried:
I used Application Gateway Redirect (this approach didn't forward the request body; it instead turned my POST request into a GET request when it redirected to the correct URL).
The issue is raised because of some of the default security headers, which depend on whether the request is REST API or web based. You need to set the REST API CSP header. Check the request and response headers in the config file of the web application.

How to obtain a JWT token in an API gateway architecture

Currently doing some research to set up an (Azure) API gateway with OAuth (JWT token) security.
An external partner/app sends a request to an API endpoint published on the gateway, including a valid JWT token in the header, which gets validated by the gateway against Azure AD, for example. When validated, the request is routed to the backend service. No problems here.
My question is, what is the best practice for the external app to obtain that JWT token (to use for the API call)?
Obviously, it could send a request to Azure AD with a client ID + secret to obtain a valid JWT token. But to do so it has to call my internal Azure AD directly? Is this the way to do it?
Or should I expose a 'get-jwt-token' API on my API gateway and route that request to AD? How should I secure that API? With basic auth?
Or am I missing something, and is there a much better best/proven practice?
HOSTING BEST PRACTICE
A reverse proxy or API gateway is placed in front of both APIs and the Authorization Server (AS). This ensures that an attacker who somehow gains access to the back end entry point cannot access data sources.
OAUTH REQUESTS TO GET TOKENS
OAuth requests are typically proxied straight through the reverse proxy / API gateway to the AS with no extra logic. All credentials, auditing of login attempts, etc. remain in the AS.
MANAGED SERVICES
If using Azure AD as a cloud managed AS, this is a special case: the system is already hardened for internet clients, so most companies don't add their own proxying - though it is possible to do so.
FURTHER INFO
The first of these covers the infra setup and the second gives you an idea of extensibility options once a reverse proxy / gateway is in place.
IAM Primer
API Gateway Guides
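The validation step the question describes (the gateway checks the bearer token against Azure AD before routing to the backend) can be expressed as an Azure API Management inbound policy. The policy below is an added example, not code from the answer above or from Microsoft's documentation; `{tenant-id}`, `api://{app-id-uri}` and the `Orders.Read` app role are placeholders you would replace with your own tenant, the API's application ID URI and the roles you assigned to the partner's app registration. Token issuance itself is left to Azure AD, as the answer recommends: the partner app requests the token from the tenant's token endpoint with its client credentials, and the gateway only validates what it receives.

```xml
<!-- Added example (not from the original answer): API-scope inbound policy for
     Azure API Management that validates an Azure AD v2.0 access token before
     the request is forwarded. {tenant-id} and api://{app-id-uri} are placeholders. -->
<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-expiration-time="true"
                      require-signed-tokens="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized">
            <!-- Signing keys are discovered from the tenant's metadata document,
                 so key rollover on the Azure AD side needs no policy change. -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <!-- Reject tokens that were minted for some other API in the tenant. -->
            <audiences>
                <audience>api://{app-id-uri}</audience>
            </audiences>
            <!-- Only accept tokens issued by this tenant's v2.0 endpoint. -->
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
            <!-- An app-only (client credentials) token carries its granted app
                 roles in the "roles" claim; require at least one expected role. -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>Orders.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Checking audience, issuer and a required role (not just the signature) is what stops a token that is valid for a different API, or for a different tenant, from being replayed against this one; a failed check is answered with 401 before the backend is ever reached, which also gives you a single place to log rejected calls.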

HTTP to HTTPS redirect for Azure APIM gateway URL

I want to force HTTPS on the gateway URL of the Azure API Management service, but there are no configuration settings for that.
By default, HTTPS is used by the browser, but when I change it manually in the URL and switch to HTTP, I don't get a redirection to HTTPS, which is what I'm looking for.
I see this as a feedback request: https://feedback.azure.com/forums/248703-api-management/suggestions/37192618-block-http-and-or-force-https .
You may want to vote for it if it aligns with your requirement.
However, it is under review now, and as a workaround it is mentioned to use a policy at the global scope to check the protocol and return a redirect if it's HTTP.
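The global-scope workaround the answer mentions, written out as an added example (this is not code from the answer or from the feedback item): the inbound section inspects the scheme the client actually used and, for plain HTTP, returns a redirect to the same host, path and query string over HTTPS instead of forwarding the call. It assumes the API's protocol settings still allow HTTP; if HTTP is disabled there, the request never reaches the policy and the redirect is moot.

```xml
<!-- Added example (not from the original answer): global-scope ("All APIs") policy
     that answers every plain-HTTP request with a redirect to the HTTPS equivalent. -->
<policies>
    <inbound>
        <choose>
            <!-- OriginalUrl reflects the scheme the client used on the gateway endpoint. -->
            <when condition="@(context.Request.OriginalUrl.Scheme == &quot;http&quot;)">
                <return-response>
                    <!-- 308 preserves the method and body of the original request;
                         301 would turn a POST into a GET on most clients. -->
                    <set-status code="308" reason="Permanent Redirect" />
                    <set-header name="Location" exists-action="override">
                        <value>@("https://" + context.Request.OriginalUrl.Host + context.Request.OriginalUrl.Path + context.Request.OriginalUrl.QueryString)</value>
                    </set-header>
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <forward-request />
    </backend>
    <outbound />
    <on-error />
</policies>
```

Because the check runs at the global scope it applies to every API and operation, including ones added later, so nobody has to remember to attach it per API; the redirect target is built from the incoming host rather than a hard-coded name so it keeps working behind a custom domain.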

Duplicate messages on Azure Web API

I am working on a web application that has Angular 4 on the frontend and Web API on the backend. This application is hosted on MS Azure, and until now we didn't have any issues.
Currently we need to integrate with one payment provider. During payment the user is redirected to its payment page, and if everything goes well the user is redirected back to our web site. Besides the browser redirect (which may fail), the payment provider supports a server-to-server call (HTTP GET). In this way they make sure we get information about the transaction. The problem here is that instead of one call to our Web API backend we always get two calls. After checking the request origin IP addresses I concluded that there are two origins (one is the payment provider address and another is an IP located in the USA, which I assume belongs to MS). This looks to me like a routing problem, but I am not very experienced at this.
Did anybody have a similar problem on Azure while hosting a web application?
According to your description, it seems that it fails for cross-domain requests. Azure website is supposed to manage CORS for you.
I think you missed a handy Azure website blade: specify the origins that should be allowed to make cross-origin calls (for example: http://example.com:12345). To allow all, use "*" and remove all other origins from the list. Slashes are not allowed as part of the domain or after the TLD.
Cross-Origin Resource Sharing (CORS) allows JavaScript code running in a browser on an external host to interact with your backend. Specify the origins that should be allowed to make cross-origin calls (for example: http://example.com:12345). To allow all, use "*" and remove all other origins from the list. Slashes are not allowed as part of domain or after TLD.

Azure API Management Operation URL Template

I am trying to create a simple, parameterless Web API endpoint managed by Azure API Management. My question is, when I add a parameterless operation, what in the world is the URL template supposed to be? My endpoint is http://airport-api2.azurewebsites.net/api/airport. There are no parameters, and the service works fine outside of API Management. I created an API Management instance and want to add this GET to my azurewebsites endpoint. What is the mandatory URL Template value I need to enter into the API Management portal to get this thing to work? The built-in echo service uses /resource. I cannot find an example. Thanks in advance.
Create the API with these parameters:
Web service URL: http://airport-api2.azurewebsites.net/api
Web API URL suffix: whatyouwant
Then configure the operation with:
Operation URL template: /airport
Enjoy!
