Azure app service only accessible behind API Management

I'm looking for a way to host an Azure app service behind the Azure API Management without exposing a public URL to the app service itself.
The API Management is going to do AD Auth so unauthorized requests do not reach the app service and waste resources. The same goes for DDoS attacks: they must be terminated by the API Management.
How can I do this? Is the expensive Azure app service environment the only solution?

You could limit the access to your App Service to the IP/hostname of the API Management instance. See https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
DDoS is hard because what is desired behavior and what is not probably depends on the structure of your APIs. But you could limit each subscription key with a limit. See https://learn.microsoft.com/en-us/azure/api-management/transform-api#protect-an-api-by-adding-rate-limit-policy-throttling

Related

Securing backend API in APIM (Azure API Management ) in Consumption Plan

I am working on Azure, in which I had to set up an API Management service in the consumption tier. I need to secure the backend APIs (App Service) so that they can only be accessed via the API Management service.
In the APIM developer plan I used, I secured the backend API by whitelisting the IP of APIM in the app service, but in the consumption plan this will not work, as APIM in the consumption plan will not have a public IP.
I want to secure the backend APIs (App Service) behind the API Management service (consumption plan).
I tried:
IP whitelisting, but it worked in the developer plan in APIM and not in the consumption plan.
Azure Active Directory and VNet are not supported in the consumption plan.
I visited this link and then How-to-guides->Secure your back-end link.
One of the options in the above link is to secure backend APIs through Azure Active Directory and also through connecting to an internal virtual network. Unfortunately, these two features are also not supported in the consumption tier.
You can use client certificate authentication to secure your backend service. Besides, please note that to receive and verify client certificates in the Consumption tier you must first turn on the "Request client certificate" setting on the "Custom domains" blade as shown below.
For more details, please refer to How to secure back-end services using client certificate authentication in Azure API Management and How to secure APIs using client certificate authentication in API Management.

Securing API App Service sitting behind Azure API Management

I have a design issue that I've been struggling with in Azure. I have created a .NET Core API and deployed it as an App Service in Azure. On top of that, I have an instance of Azure API Management with OAuth 2 securing it. I was able to achieve this by following this tutorial:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
So, the API Management instance is secured with policies and rate limiting, but the back-end URL is wide open and requires no authentication. What is the best process to secure the back-end URL?
You can add the APIM public IP to the access whitelist of your App Service to make sure only APIM requests are able to access your App Service. For how to set IP restrictions, you may refer to this doc: https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#adding-and-editing-ip-restriction-rules-in-the-portal

Azure API Management To VNet

I am using Microsoft Azure. Specifically, I have API Management set up as a public gateway. Internally we have a VNet (it's actually hosted in Azure Environment Service, so it's basically an isolated App Service inside). I want to connect to the App Service inside the VNet from my API Management service (i.e. route calls from API Management to backend services in my App Services in the VNet).
I know I can use the network connection to connect as an external API Management to my VNet, but this requires the Premium service level of API Management, which is super expensive. Is there a way to route traffic from API Management Standard version (which does have a static IP) through to a service inside a VNet/subnet through some configuration (other than the network connection from the API Management blade)?
Thanks in advance.
If you want to use API Management in the VNET then you are limited to Premium or Developer. However, the App Service Environment can have an external interface and API Management can talk to that.
You would need to add some additional security to your external interface to ensure only API Management has access. This could just be an IP filter rule.

3-Tier Web App in Azure Web Apps

In a typical 3-Tier web app, you run web servers in public subnet, while app tier lives in private subnet. Is it possible to run similar architecture with Azure Web apps and Api apps?
I guess you can run an ASP.NET Core Web App in Azure Web App and deploy an ASP.NET Core Web API to Azure API App, then make the API endpoint private so only the Web app can talk to it? I see options like Google, Facebook etc. as auth providers. Is that what you have to do to make the API private?
D.
If you want that level of isolation, one (although expensive) option is an App Service Environment (ASE). Link to docs: https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-intro
App Service Environments are ideal for application workloads requiring:
Very high scale
Isolation and secure network access
The public environment where you deploy by default is public. Your endpoints will be accessible to anyone anywhere, and it is up to your app to do the filtering. This can be done, e.g. through static IP address security settings in Web.config. The problem with that is that even then you can't know for sure what IP address your front-end will use for communication. There are multiple possible addresses it may use for outbound traffic, and those are subject to possible change.
You can see an example of IP restrictions here: restricting IP security
Of course you should also have authentication set up on your API. Documentation links:
https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-overview
https://learn.microsoft.com/en-us/azure/app-service-api/app-service-api-authentication
In line with what @juunas said above, a slight variant is to introduce Azure API Management Gateway in between the Azure web app and the Azure API app. In the standard tier, the API Gateway IP address is fixed and doesn't change, and you can use the API Gateway address in the Azure API App web.config to whitelist.

Make back end APIs only accessible via Azure API management

I have multiple Web APIs deployed in Azure without applying authentication, so anyone who has access to the internet has access to the Web APIs.
Now I would like to apply authentication to the Web APIs. Instead of implementing the same authentication logic in different Web APIs, I found Azure API gateway (API Management) is a potential solution.
With Azure API management documentation, I learned I can apply policies like validate-jwt to authenticate requests to back end Web APIs. However, endpoints of the back end Web APIs are still available to users.
So, how should I hide them? Must I define a sub network or does Azure API management have a feature for this?
Recently I also had this same problem. Finally I found the solution by using 'IP Restrictions' function. See the following steps:
1) Go to your API management Overview page in Azure portal, copy the VIP.
2) In your Web APP > Networking
3) Paste in your VIP
Microsoft's Solution: How to secure back-end services using client certificate authentication in Azure API Management
Using this approach, any attempt to access a back-end service without the required certificate will result in a 403 - Forbidden response.
You can use a self-signed certificate as opposed to using a trusted CA signed certificate ($$). I chose to implement an Azure Key Vault where I generated a new certificate, downloaded it as a *.PFX file, and uploaded it into my API Management instance as described in the article.
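As an added example (not part of the original answers and not Microsoft's code): with a self-signed client certificate as described above there is no CA chain to validate, so the back end has to pin the certificate itself and answer 403 to everything else. The sketch assumes App Service hands the caller's certificate to the app as base64-encoded DER in the X-ARR-ClientCert request header; the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Assumption: App Service hands the caller's certificate to the app as
# base64-encoded DER in this request header.
CLIENT_CERT_HEADER = "x-arr-clientcert"


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes as upper-case hex (the usual thumbprint form)."""
    return hashlib.sha1(der).hexdigest().upper()


def authorize(headers: dict, pinned: set) -> tuple:
    """Return (status, reason); anything but a pinned certificate gets 403."""
    # HTTP header names are case-insensitive.
    raw = next((v for k, v in headers.items()
                if k.lower() == CLIENT_CERT_HEADER), None)
    if not raw:
        return 403, "no client certificate presented"
    try:
        der = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return 403, "certificate header is not valid base64"
    presented = thumbprint(der)
    # Compare against every pinned value in constant time.
    matched = False
    for value in pinned:
        wanted = value.replace(" ", "").upper()
        matched |= hmac.compare_digest(presented, wanted)
    if not matched:
        return 403, "certificate thumbprint is not pinned"
    return 200, "ok"


# Constructed sample data: stand-in bytes, not real X.509 certificates.
APIM_CERT_DER = b"constructed DER bytes: API Management client certificate"
OTHER_CERT_DER = b"constructed DER bytes: some other certificate"
PINNED = {thumbprint(APIM_CERT_DER)}
FROM_APIM = {"X-ARR-ClientCert": base64.b64encode(APIM_CERT_DER).decode()}
FROM_OTHER = {"X-ARR-ClientCert": base64.b64encode(OTHER_CERT_DER).decode()}
DIRECT_CALL = {"Host": "backend.example"}

if __name__ == "__main__":
    for name, hdrs in [("via APIM", FROM_APIM), ("other cert", FROM_OTHER),
                       ("direct call", DIRECT_CALL)]:
        print(name, authorize(hdrs, PINNED))
```

Thumbprint pinning does not check expiry or revocation, so the pinned value has to be updated whenever the certificate uploaded to API Management is replaced.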
Here is an answer from @PramodValavala-MSFT
https://github.com/MicrosoftDocs/azure-docs/issues/26312#issuecomment-470105156
Here are options:
IP restrictions (as described by @redman)
Function keys
Authentication/Authorization for Functions
Managed Identity for APIM
P.S. In my case I went with IP restrictions since it allows keeping all of the auth on the API Management Gateway.
Or you could use:
Basic auth
Mutual certificate auth
VPN
to secure Azure API Management service communication with your backend service.
Look into setting up TLS on Azure API Management so that all connections to your backend API must come through the API proxy.
Azure API management cannot modify your backend service. Its role is limited to being a proxy.
You will have to apply authentications to each Web API or configure your firewall to accept requests only from Azure APIM.
Is your backend app an Azure Function app or an App Service app?
If so, Managed Identity may be the simplest way to restrict access. No need to store client secrets/certificates in the API Management + not as flaky as IP whitelisting method.
1) Create an Azure Active Directory Application for the Function App.
2) Enable Authentication/Authorization module on the Function App and reference the AAD app from step 1.
3) Enable a Managed Identity on the APIM instance.
4) Add a <authentication-managed-identity> policy to the APIM and reference the AAD app from step 1.
I've blogged about this approach in more detail in Restrict Azure Functions to API Management with Terraform
Reference:
Use managed identities in Azure API Management
Configure your App Service or Azure Functions app to use Azure AD login
