We have API exposed to our customers through API Management. The security is handled using subscription key which is expected in "Ocp-Apim-Subscription-Key" header.
One of our methods supports polling trigger specifications, with "Location" and "Retry-After" header in response. For one of our customers we want to create Logic Apps, that would fire some actions on this trigger.
We set up HTTP trigger where we provided "Ocp-Apim-Subscription-Key" header in inputs parameters.
Here is the problem. The header is added only to the first request. Subsequent requests using "Location" url don't have this "Ocp-Apim-Subscription-Key" header, so they are rejected by API Management proxy.
I verified that header is in fact missing with some mock API, so it's definitely on Logic Apps end.
Does anyone have any idea how to resolve it?
Related
I am trying to call the Azure-hosted API endpoint using a 3rd party application. Application sends the HTTP request with the header values ContentType = "*/*";
Azure Application Gateway WAF blocks the request showing the below diagnostics logs.
I am aware that, I can add an exclusion in the Web Application Firewall settings, however, I am not able to extract the Request Header Name since the logs do not show the value due to the wildcard(ContentType = "*/*";) content type sent by the 3rd party app.
I added the below rule, but it is still blocking the request.
How can I allow the request via the AGW?
Please find the logs below.
Thanks in advance.
Hello I am trying to deploy my Azure Machine Learning pipeline with a REST endpoint. My problem is that I was able to generate an endpoint but has some sensitive information in it (ex: subscription id, resource group, etc). How can I generate a URL that forwards the request body to my Azure ML REST endpoint?
also, here is an approach I've done:
Used Application Gateway Redirect (this approach didn't forward the request body. It instead turned my POST request into a GET request when it redirected to the correct URL.)
The issue is raised because of some of the default security headers dependent on REST API and web based. Need to set the REST API CSP HEADER. Check the request and response headers in config file of the web application.
So, I have an API in Azure-API-Management, which is attached to a function. I want to expose one the method in API as Web-hook for another application CRM. It will be an inbound web-hook.
Is it possible ?
A webhook endpoint is like any other HTTP endpoint that usually expects a POST request from an external system. So, yes.
Depending on the CRM Application, you could leverage APIMs built-in security features to authenticate the webhook call without having to validate credentials in your function as a bonus for using APIM.
We are using Azure Logic Apps with webhooks.
The webhooks are calling some APIs (service fabric backend - but this shoudn't matter) via Azure APIM.
On completing the specific job, the APIs call the Logic App's webhook callback - just by the book.
On the other hand, there is an IP range limitation setup on LA's trigers.
Everything was working fine until recently - for just some of our environments, sometimes the callback call from the APIs fail - apparently because the IP is not recognized by the Logic App.
First question: why (is) the restriction applied also for callbacks - those are not actual triggers?
Second question: how is it possible that the callbacks still work in some of our environments, having the same restrictions applied.
As for the IP Restrictions, the gateway through which all incoming requests are processed is the same for both the Request Connector and the HTTP WebHook Connector. While you may be using the action here, there is a WebHook Trigger that works in a similar fashion but as a trigger instead.
As for why you are getting failures at times would depend on how requests are being routed from your APIs to Logic Apps. One way to ensure access just from a single IP is to route these callbacks to APIM and let APIM forward the request to your Logic Apps. This way, all requests to your Logic Apps would be coming from APIM.
To route the callback requests through APIM, you will need a special API/Operation in APIM that will forward requests to the URL passed in the header or a query parameter.
So instead of directly calling the callback URL, you will call this APIM endpoint with the callback URL in a custom header or as a query parameter. The APIM policy for this operation will use the set-backend-service and rewrite-uri policies to forward this call to the logic apps endpoint.
I am working on Logic apps with HTTP Listener and tried with the below option rather creating API Controller. Referring below URLs
https://azure.microsoft.com/en-us/documentation/articles/app-service-logic-http-endpoint/
I created a Logic App with "HTTP Request" and do the processing and send the response back to caller. It is working as expected.
but one thing i just wanted to know is , when i create HTTP Request, it provides default URL like below,
https://prod-****.logic.azure.com:443/workflows/*******69a5b764/triggers/request/run?api-version=2015-08-01-preview&sp=%2Ftriggers%2Frequest%2Frun&sv=1.0&sig=*****2MCOoTKZU
Shall we define Custom URL instead default one, like below
Please advise.
There are two different approaches you can hide the original Logic App URL:
Using Azure API Management (APIM)
Using Azure Functions Proxy (AFP)
Through APIM or AFP, you can hide the SAS token part of querystring, sp, sv andd sig, as well as the api-version parameter. Those parameters can be passed through the request header.
By doing so, you can use your own custom URL and hide the SAS token. I've written a blog post about this: https://blog.mexia.com.au/securing-sas-token-from-azure-logic-apps