We have a API-based microservice system, where a public API gateway (.NET Nancy API running on Azure Website) calls into microserviced API's (various technologies) to return data.
Currently, the microserviced API's are either Azure WebSites, or Azure Functions (HTTP trigger), so that means they have a public endpoint, with HTTP exposed to the public. (e.g https://my-microservice.azurewebsites.net)
Is there any way to lock this down so that only the API gateway can call into it?
I've read about DIPR but that seems to be based on a public IPv4 address (i don't think we can get a static IP for the API gateway?).
Currently we make the microserviced API's require authentication via bearer tokens (using IdSrv auth server), but ideally i'd like to secure the API's at the network level, then remove the token/IdSrv dependency. Can we leverage VNET's?
How do other people solve this? As in, how can we lock down an Azure Website from public access?
TIA.
You should use Azure Virtual Network and create rules for inbound/outbound traffic (valid for Standard / Premium App Service Plans): https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-integrate-with-vnet
There's also Azure App Service environment for that, however it requires a Premium App Service Plan: https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-intro
Related
I have an Azure Static Web App developed using Angular (let's say my company homepage) which needs to be publicly accessible w/o authentication. If I wanted some dynamic content on the home page which comes from a database (i.e. news items or a product list), are there any ways to "secure" an Azure Function endpoint that supplies this data to the front end.
"secure" == I'd like to limit access of the endpoint to just my Azure Static Web App.
I'd also like to set up a function that listens for IPN requests from PayPal and so I'd like to configure that function to only be accessible from PayPal.
I see that I can configure CORS to only allow specific domains access to a function -- is this my best option?
There are two ways to look at it,
(i) Azure has APIM Service which allows to secure certain endpoints and is probably the best way how to handle Azure Functions endpoints for public.
(ii) You can also secure the functions by adding application gateway and whitelist the IP address of the Application gateway in the function or you can build functions inside a vnet using the azure environment service.
You can read more about Securing Azure Functions here
I have Azure app service (Web API) and have restricted access to everyone and allowed access by Ipaddress using access restrictions (https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions)
I want to allow a particular domain/endpoint access to the API doesn't matter which IP address they are coming from. Is there any way possible to do it.
Unfortunately, It's impossible to whitelist a particular domain/endpoint to the Azure app service using access restrictions as essentially the domain name will be resolved to a real IP address via DNS when the client access the web API in the Azure app service.
Not sure why you want to only allow a particular domain. Perhaps, you just want to map a custom domain to Azure App Service. Then you can access the web API using your multiple custom domain URLs.
Furthermore, optionally, you could apply an Application gateway in front of your web API, then you could access your backend web API using a custom domain URL or Application gateway URL. Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example, URI path or host headers. Also, you could whitelist the Application gateway frontends in your app service access restrictions. See Configure App Service with Application Gateway for more details.
I hope it's helpful for you.
I have a design issue that I've been struggling with in Azure. I have created a .NET Core API and deployed it as an App Service in Azure. On top of that, I have an instance of Azure API Management with oAuth 2 securing it. I was able to achieve this by following this tutorial:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
So, the API Management instance is secured with policies and rate limiting, but the back-end URL is wide open and requires no authentication. What is the best process to secure the back-end URL?
you can set APIM public IP in accessing whitelist of your App service to make sure only APIM requests will be able to access your App Service. For how to set IP restriction , you may refer to this doc : https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#adding-and-editing-ip-restriction-rules-in-the-portal
In a typical 3-Tier web app, you run web servers in public subnet, while app tier lives in private subnet. Is it possible to run similar architecture with Azure Web apps and Api apps?
I guess you can run Asp.NET Core Web App in Azure Web App and Deploy AspNet Core Web Api to Azure Api App, then make Api end point private so only Web app can talk to it? I see options like Google, Facebook et. as auth providers. Is that what you have to do to make API private?
D.
If you want that level of isolation, one (although expensive) option is an App Service Environment (ASE). Link to docs: https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-intro
App Service Environments are ideal for application workloads requiring:
Very high scale
Isolation and secure network access
The public environment where you deploy by default is public. Your endpoints will be accessible to anyone anywhere, and it is up to your app to do the filtering. This can be done, e.g. through static IP address security settings in Web.config. The problem with that is that even then you can't know for sure what IP address your front-end will use for communication. There are multiple possible addresses it may use for outbound traffic, and those are subject to possible change.
You can see an example of IP restrictions here: restricting IP security
Of course you should also have authentication set up on your API. Documentation links:
https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-overview
https://learn.microsoft.com/en-us/azure/app-service-api/app-service-api-authentication
In line with what #juunas said above and a slight variant is to introduce Azure API Management Gateway in between Azure web app and Azure Api app. In standard tier API Gateway the IP address is fixed and doesn't change and you can use the API Gateway address in Azure API App web.config to whitelist.
I have a .NET Web Api project with several REST endpoints that I only want accessed by resources from within an Azure virtual network I have created. Resources such as Azure Functions and Azure Web Roles will access these endpoints only. In other words, I do not want the endpoints publicly available.
So, I configured the Web Api application with my virtual network but apparently I also need to add the Web Api application to an Application Service Environment (which are quite costly from what I have read). To quote the Azure documentation:
VNET Integration gives your web app access to resources in your virtual network but does not grant private access to your web app from the virtual network.
Do I indeed need to use an Application Service Environment and just deal with the costs or is there another way I can achieve what I want?
I do not want the endpoints publicly available.
Until now, Azure web app only supports for using an internal load balancer with the app service environment feature. If you want to make your Web API can only be accessed internally. An app service environment is required.
If you don't want to move your Web API to app service environment and your Azure function and web role have fixed ip addresses, you could configure the IP whitelist using ipSecurity configuration in your web API. For more information of ipSecurity, link below is for your reference.
IP and Domain Restrictions for Windows Azure Web Sites