We enabled Swagger on Azure Service Fabric application using below link.
Swagger for Azure Service Fabric Stateless Web API application
But, we are unable to secure the swagger UI using OAuth (Azure AAD application). Can anyone please provide some guidance on enabling security on Swagger UI for the application hosted on Service Fabric.
Many Thanks, Thirumalai M
There isn't any real difference to how a Service Fabric hosted Web Api would handle this compare to a "normal" App Service or IIS hosted Web Api.
The following article does a good job of describing how to secure a Swagger UI using OAuth2 and IdentityServer3:
http://knowyourtoolset.com/2015/09/secure-web-apis-with-swagger-swashbuckle-and-oauth2-part-4/
Related
I have been looking at various tutorials demoing how identity management works as well as API management in azure but I am not seeing an answer to my questions. I understand that managed identities can be used to authorize azure resource to resource communication but I am not seeing how this is done for a web application. Say for example I have an angular website being hosted on an nginx server in an AKS cluster. I understand that I could use Identity management to create Identity resources that make it so that the AKS and APIM are authorized to connect with one another but how would I do this for the angular running application? This application is running in the client's browser, so it seems like this identity management mechanism would not work. How does one secure an APIM so only a given web application can interact with it?
You could secure your API in APIM with the client certificate, then when the app access the API, validate the incoming certificate and check certificate properties against desired values using policy expressions.
For more details, see How to secure APIs using client certificate authentication in API Management.
I am having a Web API project in asp.net and this project is hosted on Azure web app services .Azure endpoint of the api works . How can i wrap this api under azure api management ?
Current setup
Asp.net web Api project > Hosted in azure web app services
I tried to add the api in API management via blank and open api specification.
I would expect the Azure API Management could connect to my web app service where my asp.net web api project is hosted.
Deploy your Web API to Azure App Service API App instead of App Service Web App. You will be able to import the API's directly from the UI. Here is the doc.
Alternative to Ketan's approach is to configure API manually using "Blank API" option. where you'll need to specify your App's base URL. You will be required later on to create all operations manually.
I have a design issue that I've been struggling with in Azure. I have created a .NET Core API and deployed it as an App Service in Azure. On top of that, I have an instance of Azure API Management with oAuth 2 securing it. I was able to achieve this by following this tutorial:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
So, the API Management instance is secured with policies and rate limiting, but the back-end URL is wide open and requires no authentication. What is the best process to secure the back-end URL?
you can set APIM public IP in accessing whitelist of your App service to make sure only APIM requests will be able to access your App Service. For how to set IP restriction , you may refer to this doc : https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#adding-and-editing-ip-restriction-rules-in-the-portal
I've created a web application API with a swagger interface that I've deployed as an API App to Azure.
When creating a Logic App I can find my API App but whenever I try to use it I get the following error:
Failed to fetch swagger. Ensure you have CORS enabled on the endpoint
and are calling an HTTPS endpoint.
I'm using the default https url for the API definition in the API App:
https://microsoft-SOME-LONG-MS-INTERNAL-ID.azurewebsites.net/swagger/docs/v1
The swagger docs have been provided in my C# web API application through Swashbuckle.
For CORS I've set a single * item.
This didn't seem sufficient for the Logic App to access the API App I then configured Authentication / Authorization for the API App to use Azure Active Directory (express), creating an AD Azure App.
I believe the issue will be one of configuring security which is all pretty new to me in Azure. I'd like to make the API App inaccessible externally, but available to Web Apps and Logic Apps within my Azure subscription.
I've not added any authentication mechanism to the ASP.NET web application itself as I figured the web application would effectively be sitting in a private network on Azure. Perhaps this is a bad assumption and I need to add authentication to allow Azure AD to work?
Any pointers / suggestions?
Turns out I needed to update the Azure SDK for Visual Studio. I had an older version that was deploying a preview Api App which resulted in a "Api app host" type being deployed rather that an "API app" type.
Everything works after the update and I've found some documentation for securing the API App and making it available in the Logic App - https://azure.microsoft.com/en-us/documentation/articles/app-service-logic-custom-hosted-api/
I have multiple Web APIs deployed in Azure without applying authentication, so anyone has access to internet has the access to the Web APIs.
Now I would like to apply authentications to the Web APIs, instead of implementing the same authentication logic in different Web APIs, I found Azure API gateway (API management) is a potential solution.
With Azure API management documentation, I learned I can apply policies like validate-jwt to authenticate requests to back end Web APIs. However, endpoints of the back end Web APIs are still available to users.
So, how should I hide them? Must I define a sub network or does Azure API management have a feature for this?
Recently I also had this same problem. Finally I found the solution by using 'IP Restrictions' function. See the following steps:
1) Go to your API management Overview page in Azure portal, copy the VIP.
2) In your Web APP > Networking
3) Paste in your VIP
Microsoft's Solution: How to secure back-end services using client certificate authentication in Azure API Management
Using this approach, any attempt to access a back-end service without the required certificate will result in a 403 - Forbidden response.
You can use a self-signed certificate as opposed to using a trusted CA signed certificate ($$). I chose to implement an Azure Key Vault where I generated a new certificate, downloaded it as a *.PFX file, and uploaded it into my API Management instance as described in the article.
Here is an answer from #PramodValavala-MSFT
https://github.com/MicrosoftDocs/azure-docs/issues/26312#issuecomment-470105156
Here are options:
IP restrictions (as described by #redman)
Function keys
Authentication/Authorization for Functions
Managed Identity for APIM
p.s. in my case I want with IP restrictions since it allows to keep all of the auth on the API Management Gateway.
Or you could use:
Basic auth
Mutual certificate auth
VPN
to secure Azure API Management service communication with your backend service.
Look into setting up TLS on Azure API Management so that all connections to your backend API must come through the API proxy.
Azure API management cannot modify your backend service. It's role is limited to being a proxy.
You will have to apply authentications to each Web API or configure your firewall to accept requests only from Azure APIM.
Is your backend app an Azure Function app or an App Service app?
If so, Managed Identity may be the simplest way to restrict access. No need to store client secrets/certificates in the API Management + not as flaky as IP whitelisting method.
Create an Azure Active Directory Application for the Function App.
Enable Authentication/Authorization module on the Function App and reference the AAD app from step 1.
Enable a Managed Identity on the APIM instance.
Add a <authentication-managed-identity> policy to the APIM and reference the AAD app from step 1.
I've blogged about this approach in more detail in Restrict Azure Functions to API Management with Terraform
Reference:
Use managed identities in Azure API Management
Configure your App Service or Azure Functions app to use Azure AD login