Securing Azure API - azure-api-apps

I have an Azure WebAPI and I have added it to Azure API Management.
As well as accessing the API through an API Management URI I note that I can still directly access the Azure API using the URI to the API.
In order to secure the raw API, should I:
- add code to the API in order to secure it (by treating the API as the ASP.NET application it is and using a certificate), or
- use some facility of Azure to secure the API?

Your choice:
- Upload a certificate to API Management, and verify it in your API.
- Enable basic auth security in API Management and in your backend API.
- Add a secret to a custom header in API Management and check it in your API.
- Check the inbound IP address in your API, as an API Management instance will keep the same IP for as long as it is provisioned.
- Add your API to an Azure VNet and use a network security group to only allow the API Management IP address access to the VNet.
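As an added example (not code from the original answer), here is the "secret in a custom header" option worked through end to end: the API Management inbound policy injects a header whose value comes from a named value, and an ASP.NET Core middleware in the backend rejects any request that does not carry exactly that value. The names `X-Backend-Key`, `backend-key`, the `BackendKey` app setting and the `/weather` route are assumptions for illustration.

```csharp
// API Management inbound policy (assumed names), applied at API or product scope.
// The named value "backend-key" should be marked secret or backed by Key Vault.
//
// <inbound>
//     <base />
//     <set-header name="X-Backend-Key" exists-action="override">
//         <value>{{backend-key}}</value>
//     </set-header>
// </inbound>
//
// Backend side: ASP.NET Core (minimal hosting model, .NET 6 or later) Program.cs.
using System.Security.Cryptography;
using System.Text;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// The expected secret comes from configuration (an App Service setting named
// "BackendKey", ideally a Key Vault reference), never from source code.
byte[] expectedKey = Encoding.UTF8.GetBytes(
    builder.Configuration["BackendKey"]
    ?? throw new InvalidOperationException("BackendKey setting is missing"));

app.Use(async (context, next) =>
{
    // Require exactly one header value and compare it in constant time, so
    // neither absence nor a near-miss leaks anything through timing.
    if (!context.Request.Headers.TryGetValue("X-Backend-Key", out var presented)
        || presented.Count != 1
        || !CryptographicOperations.FixedTimeEquals(
               Encoding.UTF8.GetBytes(presented[0]!), expectedKey))
    {
        // Same status whether the header was absent or merely wrong.
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        return;
    }
    await next(context);
});

app.MapGet("/weather", () => Results.Ok(new { forecast = "sunny" }));

app.Run();
```

The secret is protected in transit only by TLS, so the backend should be set to HTTPS only, and anyone who obtains the value can bypass API Management entirely; rotate it by changing the named value and the app setting together.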

Related

What is a gateway in Azure APIM?

I have a gateway assigned to my API called "Managed".
What is a gateway and how does it affect this API?
Does it have anything to do with the Gateways page in APIM? There is no "Managed" gateway listed:
What is a gateway and how does it affect this API?
The API gateway is the endpoint that:
- Accepts API calls and routes them to your backends.
- Verifies API keys, JWT tokens, certificates, and other credentials.
- Enforces usage quotas and rate limits.
- Transforms your API on the fly without code modifications.
- Caches backend responses where set up.
- Logs call metadata for analytics purposes.
Does it have anything to do with the Gateways page in APIM? There is no "Managed" gateway listed:
The Gateways page in APIM is for creating self-hosted gateways, which enable you to efficiently and securely manage APIs hosted on-premises and across clouds from a single API Management service in Azure.
For more information, you can refer to the Azure API Management documentation.

Securing backend API in APIM (Azure API Management ) in Consumption Plan

I am working on Azure, where I had to set up an API Management service in the consumption tier. I need to secure the backend APIs (App Service) so that they can only be accessed via the API Management service.
In the APIM developer plan I used, I secured the backend API by whitelisting the IP of APIM in the App Service, but in the consumption plan this will not work, as APIM in the consumption plan does not have a public IP.
I want to secure backend APIs (App Service) behind an API Management service (consumption plan).
I tried:
IP whitelisting, but it worked in the developer plan of APIM and not in the consumption plan.
Azure Active Directory and VNet are not supported in the consumption plan.
I visited this link and then How-to-guides -> Secure your back-end.
One of the options in the above link is to secure backend APIs through Azure Active Directory and also through connecting to an internal virtual network. Unfortunately, these two features are also not supported in the consumption tier.
You can use client certificate authentication to secure your backend service. Besides, please note that to receive and verify client certificates in the Consumption tier you must first turn on the "Request client certificate" setting on the "Custom domains" blade.
For more details, please refer to How to secure back-end services using client certificate authentication in Azure API Management and How to secure APIs using client certificate authentication in API Management.

Securing API App Service sitting behind Azure API Management

I have a design issue that I've been struggling with in Azure. I have created a .NET Core API and deployed it as an App Service in Azure. On top of that, I have an instance of Azure API Management with OAuth 2 securing it. I was able to achieve this by following this tutorial:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
So, the API Management instance is secured with policies and rate limiting, but the back-end URL is wide open and requires no authentication. What is the best process to secure the back-end URL?
You can add the APIM public IP to the access restriction whitelist of your App Service to make sure only APIM requests will be able to reach it. For how to set IP restrictions, you may refer to this doc: https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#adding-and-editing-ip-restriction-rules-in-the-portal

How to prevent direct access to API hosted in Azure app service

I have a backend API that is hosted in Azure app service. I want to use Azure API management as the front end to this backend API and have successfully configured this in Azure. I have configured API management to use OAuth when accessing this backend API which works when clients access the API through the Azure API management endpoints, but how do I prevent people from accessing the backend API endpoints directly so that only calls from the API management endpoints are allowed?
There are a few options of various levels of security:
Shared secret - set a certain header with a certain value in APIM and check that value at your backend.
Managed identity - you can enable managed identity in APIM service and send its token to your backend where you'll be able to validate it.
IP filter - check for APIM IP as a source at backend.
Client certificate auth - upload a client certificate to APIM and attach it to every request to the backend. Check for that certificate at the backend.
VNET - put APIM and your backend into same VNET and block access from outside to backend.
I've personally used IP restrictions to great success. APIM is given a static IP, so you can setup an IP restriction in the "root API" that allows only the APIM calls. This results in a 403 if you call the root API directly.
If you don't want a 403 coming from the root API, you can use policies to change that, or you can setup authentication at the APIM level and you'll get a 401 before even hitting that 403.
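As an added example (not code from either answer above), here is the IP-filter option enforced inside an ASP.NET Core backend, returning the same 403 the answer describes. The platform-level App Service access restriction is the primary control; this in-code check is defence in depth, and it shows the one detail that makes or breaks an IP check on App Service: the TCP peer the app sees is the App Service front end, not API Management, so the real caller must be taken from the rightmost `X-Forwarded-For` entry that the front end appends, never from whatever a direct caller put in that header. The `ApimAllowedIps` setting name and the route are assumptions; the forwarded-headers configuration mirrors what `ASPNETCORE_FORWARDEDHEADERS_ENABLED` does on App Service.

```csharp
// ASP.NET Core (.NET 6 or later) Program.cs, hosted on App Service behind its front end.
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// The APIM VIP(s), e.g. "ApimAllowedIps": "20.50.60.70". The Developer, Basic,
// Standard and Premium tiers keep a static VIP for the life of the instance;
// the Consumption tier does not, so this check cannot be used there.
HashSet<IPAddress> allowed = (builder.Configuration["ApimAllowedIps"] ?? "")
    .Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
    .Select(IPAddress.Parse)
    .ToHashSet();

var forwarded = new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor,
    // Consume only ONE entry, the rightmost one. The App Service front end
    // appends the true client address there; any entries a direct caller
    // pre-populated sit to the left and are ignored.
    ForwardLimit = 1,
};
// The front-end addresses are not known in advance, so the default
// loopback-only trust list must be cleared. This is safe only because the
// worker is reachable solely through the front end.
forwarded.KnownNetworks.Clear();
forwarded.KnownProxies.Clear();
app.UseForwardedHeaders(forwarded);

app.Use(async (context, next) =>
{
    // After UseForwardedHeaders, RemoteIpAddress is the address taken from the
    // trusted X-Forwarded-For entry. Do not parse the raw header here.
    var remote = context.Connection.RemoteIpAddress?.MapToIPv4();
    if (remote is null || !allowed.Contains(remote))
    {
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        return;
    }
    await next(context);
});

app.MapGet("/weather", () => Results.Ok(new { forecast = "sunny" }));

app.Run();
```

If the same code is run outside App Service (for example Kestrel exposed directly), drop the forwarded-headers block entirely so that `RemoteIpAddress` stays the real TCP peer; with the block in place and no trusted proxy in front, a direct caller could spoof the address.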

Make back end APIs only accessible via Azure API management

I have multiple Web APIs deployed in Azure without any authentication applied, so anyone with internet access can reach the Web APIs.
Now I would like to apply authentication to the Web APIs. Instead of implementing the same authentication logic in different Web APIs, I found Azure API gateway (API management) is a potential solution.
With Azure API management documentation, I learned I can apply policies like validate-jwt to authenticate requests to back end Web APIs. However, endpoints of the back end Web APIs are still available to users.
So, how should I hide them? Must I define a sub network or does Azure API management have a feature for this?
Recently I also had this same problem. Finally I found the solution by using the 'IP Restrictions' function. See the following steps:
1) Go to your API Management Overview page in the Azure portal and copy the VIP.
2) In your Web App > Networking
3) Paste in your VIP
Microsoft's Solution: How to secure back-end services using client certificate authentication in Azure API Management
Using this approach, any attempt to access a back-end service without the required certificate will result in a 403 - Forbidden response.
You can use a self-signed certificate as opposed to using a trusted CA signed certificate ($$). I chose to implement an Azure Key Vault where I generated a new certificate, downloaded it as a *.PFX file, and uploaded it into my API Management instance as described in the article.
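As an added example (not code from this answer or from the earlier consumption-tier answer, both of which describe the same client certificate approach), here is the backend half: API Management presents the certificate with the `authentication-certificate` policy, App Service validates the TLS handshake when "Client certificate mode" is set to require, and the app pins the exact certificate by thumbprint rather than only checking that some certificate was present. The `ApimClientCertThumbprint` setting name and the route are assumptions.

```csharp
// API Management inbound policy: present the uploaded certificate to the backend.
// The thumbprint attribute (or certificate-id) refers to the cert uploaded in APIM.
//
// <inbound>
//     <base />
//     <authentication-certificate thumbprint="<thumbprint of the uploaded cert>" />
// </inbound>
//
// Backend side: ASP.NET Core (.NET 6 or later) Program.cs.
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// SHA-1 thumbprint (hex, as shown in APIM or Key Vault) of the certificate APIM
// presents. With a self-signed certificate there is no chain to validate, so
// pinning the exact certificate is the check that actually matters.
string expectedThumbprint = (builder.Configuration["ApimClientCertThumbprint"]
    ?? throw new InvalidOperationException("ApimClientCertThumbprint missing"))
    .Replace(":", "").ToUpperInvariant();

app.Use(async (context, next) =>
{
    // Kestrel with TLS client authentication exposes the certificate directly.
    X509Certificate2? cert = context.Connection.ClientCertificate;

    if (cert is null
        && context.Request.Headers.TryGetValue("X-ARR-ClientCert", out var header)
        && header.Count == 1)
    {
        // App Service terminates TLS at its front end and forwards the client
        // certificate as base64 DER in X-ARR-ClientCert. The header is only
        // trustworthy when the app requires client certificates, because the
        // front end is what proved private-key possession in the handshake.
        try { cert = new X509Certificate2(Convert.FromBase64String(header[0]!)); }
        catch (Exception e) when (e is FormatException or CryptographicException) { cert = null; }
    }

    if (cert is null || !IsApimCertificate(cert))
    {
        // Matches the 403 - Forbidden described for a missing certificate.
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        return;
    }
    await next(context);
});

app.MapGet("/weather", () => Results.Ok(new { forecast = "sunny" }));

app.Run();

bool IsApimCertificate(X509Certificate2 cert)
{
    var now = DateTime.UtcNow;
    if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
        return false;
    // Compare thumbprints as bytes in constant time.
    return CryptographicOperations.FixedTimeEquals(
        Convert.FromHexString(cert.Thumbprint),
        Convert.FromHexString(expectedThumbprint));
}
```

The thumbprint must be updated in the app setting whenever the certificate in API Management is rotated; keeping the old and new thumbprints both allowed for the rollover window avoids an outage.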
Here is an answer from @PramodValavala-MSFT
https://github.com/MicrosoftDocs/azure-docs/issues/26312#issuecomment-470105156
Here are options:
IP restrictions (as described by @redman)
Function keys
Authentication/Authorization for Functions
Managed Identity for APIM
p.s. in my case I went with IP restrictions since it allows me to keep all of the auth on the API Management Gateway.
Or you could use:
Basic auth
Mutual certificate auth
VPN
to secure Azure API Management service communication with your backend service.
Look into setting up TLS on Azure API Management so that all connections to your backend API must come through the API proxy.
Azure API Management cannot modify your backend service. Its role is limited to being a proxy.
You will have to apply authentications to each Web API or configure your firewall to accept requests only from Azure APIM.
Is your backend app an Azure Function app or an App Service app?
If so, Managed Identity may be the simplest way to restrict access. No need to store client secrets/certificates in the API Management + not as flaky as IP whitelisting method.
Create an Azure Active Directory Application for the Function App.
Enable Authentication/Authorization module on the Function App and reference the AAD app from step 1.
Enable a Managed Identity on the APIM instance.
Add a <authentication-managed-identity> policy to the APIM and reference the AAD app from step 1.
I've blogged about this approach in more detail in Restrict Azure Functions to API Management with Terraform
Reference:
Use managed identities in Azure API Management
Configure your App Service or Azure Functions app to use Azure AD login
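As an added example (not code from the answer above or from the linked blog post), here is the managed identity approach with the token validated in the backend's own code rather than by the Authentication/Authorization module: the API Management policy acquires a token for the backend's app registration, and the backend checks signature, issuer, expiry and audience with Microsoft.Identity.Web and then pins the caller to the APIM identity. That last step is the check most people miss: audience validation alone accepts a token for this API obtained by any principal in the tenant, so the `azp`/`appid` claim must equal the APIM managed identity's client ID. The `AzureAd` configuration section, the `ApimManagedIdentityClientId` setting, the app ID URI and the route are assumptions.

```csharp
// API Management inbound policy: acquire a token for the backend app registration
// using the APIM system-assigned identity and put it in the Authorization header.
//
// <inbound>
//     <base />
//     <authentication-managed-identity resource="api://<backend app id uri>" />
// </inbound>
//
// Backend side: ASP.NET Core (.NET 6 or later) Program.cs, with the
// Microsoft.Identity.Web NuGet package referenced.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validates signature, issuer, expiry and audience against the "AzureAd" section
// (Instance, TenantId, ClientId = the backend's app registration).
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Application (client) ID of the APIM managed identity, from the Identity blade
// of the API Management instance. Tokens issued to any other principal for this
// audience are rejected even though they are otherwise valid.
string apimClientId = builder.Configuration["ApimManagedIdentityClientId"]
    ?? throw new InvalidOperationException("ApimManagedIdentityClientId missing");

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("FromApim", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx =>
              {
                  // v2.0 tokens carry the caller's client ID in "azp"; v1.0 tokens in "appid".
                  string? caller = ctx.User.FindFirst("azp")?.Value
                                   ?? ctx.User.FindFirst("appid")?.Value;
                  return string.Equals(caller, apimClientId, StringComparison.OrdinalIgnoreCase);
              }));
    // Apply the policy to every endpoint that does not declare its own.
    options.FallbackPolicy = options.GetPolicy("FromApim");
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/weather", () => Results.Ok(new { forecast = "sunny" }))
   .RequireAuthorization("FromApim");

app.Run();
```

If the Authentication/Authorization module from the answer above is used instead of code, the equivalent of the `azp` check is the module's allowed client applications setting; leaving it empty gives audience validation only.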