Make back end APIs only accessible via Azure API management - azure

I have multiple Web APIs deployed in Azure without applying authentication, so anyone has access to internet has the access to the Web APIs.
Now I would like to apply authentications to the Web APIs, instead of implementing the same authentication logic in different Web APIs, I found Azure API gateway (API management) is a potential solution.
With Azure API management documentation, I learned I can apply policies like validate-jwt to authenticate requests to back end Web APIs. However, endpoints of the back end Web APIs are still available to users.
So, how should I hide them? Must I define a sub network or does Azure API management have a feature for this?

Recently I also had this same problem. Finally I found the solution by using 'IP Restrictions' function. See the following steps:
1) Go to your API management Overview page in Azure portal, copy the VIP.
2) In your Web APP > Networking
3) Paste in your VIP

Microsoft's Solution: How to secure back-end services using client certificate authentication in Azure API Management
Using this approach, any attempt to access a back-end service without the required certificate will result in a 403 - Forbidden response.
You can use a self-signed certificate as opposed to using a trusted CA signed certificate ($$). I chose to implement an Azure Key Vault where I generated a new certificate, downloaded it as a *.PFX file, and uploaded it into my API Management instance as described in the article.

Here is an answer from #PramodValavala-MSFT
https://github.com/MicrosoftDocs/azure-docs/issues/26312#issuecomment-470105156
Here are options:
IP restrictions (as described by #redman)
Function keys
Authentication/Authorization for Functions
Managed Identity for APIM
p.s. in my case I want with IP restrictions since it allows to keep all of the auth on the API Management Gateway.

Or you could use:
Basic auth
Mutual certificate auth
VPN
to secure Azure API Management service communication with your backend service.

Look into setting up TLS on Azure API Management so that all connections to your backend API must come through the API proxy.

Azure API management cannot modify your backend service. It's role is limited to being a proxy.
You will have to apply authentications to each Web API or configure your firewall to accept requests only from Azure APIM.

Is your backend app an Azure Function app or an App Service app?
If so, Managed Identity may be the simplest way to restrict access. No need to store client secrets/certificates in the API Management + not as flaky as IP whitelisting method.
Create an Azure Active Directory Application for the Function App.
Enable Authentication/Authorization module on the Function App and reference the AAD app from step 1.
Enable a Managed Identity on the APIM instance.
Add a <authentication-managed-identity> policy to the APIM and reference the AAD app from step 1.
I've blogged about this approach in more detail in Restrict Azure Functions to API Management with Terraform
Reference:
Use managed identities in Azure API Management
Configure your App Service or Azure Functions app to use Azure AD login

Related

How to lock an API in APIM in azure to a hosted web application in azure?

I have been looking at various tutorials demoing how identity management works as well as API management in azure but I am not seeing an answer to my questions. I understand that managed identities can be used to authorize azure resource to resource communication but I am not seeing how this is done for a web application. Say for example I have an angular website being hosted on an nginx server in an AKS cluster. I understand that I could use Identity management to create Identity resources that make it so that the AKS and APIM are authorized to connect with one another but how would I do this for the angular running application? This application is running in the client's browser, so it seems like this identity management mechanism would not work. How does one secure an APIM so only a given web application can interact with it?
You could secure your API in APIM with the client certificate, then when the app access the API, validate the incoming certificate and check certificate properties against desired values using policy expressions.
For more details, see How to secure APIs using client certificate authentication in API Management.

Provide App service security in Azure solutions

I have a click once windows application which already has authentication n Authorization built in. Earlier i used to deploy it on physical server n share the location with users so that they can install it n use it. But now we have decided to deploy it on azure PAAS service (App service ). But currently url is geting access by anyone which i want to restrict. Currently my organization AD is not synced with Azure AD. So not able to use Azure AD for authentication.
Kindly provide some better solutions other than restricting users based on IP.
If it's a file download you can put it on Azure Blob storage for download and generate short-time SAS tokens.
While IP address restrictions and Azure AD authentication would be one-efficient approach for your scenario. Since you do not want to go that route (due to environment limitations), If you wish you could authenticate users with the specified provider (Microsoft Account, Facebook, Google, Twitter or Any OpenID Connect provider). App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code.
App Service uses federated identity, in which a third-party identity provider manages the user identities and authentication flow for you. You can also use multiple sign-in providers.
So the simple process could be:
The option is Log in with . App Service redirects all anonymous requests to /.auth/login/<provider> for the provider you choose. If the anonymous request comes from a native mobile app, the returned response is an HTTP 401 Unauthorized.
Kindly checkout step-step instructions on the process/workflow:
Configure your App Service or Azure Functions app to use Microsoft Account login
If your WebApp is on VNet, you can have service endpoints enabled for Microsoft.Web, through access restrictions.
See- Advanced usage of authentication and authorization in Azure App Service

Securing API App Service sitting behind Azure API Management

I have a design issue that I've been struggling with in Azure. I have created a .NET Core API and deployed it as an App Service in Azure. On top of that, I have an instance of Azure API Management with oAuth 2 securing it. I was able to achieve this by following this tutorial:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
So, the API Management instance is secured with policies and rate limiting, but the back-end URL is wide open and requires no authentication. What is the best process to secure the back-end URL?
you can set APIM public IP in accessing whitelist of your App service to make sure only APIM requests will be able to access your App Service. For how to set IP restriction , you may refer to this doc : https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#adding-and-editing-ip-restriction-rules-in-the-portal

Azure Function connectivity with app service which has windows authentication

We have a scenario where we need to invoke, a restful API through azure functions. The restful API is hosted in MS azure under app services. Both web application and API are windows authentication enabled.
Azure function runs server less and it cannot pass windows authentication. Using certificate, I need to establish the connectivity with the endpoint. I need your inputs to understand, how we can establish the connectivity between Azure function and rest API which is Windows authentication enabled.
Azure Functions does not support Windows Authentication. If you need a function to be able to call into an external REST API, then you'll need to use a different authentication protocol, such as Azure Active Directory.

Securing Azure API

I have an Azure WebAPI and I have added it to Azure API Management.
As well as accessing the API through an API Management URI I note that I can still directly access the Azure API using the URI to the API.
In order to secure the raw API should I:
add code to the API in order to secure it (by treating the API as the ASP.Net application it is and using a certificate)
or
Use some facility of Azure to secure the API
Your choice.
Upload a certificate to API Management, and verify it in your API
Enable basic auth security in API Management and in your backend API
Add a secret to a custom header in API Management and check it in your API.
Check the inbound IP address in your API as an API Management instance will keep the same IP for as long as it is provisioned
Add your API to an Azure VNet and use a network security group to only allow the API Management IP address access to the VNet

Resources