I have a backend API that is hosted in Azure app service. I want to use Azure API management as the front end to this backend API and have successfully configured this in Azure. I have configured API management to use OAuth when accessing this backend API which works when clients access the API through the Azure API management endpoints, but how do I prevent people from accessing the backend API endpoints directly so that only calls from the API management endpoints are allowed?
Viewed 3,606 times
2 Answers
4
There are a few options with various levels of security:
- Shared secret - set a certain header with a certain value in APIM and check that value at your backend.
- Managed identity - you can enable managed identity in the APIM service and send its token to your backend, where you'll be able to validate it.
- IP filter - check for the APIM IP as the source at the backend.
- Client certificate auth - upload a client certificate to APIM and attach it to every request to the backend. Check for that cert at the backend.
- VNET - put APIM and your backend into the same VNET and block access from outside to the backend.

Vitaliy Kurokhtin
- I wonder how come two solid options are not included here: 1- Pass the Bearer token to the backend API and have the backend validate it. 2- Add OAuth to the backend and make API management pass through. – Allan Xu Nov 13 '18 at 16:58
- As I understand, @Geekn already made it so that APIM sends a bearer token with every request. The question is about making it impossible to call the backend API directly at all, and not just without a token. – Vitaliy Kurokhtin Nov 13 '18 at 22:44
- Yeah, the thing is that APIM adds gateway restrictions, rate limits, caching, etc. – Juan Carrey Nov 11 '21 at 09:17
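As an added example (not code from the answer, Azure, or the question's project), here is how a backend could enforce two of the options listed above at once: the shared-secret header that an APIM `set-header` policy injects, plus an allowlist of the APIM gateway's source address. The header name, the secret value and the 203.0.113.10 address are constructed placeholders.

```python
import hmac
import ipaddress

# Constructed placeholders: in a real deployment the secret is loaded from
# configuration (e.g. Key Vault) and the network list holds APIM's static IP.
APIM_SHARED_SECRET = "example-secret-rotate-me"
APIM_HEADER = "X-APIM-Gateway-Key"  # hypothetical header set by an APIM set-header policy
APIM_SOURCE_NETS = [ipaddress.ip_network("203.0.113.10/32")]


def check_gateway_request(headers, source_ip):
    """Return (status_code, reason); 200 means the request may proceed.

    headers:   dict of request header name -> value (names matched case-insensitively).
    source_ip: the connection's source address as a string. The caller must pass a
               trustworthy value (socket peer, or the address the platform verified);
               a raw X-Forwarded-For header is client-controlled and must not be used.
    """
    # Option "IP filter": only the APIM gateway's address may reach the backend.
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return 403, "unparseable source address"
    if not any(ip in net for net in APIM_SOURCE_NETS):
        return 403, "source is not the APIM gateway"

    # Option "Shared secret": compare in constant time so response timing
    # does not leak how many bytes of the secret matched.
    lowered = {name.lower(): value for name, value in headers.items()}
    presented = lowered.get(APIM_HEADER.lower(), "")
    if not hmac.compare_digest(presented.encode(), APIM_SHARED_SECRET.encode()):
        return 403, "missing or invalid gateway secret"

    return 200, "ok"
```

Because both checks are independent, a request that reaches the app from the right address but without the header (for example a compromised host in the same network range) is still rejected.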
1
I've personally used IP restrictions to great success. APIM is given a static IP, so you can set up an IP restriction in the "root API" that allows only the APIM calls. This results in a 403 if you call the root API directly.
If you don't want a 403 coming from the root API, you can use policies to change that, or you can set up authentication at the APIM level and you'll get a 401 before even hitting that 403.

ZE7EN