
I have a design issue that I've been struggling with in Azure. I have created a .NET Core API and deployed it as an App Service in Azure. On top of that, I have an instance of Azure API Management with OAuth 2 securing it. I was able to achieve this by following this tutorial:

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

So, the API Management instance is secured with policies and rate limiting, but the back-end URL is wide open and requires no authentication. What is the best process to secure the back-end URL?

Colbs

2 Answers


You can set the APIM public IP in the access whitelist of your App Service to make sure only APIM requests will be able to access your App Service. For how to set IP restrictions, you may refer to this doc: https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#adding-and-editing-ip-restriction-rules-in-the-portal

Stanley Gong
  • Does this mean third party apps will have to consume the API through the APIM instance and not the back-end URL? – Colbs Oct 29 '18 at 17:52
  • Yep, third party apps will be unable to access your App Service anymore except through APIM. – Stanley Gong Oct 31 '18 at 08:05
  • The Consumption tier of APIM does not have a static IP unfortunately. Is there another way to ensure access? – aaroncatlin Mar 05 '21 at 12:14
  • @aaroncatlin were you able to solve the dynamic IP issue of the consumption tier? – Manish Rawat Mar 10 '21 at 16:46
  • @ManishRawat Yes and no. In the App Service > Networking > Access Restrictions area you can now whitelist a Service Tag (currently in Preview). APIM traffic originates from the AzureCloud Service Tag, so you can easily whitelist those IPs. This does mean, however, that your App Service is open to traffic from all Azure Cloud sources, so additional security is recommended to ensure the traffic originates from trusted sources. – aaroncatlin Mar 11 '21 at 00:01
  • @aaroncatlin thanks for the info.. it's in preview mode so I will keep myself away. I couldn't understand why Azure doesn't simply allow us to restrict through managed identity. – Manish Rawat Mar 11 '21 at 00:45
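The comment above points out that allowing the AzureCloud service tag lets any Azure-hosted client reach the App Service, so a second check is needed to confirm the request really came through APIM. One common way to do that is to have APIM inject a header from a named value and have the backend verify it. The following is an added example for the asker's .NET Core backend, not code from the question, the answers, or Microsoft's docs. It assumes an APIM inbound policy `<set-header name="X-APIM-Secret" exists-action="override"><value>{{backend-shared-secret}}</value></set-header>` (the header name and the named value `backend-shared-secret` are assumptions) and that the same secret is stored in the App Service setting `Apim:SharedSecret`, ideally as a Key Vault reference.

```csharp
// Program.cs for the backend API (added example, not the asker's code).
// Assumptions: APIM sets the "X-APIM-Secret" header from a named value, and the
// App Service has the matching value in the "Apim:SharedSecret" app setting.
using System.Security.Cryptography;
using System.Text;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Defense in depth behind the IP / service-tag allow list: every request must
// carry the header that only APIM knows how to populate.
app.UseMiddleware<ApimOriginMiddleware>();

app.MapGet("/api/values", () => new[] { "value1", "value2" });
app.Run();

public sealed class ApimOriginMiddleware
{
    public const string HeaderName = "X-APIM-Secret"; // assumed header name

    private readonly RequestDelegate _next;
    private readonly ILogger<ApimOriginMiddleware> _log;
    private readonly byte[] _expected;

    public ApimOriginMiddleware(RequestDelegate next,
                                IConfiguration config,
                                ILogger<ApimOriginMiddleware> log)
    {
        _next = next;
        _log = log;
        // Fail closed at startup rather than silently accepting all traffic.
        var secret = config["Apim:SharedSecret"]
            ?? throw new InvalidOperationException("Apim:SharedSecret is not configured");
        _expected = Encoding.UTF8.GetBytes(secret);
    }

    public async Task InvokeAsync(HttpContext ctx)
    {
        if (!ctx.Request.Headers.TryGetValue(HeaderName, out var values)
            || values.Count != 1
            || !IsMatch(values.ToString()))
        {
            // Record the source address so direct-to-backend attempts show up
            // in App Service logs and can be alerted on.
            _log.LogWarning("Rejected {Path} from {Ip}: missing or invalid APIM header",
                            ctx.Request.Path, ctx.Connection.RemoteIpAddress);
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        await _next(ctx);
    }

    // Constant-time comparison so response timing does not leak the secret.
    // FixedTimeEquals returns false immediately on a length mismatch, which
    // only reveals the secret's length, not its content.
    private bool IsMatch(string presented)
    {
        var presentedBytes = Encoding.UTF8.GetBytes(presented);
        return CryptographicOperations.FixedTimeEquals(presentedBytes, _expected);
    }
}
```

The network restriction stays as the first layer; this middleware only narrows the AzureCloud-wide exposure that the service-tag rule leaves open. Rotating the secret means updating the APIM named value and the app setting together, and the warning log line gives you something to build a detection on if anything reaches the App Service without going through APIM.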

Another way would be to enable Private Endpoint on your App Service. This way, APIM can connect privately to the App Service without the need for public internet connectivity.

See more:

https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint

Sven