1

I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.

I am planning to publish REST API Service with Azure API Management.

I am adding Azure AD authentication to the Azure API Management front. So, the API management front is secured. All the steps are described here.

All good so far. Here is the question (or challenge?):

Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against the request calls other than the API Management Calls?

How does the backend service know the identity and AAD group claims of the incoming call, and how does it access those claims?

A link to a code sample or online documentation would be a great help.

Update

While there are some overlaps with the following question:

How to prevent direct access to API hosted in Azure app service

... part of this question is still outstanding:

How does the backend service know the identity and AAD group claims of the incoming call, and how does it access those claims?

Allan Xu
  • Possible duplicate of [How to prevent direct access to API hosted in Azure app service](https://stackoverflow.com/questions/52173908/how-to-prevent-direct-access-to-api-hosted-in-azure-app-service) – MKaz Nov 13 '18 at 07:45
  • @MKaz, please see my update. – Allan Xu Nov 13 '18 at 17:06
  • See https://stackoverflow.com/questions/52173908/how-to-prevent-direct-access-to-api-hosted-in-azure-app-service/52174736 – Vitaliy Kurokhtin Dec 03 '18 at 18:46

1 Answer

0

You can enable static IP restriction on your WebApp to only allow incoming traffic from the public-facing VIP of your APIM Service (keep in mind that in some specific scenarios the VIP may change, and you will be required to update the whitelist again).

Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App

https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions

Jolei
  • How do I know which IP range comes from APIM? Is there any official IP list for Azure Services in every region? – Allan Xu Nov 14 '18 at 04:05
  • Go to the Overview blade for your API Management instance and look for the "Virtual IP (VIP) addresses" property. If it lists a private IP address(es), then whitelist those [you are most likely joined to a VNET]; if not, whitelist the public address. – Peter Sep 24 '19 at 13:12
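The answer covers the platform-level IP restriction; the outstanding part of the question (how the backend sees the caller's identity and AAD group claims) is usually solved by having the backend validate the same AAD bearer token that APIM forwards. The following ASP.NET Core `Program.cs` is an added example written for this thread, not code from the questioner, the answerer, or Microsoft. It combines both layers in the app itself: a source-IP check against the APIM VIP as defence in depth behind the App Service restriction, and JWT bearer validation that exposes the `oid`, `name` and `groups` claims to an endpoint. It assumes .NET 6+ with implicit usings, the `Microsoft.AspNetCore.Authentication.JwtBearer` package, and placeholder values (the `203.0.113.10` VIP, the tenant ID and the API app registration ID are constructed placeholders to be replaced with your own).

```csharp
using System.Net;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder values (assumptions): take the VIP from the "Virtual IP (VIP) addresses"
// property on the APIM Overview blade, and the IDs from your own AAD app registration.
IPAddress[] allowedApimVips = { IPAddress.Parse("203.0.113.10") }; // constructed example address
const string TenantId = "<your-tenant-id>";
const string ApiClientId = "<your-backend-api-app-registration-id>";

// Defence in depth: the backend re-validates the AAD bearer token that APIM already
// checked, so a request that somehow reaches the Web App directly still needs a valid token.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";
        options.MapInboundClaims = false; // keep the raw JWT claim names: "oid", "name", "groups"
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = $"https://login.microsoftonline.com/{TenantId}/v2.0",
            // v2.0 tokens carry the client ID as audience, v1.0 tokens the App ID URI
            ValidAudiences = new[] { ApiClientId, $"api://{ApiClientId}" },
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();

// App Service front ends terminate the connection and append the real client address to
// X-Forwarded-For. ForwardedLimit = 1 reads only the rightmost (front-end supplied) entry,
// so a value a client forged into the header is ignored. KnownNetworks/KnownProxies are
// cleared because the front-end addresses are not loopback; this is only acceptable because
// nothing but the App Service front end can reach the application process.
var forwarded = new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
    ForwardedLimit = 1,
};
forwarded.KnownNetworks.Clear();
forwarded.KnownProxies.Clear();
app.UseForwardedHeaders(forwarded);

// Application-level allowlist: reject anything whose (forwarded) source is not the APIM VIP.
app.Use(async (context, next) =>
{
    if (!IsAllowedSource(context.Connection.RemoteIpAddress, allowedApimVips))
    {
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        return;
    }
    await next(context);
});

app.UseAuthentication();
app.UseAuthorization();

// Shows the identity and group claims the backend now sees from the validated token.
app.MapGet("/me", (ClaimsPrincipal user) =>
{
    var groups = user.FindAll("groups").Select(c => c.Value).ToArray();
    return Results.Ok(new
    {
        oid = user.FindFirst("oid")?.Value,
        name = user.FindFirst("name")?.Value,
        groups,
    });
}).RequireAuthorization();

app.Run();

// Normalises IPv4-mapped IPv6 addresses so "::ffff:203.0.113.10" matches "203.0.113.10".
static bool IsAllowedSource(IPAddress? remote, IPAddress[] allowList)
{
    if (remote is null) return false;
    if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();
    return allowList.Contains(remote); // IPAddress implements value equality
}
```

Two caveats a practitioner will hit: the `groups` claim is only emitted if the app registration's token configuration asks for it, and a user in many groups gets a group-overage indicator instead of the list, so code that authorises on groups must handle the absent claim rather than treat it as "no groups". Also, the in-app IP check and the App Service IP restriction share the same weakness the answer notes: when the APIM VIP changes, both allowlists must be updated.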