We have a simple ASP.NET Core service. We would like to expose it to subscribers with some kind of key protection. But how do we protect the ASP.NET Core API service from being used directly? How do you normally make sure that only the API Management instance can call the service, and that subscribers can reach it only through API Management?
1 Answer
I assume that you have understood "Protect a web API backend in Azure API Management by using OAuth 2.0 authorization with Azure AD".
What you want is to restrict users to accessing your API only through APIM.
There are a few options:
- Set a certain header/value in APIM and check it in your backend API.
- Configure IP restrictions in your web API and set them to the VIP of your APIM instance.
See a similar post here.
UPDATE:
Adding two more methods, based on this answer:
- Secure back-end services using client certificate authentication in Azure API Management
- Put APIM and backend API in the same VNET (stop access from outside) to protect the API.

Allen Wu
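The first two options in the answer above (a gateway-injected header checked by the backend, plus an IP allowlist for the APIM VIP) can be combined in one ASP.NET Core middleware. The following is an added example, not code from the answer or from Microsoft's documentation. It assumes a header name of `X-Gateway-Secret`, that the secret lives in configuration under `Gateway:SharedSecret` (in APIM it would be a named value injected with a `set-header` policy, shown in the comment), and placeholder addresses from the TEST-NET-3 and 10.0.0.0/8 ranges for the APIM VIP and an optional load balancer in front of the API. Both checks must pass; a failure returns a bare 403 so a direct caller learns nothing about which check failed.

```csharp
// Added example: gate an ASP.NET Core minimal API so that only requests coming
// from the APIM VIP AND carrying the APIM-injected shared-secret header are served.
//
// Matching APIM inbound policy (assumed; {{backend-shared-secret}} is a named value):
//   <inbound>
//     <base />
//     <set-header name="X-Gateway-Secret" exists-action="override">
//       <value>{{backend-shared-secret}}</value>
//     </set-header>
//   </inbound>
using System.Net;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Assumed header name and configuration key. Never hard-code the secret itself;
// read it from configuration (ideally backed by Key Vault) so it can be rotated.
const string GatewayHeader = "X-Gateway-Secret";
byte[] expectedSecret = Encoding.UTF8.GetBytes(
    app.Configuration["Gateway:SharedSecret"]
    ?? throw new InvalidOperationException("Gateway:SharedSecret is not configured"));

// Hypothetical APIM public VIP (TEST-NET-3 documentation range). Only tiers with a
// stable outbound VIP can use this check; if APIM has no fixed IP, rely on the
// header, client-certificate or VNET options instead.
IPAddress[] allowedSources = { IPAddress.Parse("203.0.113.10") };

// Only needed when the API itself sits behind a load balancer or reverse proxy:
// trust X-Forwarded-For solely from that known proxy (hypothetical 10.0.0.4).
// Without KnownProxies, anyone could spoof the forwarded address.
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor,
    KnownProxies = { IPAddress.Parse("10.0.0.4") }
});

app.Use(async (context, next) =>
{
    // Normalise IPv4-mapped IPv6 addresses (::ffff:203.0.113.10) before comparing.
    IPAddress? remote = context.Connection.RemoteIpAddress;
    if (remote is not null && remote.IsIPv4MappedToIPv6)
        remote = remote.MapToIPv4();
    bool ipOk = remote is not null && Array.Exists(allowedSources, a => a.Equals(remote));

    // Exactly one header value is accepted; compare in fixed time so a direct
    // caller cannot recover the secret byte by byte through response timing.
    bool headerOk = false;
    if (context.Request.Headers.TryGetValue(GatewayHeader, out var values) && values.Count == 1)
    {
        byte[] presented = Encoding.UTF8.GetBytes(values[0] ?? string.Empty);
        headerOk = CryptographicOperations.FixedTimeEquals(presented, expectedSecret);
    }

    if (!ipOk || !headerOk)
    {
        // Uniform response for both failure modes: do not reveal which check failed.
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        await context.Response.WriteAsync("Forbidden");
        return;
    }

    await next(context);
});

app.MapGet("/hello", () => "Hello from the backend, via APIM");

app.Run();
```

Register the middleware before any endpoint or authorization middleware so nothing else runs for a rejected request. The header check alone is only as strong as the secret's confidentiality (rotate it through the APIM named value and the backend configuration together), and the IP check alone is only as strong as the assumption that nobody else shares that VIP; using both, or moving to the client-certificate or VNET approach from the answer, removes the single point of failure.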