
I am using the below design to secure communication between Azure Function and Web API


  • Step 1 - Request token from AD
  • Step 2 - Use token to request web api

Code to call the API

   using System;
   using System.Net.Http;
   using System.Threading.Tasks;
   using Microsoft.AspNetCore.Http;
   using Microsoft.AspNetCore.Mvc;
   using Microsoft.Extensions.Logging;
   using Newtonsoft.Json;

   // Assumed shape of the managed identity token response; only the field used below is declared.
   public class TokenResp
   {
     public string access_token { get; set; }
   }

   // The enclosing class name is assumed; the original snippet showed only the method.
   public static class CallApiFunction
   {
     public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
     {
       log.LogInformation("C# HTTP trigger function processed a request.");
       // Local managed identity endpoint and header injected into the function's environment
       var endpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
       var identity_header = Environment.GetEnvironmentVariable("IDENTITY_HEADER");

       // Step 1 - request a token for the API's AD app (the resource / audience ID)
       var resource = "4df52c7e-3d6f-4865-a499-cebbb2f79d26"; //how to secure this ID
       var requestURL = endpoint + "?resource=" + resource + "&api-version=2019-08-01";

       HttpClient httpClient = new HttpClient();
       httpClient.DefaultRequestHeaders.Add("X-IDENTITY-HEADER", identity_header);
       HttpResponseMessage response = await httpClient.GetAsync(requestURL);
       response.EnsureSuccessStatusCode();

       string responseBody = await response.Content.ReadAsStringAsync();
       var access_token = JsonConvert.DeserializeObject<TokenResp>(responseBody).access_token;

       // Step 2 - call the web API, presenting the token as a bearer credential
       var APIURL = "https://frankapp.azurewebsites.net";
       HttpClient callAPI = new HttpClient();
       callAPI.DefaultRequestHeaders.Add("Authorization", "Bearer " + access_token);
       HttpResponseMessage APIResponse = await callAPI.GetAsync(APIURL);
       return new OkObjectResult(APIResponse.StatusCode);
     }
   }

Question

The solution works as planned. However, I see a security loophole here. That is, any Azure Function that has the above code or resource ID can call this API!

How can I solve this security issue? How can I make only listed Azure Functions able to call the API?

kudlatiger
  • If you want only some specific Azure Function (managed identity) to be able to access your API, you can check the access token claims from the function request. For instance, if your web API only allows a managed identity with a specific object ID to access it, you can check the oid (object ID of the managed identity) claim of the access token. You can also define an IP whitelist for your API app: https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#manage-access-restriction-rules-in-the-portal – Stanley Gong Apr 02 '21 at 06:16

2 Answers


There are several solutions to secure the API App. As mentioned in the comment, you could validate the token via its claims, use the access restriction rules, etc.

From your code, it uses the MSI (managed identity) to get the token for the AD App of the API App, then uses the token to call the API. In this case, I recommend you use the User assignment required setting to restrict access to the API App. After doing the steps below, only the MSI of the function can get the token for the API App; there is no need to do anything else.

1. Navigate to the AD App of your API App in the Azure Active Directory in the portal -> click the Managed application in local directory -> Properties -> set the User assignment required to Yes.

2. Create a security group in AAD and add the MSI service principal as a member of it, then add the group to the Users and groups; then the MSI will also be able to call the function. (For a user, it can be added directly; MSI is different, you need to use this nested way, or leverage the App role.)

After the steps above, only the MSI added to the Users and groups can get the token successfully and call the API. There are two similar issues I have answered, here and here. In the two posts, they want to secure the function app; in your case, it is the same logic.

Joy Wang
  • Does this line have a typo? "then add the group to the Users and groups" - adding a group to the group? Step 2 is slightly unclear. – kudlatiger Apr 02 '21 at 13:07
  • @kudlatiger It is not a typo, `Users and groups` is a blade in the enterprise application page, see the image in step 2. – Joy Wang Apr 02 '21 at 13:49
  • @kudlatiger We could not add the MSI directly to it, so we need to create a security group in AAD, add the MSI to the group, then add the group to the `Users and groups` blade. – Joy Wang Apr 02 '21 at 13:56
  • I was on a dental treatment break, I shall try it out today and keep you posted. – kudlatiger Apr 06 '21 at 09:22

Security between an Azure Function and an API app using AAD can be done in multiple ways:

  1. Claims in the access token
  2. Whitelist the IP ranges where the Azure Function is hosted, deny all others.
  3. Users and groups policy in AAD as a security group.
  4. Put the App Service and the Azure Function in a single VNET (though that restricts multi-region deployments)
  5. Object ID verification

Read more: https://www.tech-findings.com/2020/01/securing-function-app-with-azure-active-directory.html

Biplab Sah
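The claims check suggested in the question's comment and listed above as options 1 and 5, written out as an added example that is not code from the original post or any of the answers: an ASP.NET Core authorization policy on the Web API that accepts a bearer token only when its oid claim matches one of the listed managed identity object IDs. It assumes Microsoft.Identity.Web is referenced, the API's app registration is configured under an "AzureAd" section, and the allowed object IDs are read from a configuration key named AllowedCallerObjectIds (a name chosen for this example).

```csharp
// Added example, not from the original post. Single Program.cs in the Web API project.
// Assumes Microsoft.Identity.Web is referenced, "AzureAd" holds the API app registration,
// and "AllowedCallerObjectIds" (a key name chosen here) lists permitted managed identity object IDs.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validates the signature, issuer and audience of the bearer token issued for this API.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

var allowedIds = builder.Configuration.GetSection("AllowedCallerObjectIds").Get<string[]>()
                 ?? Array.Empty<string>();
builder.Services.AddSingleton<IAuthorizationHandler, AllowedCallerHandler>();
builder.Services.AddAuthorization(options =>
    options.AddPolicy("AllowedCallers", policy => policy
        .RequireAuthenticatedUser()
        .AddRequirements(new AllowedCallerRequirement(allowedIds))));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Every endpoint that must be reachable only from the listed functions gets this policy.
app.MapGet("/", () => "ok").RequireAuthorization("AllowedCallers");
app.Run();

public sealed class AllowedCallerRequirement : IAuthorizationRequirement
{
    public IReadOnlySet<string> AllowedObjectIds { get; }
    public AllowedCallerRequirement(IEnumerable<string> ids) =>
        AllowedObjectIds = ids.ToHashSet(StringComparer.OrdinalIgnoreCase);
}

public sealed class AllowedCallerHandler : AuthorizationHandler<AllowedCallerRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, AllowedCallerRequirement requirement)
    {
        // oid is the object ID of the identity the token was issued to. Depending on claim
        // mapping it arrives under the short or the long claim type, so check both.
        var oid = context.User.FindFirst("oid")?.Value
               ?? context.User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
        if (oid is not null && requirement.AllowedObjectIds.Contains(oid))
            context.Succeed(requirement);
        // Any other token, even a valid one for this audience, leaves the requirement unmet (403).
        return Task.CompletedTask;
    }
}
```

A valid token for the API's resource ID from an unlisted managed identity still passes authentication but fails this policy, which is exactly the gap the question describes.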