How to prevent direct access to API hosted in Azure app service

Deadly, posted 2019-12-05 20:17:33

There are a few options of various levels of security:

  1. Shared secret - set a certain header with a certain value in APIM and check that value at your backend.
  2. IP filter - check for APIM IP as a source at backend.
  3. Client certificate auth - upload a client cert auth to APIM and attach it to every request to backend. Check for that cert at backend.
  4. VNET - put APIM and your backend into same VNET and block access from outside to backend.

I've personally used IP restrictions to great success. APIM is given a static IP, so you can set up an IP restriction in the "root API" that allows only the APIM calls. This results in a 403 if you call the root API directly.

If you don't want a 403 coming from the root API, you can use policies to change that, or you can set up authentication at the APIM level and you'll get a 401 before even hitting that 403.
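The first two options in the answer (shared-secret header and source-IP filter) both come down to a check the backend runs before handling the request. The following is an added example, not code from the answer or from Azure; it sketches that backend-side check in plain Python. The header name `X-Backend-Secret`, the placeholder secret, and the APIM address `203.0.113.10` are constructed values, not anything from the original post, and in a real deployment the secret would come from App Service settings or Key Vault and the IP from the APIM overview blade.

```python
import hmac
import ipaddress
import os

# Constructed placeholders (not from the original answer). The header name is
# whatever you configure APIM's set-header policy to inject; the secret should
# be read from App Service settings / Key Vault rather than hard-coded.
SECRET_HEADER = "x-backend-secret"
SHARED_SECRET = os.environ.get("BACKEND_SHARED_SECRET", "constructed-example-secret")

# Placeholder for APIM's static outbound IP (option 2 in the answer).
APIM_ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.10/32")]


def check_shared_secret(headers: dict) -> bool:
    """Option 1: compare the header APIM injects against the backend's secret.

    Header names are matched case-insensitively and the comparison is
    constant-time so the check does not leak how many bytes matched.
    """
    normalized = {k.lower(): v for k, v in headers.items()}
    presented = normalized.get(SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode(), SHARED_SECRET.encode())


def check_source_ip(remote_addr: str, allowed=None) -> bool:
    """Option 2: accept only requests whose source address is APIM's static IP."""
    allowed = APIM_ALLOWED_NETWORKS if allowed is None else allowed
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        # Malformed or empty address: fail closed.
        return False
    return any(addr in net for net in allowed)


def authorize(headers: dict, remote_addr: str) -> int:
    """Return the HTTP status the backend should answer with.

    200 when both the source-IP and shared-secret checks pass, otherwise 403,
    mirroring the 403 the answer describes for direct calls to the root API.
    """
    if not check_source_ip(remote_addr):
        return 403
    if not check_shared_secret(headers):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed sample requests: one via APIM, one direct to the backend.
    via_apim = ({"X-Backend-Secret": "constructed-example-secret"}, "203.0.113.10")
    direct = ({}, "198.51.100.7")
    print("via APIM:", authorize(*via_apim))  # 200
    print("direct:  ", authorize(*direct))    # 403
```

Two caveats worth keeping in mind when applying this inside App Service: the platform's own access restrictions (what the answer uses) evaluate the original client address and are enforced before your code runs, so they are the preferred place for the IP rule; and if you do check the address in code, make sure you read the value the platform's front end reports for the client rather than the front end's own address, or every request will look like it came from the platform. The secret check is the layer to add when you want protection that does not depend on APIM's outbound IP staying fixed.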
