Question
I have multiple Web APIs deployed in Azure without any authentication applied, so anyone who has access to the internet has access to the Web APIs.
Now I would like to apply authentication to the Web APIs. Instead of implementing the same authentication logic in different Web APIs, I found that Azure API gateway (API Management) is a potential solution.
From the Azure API Management documentation, I learned I can apply policies like validate-jwt to authenticate requests to the back-end Web APIs. However, the endpoints of the back-end Web APIs are still available to users.
So, how should I hide them? Must I define a subnetwork, or does Azure API Management have a feature for this?
Answer 1:
Recently I also had this same problem. Finally I found the solution by using the 'IP Restrictions' function. See the following steps:
1) Go to your API Management Overview page in the Azure portal and copy the VIP.
2) In your Web App > Networking
3) Paste in your VIP
Answer 2:
Microsoft's solution: How to secure back-end services using client certificate authentication in Azure API Management
Using this approach, any attempt to access a back-end service without the required certificate will result in a 403 - Forbidden response.
You can use a self-signed certificate as opposed to using a trusted CA signed certificate ($$). I chose to implement an Azure Key Vault where I generated a new certificate, downloaded it as a *.PFX file, and uploaded it into my API Management instance as described in the article.
Answer 3:
Here is an answer from @PramodValavala-MSFT
https://github.com/MicrosoftDocs/azure-docs/issues/26312#issuecomment-470105156
Here are options:
- IP restrictions (as described by @redman)
- Function keys
- Authentication/Authorization for Functions
- Managed Identity for APIM
P.S. In my case I went with IP restrictions since it allows keeping all of the auth on the API Management gateway.
Answer 4:
Or you could use:
- Basic auth
- Mutual certificate auth
- VPN
to secure Azure API Management service communication with your backend service.
Answer 5:
Look into setting up TLS on Azure API Management so that all connections to your backend API must come through the API proxy.
Answer 6:
Azure API Management cannot modify your backend service. Its role is limited to being a proxy.
You will have to apply authentication to each Web API or configure your firewall to accept requests only from Azure APIM.
Answer 7:
Is your backend app an Azure Function app or an App Service app?
If so, Managed Identity may be the simplest way to restrict access. There is no need to store client secrets/certificates in API Management, and it is not as flaky as the IP whitelisting method.
- Create an Azure Active Directory Application for the Function App.
- Enable Authentication/Authorization module on the Function App and reference the AAD app from step 1.
- Enable a Managed Identity on the APIM instance.
- Add an <authentication-managed-identity> policy to the APIM instance and reference the AAD app from step 1.
I've blogged about this approach in more detail in "Restrict Azure Functions to API Management with Terraform".
Reference:
- Use managed identities in Azure API Management
- Configure your App Service or Azure Functions app to use Azure AD login
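Putting the two policies this thread mentions together, here is an added example of an APIM inbound policy (it is not code from the answer above or from the linked blog): it rejects callers without a valid JWT for the API, then uses the gateway's managed identity to obtain a token for the backend's AAD app and forwards it in place of the caller's token. The tenant id and the two application ids are placeholders.

```xml
<policies>
  <inbound>
    <base />
    <!-- Caller-facing auth (the validate-jwt policy from the question):
         reject requests that do not carry a valid Bearer token issued by
         the tenant for this API. {tenant-id} and {api-app-id} are placeholders. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  require-scheme="Bearer">
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://{api-app-id}</audience>
      </audiences>
    </validate-jwt>

    <!-- Backend-facing auth (step 4 of the answer above): acquire a token for
         the AAD app registered for the Function App (step 1) using the APIM
         instance's managed identity (step 3). {backend-aad-app-id} is a placeholder. -->
    <authentication-managed-identity resource="api://{backend-aad-app-id}"
                                     output-token-variable-name="msi-token"
                                     ignore-error="false" />

    <!-- Replace the caller's token with the managed-identity token so the
         Function App's Authentication/Authorization module (step 2) accepts
         only traffic that came through the gateway. -->
    <set-header name="Authorization" exists-action="override">
      <value>@("Bearer " + (string)context.Variables["msi-token"])</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

The backend is only "hidden" because step 2 makes the Function App reject requests without a token for that AAD app; the gateway policy by itself does not stop direct calls to the backend URL.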
Source: https://stackoverflow.com/questions/36764654/make-back-end-apis-only-accessible-via-azure-api-management