Make back end APIs only accessible via Azure API management

半世苍凉 提交于 2021-01-20 16:50:10

问题


I have multiple Web APIs deployed in Azure without applying authentication, so anyone has access to internet has the access to the Web APIs.

Now I would like to apply authentications to the Web APIs, instead of implementing the same authentication logic in different Web APIs, I found Azure API gateway (API management) is a potential solution.

With Azure API management documentation, I learned I can apply policies like validate-jwt to authenticate requests to back end Web APIs. However, endpoints of the back end Web APIs are still available to users.

So, how should I hide them? Must I define a sub network or does Azure API management have a feature for this?


回答1:


Recently I also had this same problem. Finally I found the solution by using 'IP Restrictions' function. See the following steps:

1) Go to your API management Overview page in Azure portal, copy the VIP.

2) In your Web APP > Networking

3) Paste in your VIP




回答2:


Microsoft's Solution: How to secure back-end services using client certificate authentication in Azure API Management

Using this approach, any attempt to access a back-end service without the required certificate will result in a 403 - Forbidden response.

You can use a self-signed certificate as opposed to using a trusted CA signed certificate ($$). I chose to implement an Azure Key Vault where I generated a new certificate, downloaded it as a *.PFX file, and uploaded it into my API Management instance as described in the article.




回答3:


Here is an answer from @PramodValavala-MSFT
https://github.com/MicrosoftDocs/azure-docs/issues/26312#issuecomment-470105156

Here are options:

  • IP restrictions (as described by @redman)
  • Function keys
  • Authentication/Authorization for Functions
  • Managed Identity for APIM

p.s. in my case I want with IP restrictions since it allows to keep all of the auth on the API Management Gateway.




回答4:


Or you could use:

  1. Basic auth
  2. Mutual certificate auth
  3. VPN

to secure Azure API Management service communication with your backend service.




回答5:


Look into setting up TLS on Azure API Management so that all connections to your backend API must come through the API proxy.




回答6:


Azure API management cannot modify your backend service. It's role is limited to being a proxy.

You will have to apply authentications to each Web API or configure your firewall to accept requests only from Azure APIM.




回答7:


Is your backend app an Azure Function app or an App Service app?

If so, Managed Identity may be the simplest way to restrict access. No need to store client secrets/certificates in the API Management + not as flaky as IP whitelisting method.

  1. Create an Azure Active Directory Application for the Function App.
  2. Enable Authentication/Authorization module on the Function App and reference the AAD app from step 1.
  3. Enable a Managed Identity on the APIM instance.
  4. Add a <authentication-managed-identity> policy to the APIM and reference the AAD app from step 1.

I've blogged about this approach in more detail in Restrict Azure Functions to API Management with Terraform

Reference:

  • Use managed identities in Azure API Management
  • Configure your App Service or Azure Functions app to use Azure AD login


来源:https://stackoverflow.com/questions/36764654/make-back-end-apis-only-accessible-via-azure-api-management

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!