This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 47%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
One Azure App service hosts a asp.net core API, another different Azure app service hosts a Web app. The web app can be accessed by end users that don't need to sign in (public). The web app calls the API. How can the API access can be restricted so that only the web app hosted in Azure can make calls, but end users cannot directly call the API end points, but the end users can still access the website (webapp)?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 24%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Add IP/domain based restrictions that only the ip of web should be allowed to access the API under cors settings.
Thanks AliSufyan for the suggestion. Is there any other way/s to achieve this than adding IP restrictions as IP addresses in App service could change.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 59%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
If your requirement fits, you may try Service Endpoints. With service endpoints, to ensure inbound traffic to your API app comes only from the subnet used by your web app. The process for setting service endpoints is similar to the process for setting IP access restrictions. You can build an allow/deny list of access rules that includes public addresses and subnets in your virtual networks.
Considering Sneha's answer or mine, both are relatively similar but again depends upon your level of comfort with both
On the Web Api, enable the Private Endpoints feature. This will disable all public access and restrict access from within the VNET. This feature will require an unused subnet, which will then be used to allocate an inbound private IP Address
Hi Aqilancd,
A bit late but, see this, might help
https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies
Use Azure Api management