Easiest way to secure API hosted on App Service to be called only from APIM?

Pitawat 351 Reputation points
2021-08-26T11:28:48.343+00:00

I have an API hosted on Azure App Service which can be called from API Management (Basic tier). I'd like to block all requests that call the App Service URL directly (*.azurewebsites.net).

I read through Microsoft Learn and found a few methods to achieve this (with some concerns after the => symbol):

  • Set Access Restriction on App Service to allow APIM IP only. => Does not restrict to my particular APIM instance as the IP is shared
  • mTLS authentication from APIM to App Service => Tried it and it works, but needs to change the code to verify only my certificate supplied from APIM. I don't want to change my code. If I set App Service to "require" incoming client certificate but not verifying the certificate in my code, anyone can call my API directly by just supplying any random certificate. Am I right?
  • Use Azure AD => I don't quite understand this method. I followed the documentation and it didn't work. If using Azure AD, what I want is to let APIM authenticate and access the App Service using managed identity. Is this possible? I think this is the easiest way but couldn't find any documentation.
  • Put App Service in VNET => Not possible for my situation as APIM Basic tier does not support VNET integration

What are the options I have to achieve this? Thanks.


Accepted answer
  1. MayankBargali-MSFT 70,936 Reputation points Moderator
    2021-08-30T07:12:04.557+00:00

    @Pitawat Your first option is possible as the VIP is static for the Basic tier, as mentioned in this document, with certain exceptions as mentioned in the document. But if you are in the Consumption tier then it is not static.

    Your third and fourth options are not supported in either the Basic or the Consumption tier, as mentioned in the APIM features document.

    Your second option is another possible solution apart from the first option when you are using the Basic tier. As you have mentioned, this will need code changes at the app service end, where APIM will pass the certificate and the app service needs to validate this certificate. If you are not validating the certificate at the app service end then anyone can pass any certificate to bypass it.

    Alternatively, if you don't want to use the certificate, you can use a shared secret between APIM and the app service. Your APIM will set a certain header with a certain value using policy, and you need to check this header at the app service end and validate it against the secret shared between the two.

    For the Basic tier, if you don't want the App Service URL (*.azurewebsites.net) to be accessed directly, then you can go with the first or second option.
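As an added illustration of the shared-secret header approach described in the answer (example code written here, not from the post or from Microsoft's documentation), this shows the App Service side of the check in Python, with the matching APIM inbound policy as a comment; the header name `X-Gateway-Secret` and the named value `backend-shared-secret` are assumed names.

```python
import hmac

# Constructed APIM inbound policy for this example. The secret comes from an
# APIM named value so it is not hard-coded into the policy document:
#
#   <inbound>
#     <base />
#     <set-header name="X-Gateway-Secret" exists-action="override">
#       <value>{{backend-shared-secret}}</value>
#     </set-header>
#   </inbound>

HEADER_NAME = "X-Gateway-Secret"


def request_is_from_gateway(headers, expected_secret):
    """Return True only if `headers` carries the shared secret.

    `headers` maps header name -> value; lookup is case-insensitive because
    proxies may change header casing. hmac.compare_digest is used so the
    comparison time does not depend on how many leading bytes matched.
    """
    if not expected_secret:
        # Missing configuration: reject everything rather than accept everything.
        return False
    supplied = None
    for name, value in headers.items():
        if name.lower() == HEADER_NAME.lower():
            supplied = value
            break
    if supplied is None:
        return False
    return hmac.compare_digest(supplied.encode(), expected_secret.encode())


class GatewayOnly:
    """WSGI middleware that returns 403 unless the request came via APIM."""

    def __init__(self, app, secret):
        self.app = app
        self.secret = secret

    def __call__(self, environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME>, dashes turned to underscores.
        key = "HTTP_" + HEADER_NAME.upper().replace("-", "_")
        headers = {HEADER_NAME: environ[key]} if key in environ else {}
        if not request_is_from_gateway(headers, self.secret):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Direct access to this backend is not allowed\n"]
        return self.app(environ, start_response)
```

Wrap the existing WSGI app as `GatewayOnly(app, secret)` with the secret read from an App Service application setting, so the same value lives in APIM's named value and in the app configuration.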

