Architecture for Secure User Access with Azure B2C and Azure API Management

hampton123 1,175 Reputation points
2023-09-06T16:12:34.63+00:00

I'm planning to create an API Management instance where users can securely access my APIs through B2C, with access restricted to those who sign in using pre-made accounts. To achieve this, I'd like to understand the recommended architectural approach and best practices for integrating Azure B2C with Azure API Management (to be specific, I'm using an Azure Function that uses Node.js inside of Azure APIM). What considerations should I keep in mind when designing this system to be extremely secure? Any insights into the architecture, potential configurations, and key components involved would be highly valuable. Thank you in advance for your help, and please let me know if anything needs any clarification!


Accepted answer
Thomas Meads 1,586 Reputation points
2023-09-13T20:26:05.2366667+00:00

Hi (sorry for waiting this long to reply!),

Looking over the components, here are a few recommendations, though this list is not exhaustive.

• Use OAuth for all calls to APIM; this would mean setting up an App Registration that can be used via B2C policies
• Enforce HTTPS and TLS 1.3
• Enforce HTTPS on the Azure Function
• Turn FTP on the Azure Function or use SFTP
• Put the APIM instance and Azure Function in a VNet if using a tier that supports it
• If not, IP-restrict the Azure Function to the VIP of the APIM instance

This is making the assumption that it is B2C calling the APIM instance and not users in that B2C instance. If it is users, then also include:

• APIs should be accessed via OAuth or another secure standard (stay away from API keys)
• Apply rate limiting (use products if needed)
• Put the APIM instance behind Azure Front Door (then enable HSTS, Azure Firewall, rate limiting at this level, etc.)
• If put behind Azure Front Door, a VNet is needed to force calls through the Front Door instance, or a Private Endpoint (I think these are supported)

Hope this is what you were looking for. If you want me to expand on more points here let me know.
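An APIM inbound policy that puts the OAuth, HTTPS and rate-limiting recommendations from the answer above into practice, added here as an illustration and not part of the original answer or of any Microsoft sample. The `{tenant}`, `{tenant-id}`, `{user-flow}` and `{api-app-registration-client-id}` values, the `access_as_user` scope name and the `function-host-key` named value are placeholders for your own B2C tenant, user flow, API app registration and Function key.

```xml
<!-- Inbound policy for the API that fronts the Node.js Function (added example; values in {braces} are placeholders) -->
<policies>
    <inbound>
        <base />
        <!-- Belt-and-braces: reject plain HTTP even if the API's protocol setting is ever relaxed -->
        <choose>
            <when condition="@(context.Request.OriginalUrl.Scheme != "https")">
                <return-response>
                    <set-status code="403" reason="HTTPS required" />
                </return-response>
            </when>
        </choose>
        <!-- Validate the B2C-issued bearer token: signing keys come from the user flow's OpenID metadata,
             and the audience/issuer checks stop tokens minted for other apps or tenants from being accepted -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      failed-validation-httpcode="401" failed-validation-error-message="Unauthorized"
                      require-expiration-time="true" require-signed-tokens="true">
            <openid-config url="https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user-flow}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>{api-app-registration-client-id}</audience>
            </audiences>
            <issuers>
                <issuer>https://{tenant}.b2clogin.com/{tenant-id}/v2.0/</issuer>
            </issuers>
            <required-claims>
                <claim name="scp" match="any">
                    <value>access_as_user</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Per-user rate limit keyed on the token subject (falls back to caller IP), so one account cannot exhaust the quota for others -->
        <rate-limit-by-key calls="100" renewal-period="60"
                           counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject ?? context.Request.IpAddress)" />
        <!-- The Function host key lives in an APIM named value and is injected here; clients never see it,
             and the Function itself is IP-restricted to the APIM VIP so the key alone is not enough to reach it -->
        <set-header name="x-functions-key" exists-action="override">
            <value>{{function-host-key}}</value>
        </set-header>
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>
```

Apply it at the API scope so every operation inherits it, and keep the Function's own HTTPS-only and IP-restriction settings in place since the policy protects only traffic that actually enters through APIM.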

