How to Secure Backend api app in Azure App Services

Kuldeep Singh(OT) 65 Reputation points
2024-06-24T08:01:19.4133333+00:00

Hi Team, we use Azure Managed Service - Azure web app and api app for application deployment on azure.

Frontend apps are hosted on web app and they are publicly accessible.

Backend api are hostend on api app its also publicly accessible.

then in last we have DB, which listen from Backend apis.

My concern is that how can i secure my backend api app, so that i can be only accessible via frontend apps.

one Method i found to use cors, but to use cors but then devloer can access the api directly.

Can anyone suggests me what we can do best here to achieve security and also devloper work not get stopped.

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,361 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Ben Gimblett 3,845 Reputation points Microsoft Employee
    2024-06-24T10:45:11.1133333+00:00

    Hi - Thanks for the question
    CORS is about cross origin management (http and requests to different domains)

    In this context you can consider a few things

    But there's two things you should always ensure.
    (1) End to end transport security - each hop is over TLS etc
    (2) Strong auth - either cert or oauth2

    Options
    (1) Use the outbound Ips of the frontend App and access restrictions on the backend API (this is only necessary when the apps are not on the same plan or where the plans are not showing the same outbound Ips (meaning they're on the same webspace/stamp)
    However the problem with this is that you are "allow listing" not only your traffic but also other users of the same webspace/stamp.
    One alternative is to host single tenant (App Service Environment v3) but this is expensivre
    Another is to VNET integrate the web app to a subnet in a VNET and use a AZ NAT Gateway
    (but again this adds cost)

    (2) VNET Integrate the front end to a VNET subnet (again, this is for outbound calls ) and have both API and DB answer on a private endpoint - you would need to disable public access for both - if using Az PaaS this is via the software firewall (Web App = Access restrictions, SQL DB PaaS for example also has a software firewall)
    There is a small cost associated with Private endpoints

    (3)
    A variation on the above is to VNET integrate the front end but use "Service Endpoints" on that subnet locking the public endpoint for both API and DB to the front ends VNET Subnet on the public endpoint of each
    This avoids the small private endpoint charge but in theory you still address on a public IP for the API and DB both - it's just that they wont accept traffic from anywhere but your front end as controlled by the software firewall for each

    I can provide you some doc links - so let us know if you have further queries on any of the above by using the comments