how to properly secure backend API on public operations

Sheldon Lyttle 21 Reputation points
2021-05-31T17:18:44.82+00:00

I have a series of API operations that I want to host in Azure and expose through API Management (APIM) as a single product. The API implements its own security and authorization through the use of java web tokens but I don't want any of the backend APIs accessible to the general public through the application service endpoint. Instead I want to implement a custom domain, and expose them through APIM. Some operations should be accessible to the world, while others should be only available to our internal users, but they all relate to the same product.

I don't really want to use VNets because that forces you to use the premium tier pricing model.

I have gone through the documentation that talks about securing API backends using OAuth2, but that appears to require all users to provide a subscription.

Basically what I want is to have my cake and eat it too... more precisely:

a) no one can call the backend APIs from the internet, but I can still call them from our on-prem network for testing and debugging (and APIM can call them of course)

b) everyone can call some operations from the internet (my authentication API that issues a java web token based on a username and password that is passed in the body of the call)

c) some operations can't be called from the internet and must be called from our on-prem network (operations that involve downloading of information, but they still go through APIM)

Anyone have some suggestions on how to achieve this kind of configuration?

thx

-Sheldon


Accepted answer
  1. Pramod Valavala 20,656 Reputation points Microsoft Employee Moderator
    2021-06-01T11:40:08.067+00:00

    @Sheldon Lyttle Without a VNET to identify where traffic is coming from, IP Restrictions are an effective way to approach this. And you could keep this in place for connections between APIM and the App Service (to prevent direct access to the App Service ever). Or as @MikeUrnun mentioned, client certificate authentication is also an option here.

    OAuth2 would still be the best solution here and contrary to what you've mentioned, you would just have to disable subscriptions for your APIs and have all users, both internal and external to authenticate with OAuth2.

    You can disable subscriptions from the Settings tab on an API like below

    (screenshot: 101340-image.png, the API Settings tab with the subscription requirement disabled)
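The API-scope policy below is a worked example added here; it is not part of the question or the accepted answer. It shows how the pieces the answer mentions fit together for the three requirements in the question: an IP restriction for the internal-only operation (c), JWT validation for every operation except the token-issuing one (b), and a shared secret sent to the backend on top of the App Service IP restriction (a). The operation IDs `issue-token` and `download-report`, the named values `{{jwt-signing-key}}` and `{{backend-shared-secret}}`, the `203.0.113.0/24` on-premises egress range and the `contoso.example` hostnames are all placeholders.

```xml
<!-- API-scope APIM policy (example). Assumed placeholders: operation IDs "issue-token"
     (public) and "download-report" (internal only), secret named values
     {{jwt-signing-key}} (base64-encoded HMAC key shared with the backend auth operation)
     and {{backend-shared-secret}}, the 203.0.113.0/24 on-prem egress range and the
     contoso.example hostnames. Subscriptions are disabled on the API, so nothing below
     depends on a subscription key. -->
<policies>
    <inbound>
        <base />

        <!-- (c) Internal-only operations: accept calls only from the on-prem egress range.
             ip-filter uses the caller address APIM actually sees (context.Request.IpAddress),
             not X-Forwarded-For, so a client cannot spoof it with a header. Other callers
             get 403. The same element could instead live in the operation's own policy. -->
        <choose>
            <when condition="@(context.Operation.Id == &quot;download-report&quot;)">
                <ip-filter action="allow">
                    <address-range from="203.0.113.0" to="203.0.113.255" />
                </ip-filter>
            </when>
        </choose>

        <!-- (b) Every operation except the token-issuing one must present a bearer JWT minted
             by the backend's auth operation. APIM verifies the signature with the same HMAC
             key the backend signs with, stored as a secret named value, and also checks
             expiry, audience and issuer. -->
        <choose>
            <when condition="@(context.Operation.Id != &quot;issue-token&quot;)">
                <validate-jwt header-name="Authorization" require-scheme="Bearer"
                              require-expiration-time="true" require-signed-tokens="true"
                              failed-validation-httpcode="401"
                              failed-validation-error-message="Missing or invalid token">
                    <issuer-signing-keys>
                        <key>{{jwt-signing-key}}</key>
                    </issuer-signing-keys>
                    <audiences>
                        <audience>https://api.contoso.example</audience>
                    </audiences>
                    <issuers>
                        <issuer>https://api.contoso.example/auth</issuer>
                    </issuers>
                </validate-jwt>
            </when>
        </choose>

        <!-- (a) Defence in depth for the backend: the App Service access restriction admits only
             APIM's public IP and the on-prem range, and in addition APIM sends a shared secret
             the backend checks on every request, so a mistaken IP rule alone does not expose it. -->
        <set-header name="X-Backend-Key" exists-action="override">
            <value>{{backend-shared-secret}}</value>
        </set-header>
        <set-backend-service base-url="https://contoso-api.azurewebsites.net" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Do not leak backend implementation details to public callers. -->
        <set-header name="X-Powered-By" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two practical checks go with this. First, the App Service side of (a) is an access restriction on the backend itself, for example `az webapp config access-restriction add --resource-group <rg> --name <app> --rule-name apim --action Allow --ip-address <apim-public-ip>/32 --priority 100` plus a second rule for the on-prem range; once the rules are in place, a request to the `*.azurewebsites.net` hostname from any other address should return 403 while the same call through the APIM custom domain succeeds. Second, this only works if APIM has a stable public IP: the Developer, Basic, Standard and Premium tiers do, but the Consumption tier does not, so an IP allow-list on the backend cannot be used with Consumption. If the on-prem network reaches APIM through a proxy or NAT, the range in the `ip-filter` must be that proxy's egress address, not the internal client addresses.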

