I have a series of API operations that I want to host in Azure and expose through API Management (APIM) as a single product. The API implements its own security and authorization through the use of java web tokens but I don't want any of the backend APIs accessible to the general public through the application service endpoint. Instead I want to implement a custom domain, and expose them through APIM. Some operations should be accessible to the world, while others should be only available to our internal users, but they all relate to the same product.
I don't really want to use Vnets because that forces you to use the premium teir pricing model.
I have gone through the documentation that talks about securing api backends using oAuth2, but that appears to require all users to provide a subscription.
Basically what I want is to have my cake and eat it too... more precisely:
a) no one can call the backend APIs from the internet, but I can still call them from our on-prem network for testing and debugging (and APIM can call them of course)
b) everyone can call some operations from the internet (my authentication API that issues a java web token based on a username and password that is passed in the body of the call)
c) some operations can't be called from the internet and must be called from our on-prem network (operations that involve downloading of information, but they still go through APIM
Anyone have some suggestions on how to achieve this kind of configuration?
thx
-Sheldon