how to properly secure backend API on public operations

Question

how to properly secure backend API on public operations

Sheldon Lyttle 21

I have a series of API operations that I want to host in Azure and expose through API Management (APIM) as a single product. The API implements its own security and authorization through the use of java web tokens but I don't want any of the backend APIs accessible to the general public through the application service endpoint. Instead I want to implement a custom domain, and expose them through APIM. Some operations should be accessible to the world, while others should be only available to our internal users, but they all relate to the same product.

I don't really want to use Vnets because that forces you to use the premium teir pricing model.

I have gone through the documentation that talks about securing api backends using oAuth2, but that appears to require all users to provide a subscription.

Basically what I want is to have my cake and eat it too... more precisely:

a) no one can call the backend APIs from the internet, but I can still call them from our on-prem network for testing and debugging (and APIM can call them of course)

b) everyone can call some operations from the internet (my authentication API that issues a java web token based on a username and password that is passed in the body of the call)

c) some operations can't be called from the internet and must be called from our on-prem network (operations that involve downloading of information, but they still go through APIM

Anyone have some suggestions on how to achieve this kind of configuration?

thx

-Sheldon

Sheldon Lyttle 21 Reputation points

2021-05-31T17:35:12.333+00:00

One additional note, I came up with what I consider a cheesy way of securing the backend IPs, through ACLs ... essentially only allowing the IP address of APIM and our company's public IP to access the app service. On top of that, I added inbound IP related rules in APIM on the operations I didn't want to be callable from the internet.

This was intended to be a stop-gap measure until I found a more sophisticated way of doing the same.
MikeUrnun 9,777 Reputation points Moderator

2021-05-31T22:36:27.967+00:00

Hi Sheldon - I'm curious if you considered certificate-based authentication and if there were any concerns?

Accepted answer

0 additional answers

Your answer

Sheldon Lyttle 21 Reputation points

2021-05-31T17:35:12.333+00:00

One additional note, I came up with what I consider a cheesy way of securing the backend IPs, through ACLs ... essentially only allowing the IP address of APIM and our company's public IP to access the app service. On top of that, I added inbound IP related rules in APIM on the operations I didn't want to be callable from the internet.

This was intended to be a stop-gap measure until I found a more sophisticated way of doing the same.
MikeUrnun 9,777 Reputation points Moderator

2021-05-31T22:36:27.967+00:00

Hi Sheldon - I'm curious if you considered certificate-based authentication and if there were any concerns?

Answer 1

Pramod Valavala 20,656 Microsoft Employee Moderator

@Sheldon Lyttle Without a VNET to identify where traffic is coming from, IP Restrictions are an effective way to approach this. And you could keep this in place for connections between APIM and the App Service (to prevent direct access to the App Service ever). Or as @MikeUrnun mentioned, client certificate authentication is also an option here.

OAuth2 would still be the best solution here and contrary to what you've mentioned, you would just have to disable subscriptions for your APIs and have all users, both internal and external to authenticate with OAuth2.

You can disable subscriptions from the Settings tab on an API like below

Sheldon Lyttle 21 Reputation points

2021-06-01T12:02:59.95+00:00

Thanks for the help here! That really helps!

If I use oAuth2, doesn't that still mean that external users would still have to have some kind of identity set up in our AAD? Even if Subscription Required flag is turned off, wouldn't the backend API will demand an an identity through oAuth2?

Because the APIs were not originally design for APIM, they have their own authentication and authorization mechanism, and use a SQL database to handle that.

After some thinking last night, it is looking more and more like Vnets may be the answer for us. If we put APIM on an internal vnet, it looks like we can then use Application Gateway to expose only those operations that we want to. It is an expensive way to go though, so I'll take a serious look at all the options you have presented.

Thanks again for all your help.
Pramod Valavala 20,656 Reputation points Microsoft Employee Moderator

2021-06-02T13:59:36.07+00:00

@Sheldon Lyttle Yes. That is correct about the external users requiring identity. Leveraging Azure AD B2C with APIM is an option here where they can login with their own existing identities as configured on B2C.

Otherwise, VNET would be the way to go to ensure network level protection. But this is indeed a pricey option.

Share via

how to properly secure backend API on public operations

0 additional answers

Your answer