Question

PitawatNantamanop-3754 asked (edited)

Easiest way to secure API hosted on App Service to be called only from APIM?

I have an API hosted on Azure App Service which can be called from API Management (Basic tier). I'd like to block all requests that call the App Service URL directly (*.azurewebsites.net).

I read through Microsoft Docs and found a few methods to achieve this (with some concerns after the => symbol):

  • Set Access Restriction on App Service to allow APIM IP only. => Does not restrict to my particular APIM instance as the IP is shared

  • mTLS authentication from APIM to App Service => Tried it and it works, but it requires changing the code to verify only my certificate supplied from APIM. I don't want to change my code. If I set App Service to "require" an incoming client certificate but don't verify the certificate in my code, anyone can call my API directly by just supplying any random certificate. Am I right?

  • Use Azure AD => I don't quite understand this method. I followed the documentation and it didn't work. If using Azure AD, what I want is to let APIM authenticate and access the App Service using managed identity. Is this possible? I think this is the easiest way but couldn't find any documentation.

  • Put App Service in VNET => Not possible for my situation as APIM Basic tier does not support VNET integration

What are the options I have to achieve this? Thanks.

Tags: azure-webapps, azure-api-management

1 Answer

MayankBargali-MSFT answered (edited)

@PitawatNantamanop-3754 Your first option is possible as the VIP is static for the Basic tier as mentioned in this document, with certain exceptions as mentioned in the document. But if you are in the Consumption tier then it is not static.

Your third and fourth options are not supported in either the Basic or Consumption tier, as mentioned in the APIM features document.

Your second option can be another possible solution apart from the first option when you are using the Basic tier. As you have mentioned, this will need code changes at the app service end, where APIM will pass the certificate and the app service needs to validate this certificate. If you are not validating the certificate at the app service end then anyone can pass any certificate to bypass it.

Alternatively, if you don't want to use the certificate you can use a shared secret between APIM and the app service. Your APIM will set a certain header with a certain value using a policy, and you need to check this header at the app service end and validate it against the secret that was agreed between the two.

For basic tier if you don't want to directly access the App Service URL (*.azurewebsites.net) then you can go with first or second option.

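The shared-secret header approach from the answer above, as an added example that is not code from the original thread: the APIM side is sketched as an inbound policy in the leading comment, and the App Service side validates the header before serving any route. The header name `X-APIM-Shared-Secret`, the named value `backend-shared-secret` and the sample secret are assumptions.

```python
import hmac

# APIM side (assumed header name and named value): an inbound policy that
# stamps the secret on every request the gateway forwards to the backend.
#
#   <inbound>
#     <base />
#     <set-header name="X-APIM-Shared-Secret" exists-action="override">
#       <value>{{backend-shared-secret}}</value>
#     </set-header>
#   </inbound>

HEADER_NAME = "X-APIM-Shared-Secret"  # assumed header name


def is_request_from_apim(headers: dict, secret: str) -> bool:
    """True only when the request carries the exact shared secret.

    Header names match case-insensitively; the value is compared with
    hmac.compare_digest so a wrong guess cannot be timed against the
    secret. A missing or empty header is rejected.
    """
    presented = next((v for k, v in headers.items()
                      if k.lower() == HEADER_NAME.lower()), None)
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), secret.encode())


def handle(headers: dict, secret: str) -> tuple:
    """Gate every route: 403 unless the request came through APIM.

    In a real app the secret comes from an App Service app setting, not
    from source code; here it is passed in so the check is testable.
    """
    if not is_request_from_apim(headers, secret):
        return 403, "Forbidden: call this API through API Management"
    return 200, "OK"


if __name__ == "__main__":
    # Constructed sample requests, not taken from the original thread.
    secret = "example-shared-secret"
    print(handle({"X-APIM-Shared-Secret": secret}, secret))  # (200, 'OK')
    print(handle({"x-apim-shared-secret": "guess"}, secret))  # 403
    print(handle({"Host": "myapp.azurewebsites.net"}, secret))  # 403
```

Layer this with the Access Restriction on the APIM VIP from the first option: the header check alone does not stop a caller who has obtained the secret, and it must run on every route, including health and error paths.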

Hi @MayankBargali-MSFT ,

Thanks for the reply. Regarding the first option on the VIP: I thought the VIP was shared across other customers' APIM instances. But according to the documentation you provided, it seems like the VIP is dedicated to my particular APIM instance for the lifetime of the service. If this is the case, that would be wonderful, as I could achieve my goal using APIM's VIP.

Could you please confirm that the VIP is dedicated to my particular APIM instance and I can just restrict access to App Service using that IP?


EDIT: Never mind, I saw that the documentation you provided (the "IP addresses of API Management service" section) clearly states that the VIP is exclusive to that APIM instance only and is not shared.

Thanks again.
