I have an API hosted on Azure App Service which can be called from API Management (Basic tier). I'd like to block all requests that call the App Service URL directly (*.azurewebsites.net).
I read through Microsoft Docs and found a few methods to achieve this (with some concerns after the => symbol):
Set Access Restriction on App Service to allow the APIM IP only. => Does not restrict to my particular APIM instance, as the IP is shared
mTLS authentication from APIM to App Service => Tried it and it works, but it needs a code change to verify only the certificate supplied by APIM. I don't want to change my code. If I set App Service to "require" an incoming client certificate but don't verify the certificate in my code, anyone can call my API directly by just supplying any random certificate. Am I right?
Use Azure AD => I don't quite understand this method. I followed the documentation and it didn't work. If using Azure AD, what I want is to let APIM authenticate to and access the App Service using its managed identity. Is this possible? I think this is the easiest way, but I couldn't find any documentation.
Put App Service in a VNET => Not possible in my situation, as the APIM Basic tier does not support VNET integration
What are the options I have to achieve this? Thanks.
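To make the mTLS concern concrete, here is an added example (not from the original post): the check that the "require" setting alone does not perform, namely pinning the thumbprint of the certificate that App Service forwards to the app, shown next to the "require only" behaviour. It assumes that App Service forwards the TLS client certificate as base64-encoded DER in the X-ARR-ClientCert request header and that the APIM certificate is identified by its SHA-1 thumbprint (the value shown in the portal); the DER byte strings are constructed stand-ins, not real certificates.

```python
"""Pin the client certificate that App Service forwards in X-ARR-ClientCert.

Added example, not code from the original post. Assumptions (not in the post):
  - App Service forwards the TLS client certificate as base64-encoded DER in
    the X-ARR-ClientCert request header.
  - The certificate APIM presents is identified by its SHA-1 thumbprint,
    the same value the Azure portal shows for a certificate.
"""
import base64
import binascii
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificate bodies. A real header
# carries the full DER bytes of whatever certificate the caller presented.
APIM_CERT_DER = b"\x30\x82\x01\x0a-constructed-apim-cert-der"
ATTACKER_CERT_DER = b"\x30\x82\x01\x0a-constructed-random-self-signed-cert"


def thumbprint(der: bytes) -> str:
    """Azure-style thumbprint: SHA-1 over the DER bytes, upper-case hex.

    SHA-1 is used here only as an identifier for a certificate the operator
    already trusts, not to validate a signature.
    """
    return hashlib.sha1(der).hexdigest().upper()


# The value an operator would paste from the APIM certificate blade.
PINNED_THUMBPRINT = thumbprint(APIM_CERT_DER)


def make_headers(der: bytes) -> dict:
    """Build the request headers App Service would hand to the app."""
    return {"X-ARR-ClientCert": base64.b64encode(der).decode("ascii")}


def allowed_require_only(headers: dict) -> bool:
    """'Require' without verification: any forwarded certificate passes."""
    return bool(headers.get("X-ARR-ClientCert"))


def allowed_pinned(headers: dict, pinned: str = PINNED_THUMBPRINT) -> bool:
    """Accept the request only if the forwarded cert matches the pinned thumbprint.

    A missing or malformed header is rejected, and the comparison is
    constant-time so the thumbprint cannot be guessed byte by byte.
    """
    header = headers.get("X-ARR-ClientCert")
    if not header:
        return False
    try:
        der = base64.b64decode(header, validate=True)
    except (binascii.Error, ValueError):
        return False
    return hmac.compare_digest(thumbprint(der), pinned)


if __name__ == "__main__":
    for name, der in (("APIM cert", APIM_CERT_DER), ("random cert", ATTACKER_CERT_DER)):
        h = make_headers(der)
        print(f"{name}: require-only={allowed_require_only(h)} pinned={allowed_pinned(h)}")
```

The "require only" function accepts the random certificate as readily as the APIM one; the pinned version is the few lines of code the question is weighing against the Azure AD and network options.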