CODEWITHSUNDEEP
apiazureasp.net-web-apiazure-api-managementazure-api-apps
adelb
adelb

Reputation: 821

API security in Azure best practice

I'm developing a web API that will be called by other web apps in the same Azure host and also other 3rd party services/ app. I'm currently looking into API Apps and API management, but there are several things unclear for me regarding security implementation:

  1. Does API App need to have authentication when implemented with API management? If yes, what are the options? This link http://www.kefalidis.me/2015/06/taking-advantage-of-api-management-for-api-apps/ mentions "Keep in mind that it’s not necessary to have authentication on the API App, as you can enable authentication on API Management and let it handle all the details." So that means having the API App authentication to public anonymous? But then someone who knows the direct URL of the API App can access it directly.
  2. What is the best way to implement API Management security? The one mentioned in the tutorial (Having a raw subscription key passed in the header) seems to be prone to man in the middle attack
  3. What advantages does API App add instead of implementing with normal Web API project?

Thanks in advance.

Upvotes: 5

Views: 3198

Answers (1)

Miao Jiang
Miao Jiang

Reputation: 633

I can answer from API Management perspective. To secure the connection between API Mgmt and your backend (sometimes called last-mile security), there are a few options:

  1. Basic Authentication: this is the simplest solution
  2. Mutual certificate authentication: https://azure.microsoft.com/en-us/documentation/articles/api-management-howto-mutual-certificates/ - this is the most common approach.
  3. IP Whitelisting: if you have a Standard or Premium tier APIM instance, the IP address of the proxy will remain constant. Thus you can configure firewall rules to block unknown IP addresses.
  4. JWT token: if your backend has the capability to validate JWT tokens, you can block any callers without a valid JWT.

This video might also be helpful: https://channel9.msdn.com/Blogs/AzureApiMgmt/Last-mile-Security

I think the document meant you can do the JWT token validation in APIM. However, to prevent someone calling your backend directly, you'll have to implement one of the options mentioned above in your Api Apps

Upvotes: 4

Related Questions