Disable external IP for Azure App Service

Question

Please help me to protect access to APP Services (Api APP) in Azure from outside . I need to disable external IP. I have Web App which should be available for everyone and API APP which should be available for WEB but unavailable for others.

Thanks, Mykola

Answer 1

In addition to the AD bearer token already suggested, you could use a client certificate or a simple shared secret using HTTP Basic Authentication.

Answer 2

You cannot really disable the external IP address of an WebApp. There are various ways you can protect the API App.

First way is to protect it using Azure AD Bearer Token authentication. Check this sample here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-webapi-dotnet/

Once protected, you can use ADAL on your code behind to get token to call the API.

Here however I would raise the question - how do you think your web app will communicate with the Web API? Via JavaScript in the browser, or from the Code Behind. Because if you to call your Web API from in-browser JavaScript, then your question makes no sense! Because effectivly every user will need an access to your API in order the JavaScript to make the call!

Another way would be to create an App Service Environment for your API (rather costly for what you want to achieve). You can then put this App Service Environment into a Subnet of Virtual Network. You put your Web App into anotwer Web App Service plan and connect this to the same Virtual Network. Then you define such network security group, that you permit only internal access to your App Service environment.

At the end, I really doubt you want to disable Internet Access to your Web API. You just want to protect it, and IP Address filtering is not the best way to protect Web APIs.