mdzieg

Reputation: 164

API Management and Application authentication

I think I do not understand something obvious here.

If I configure an API App in API Management so that the URL /B requires a separate subscription/role other than the basic one which enables the /A URL, do I have to authorize in the application itself by checking the current user's role?

I am confused because the API App also has its own public URL and can be accessed directly. It will also have an API Management URL. So even though I set up all the throttling and all the policies, that can be ignored by accessing the application directly.

Can't the API App be internal only, with a configured identity, and allow only connections from API Management? How do I set up authentication so that users have to go via API Management?

Upvotes: 0

Views: 657

Answers (1)

Chris.ZA

Reputation: 1286

Once you put your API behind API Management, you should consider the backend API's URL as your own private URL that only you use if you need to.

Both you and the consumers of your API should only use the public API management URL so that you get the benefits of the API Management Gateway. Don't give external parties the public URL of your backend API.

You have various options to protect your backend API. These include using Azure AD, certificates, basic authentication and even only allowing the Azure API management IP address to connect to your backend API.

It depends on where your backend API is hosted, what tier of API Management you are using (some options are only available in Premium), and finally, what capabilities your backend API has.

See this post for more details on all of the above.

Hope this helps!

Upvotes: 1
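The answer lists several ways to make the backend accept traffic only from the API Management gateway. The following is an added example, not code from the question or the answer, showing one common combination on the backend side: an allow list of the gateway's egress IP addresses plus a secret header that an APIM inbound policy injects and the backend verifies. The header name `X-Gateway-Secret`, the named value `backend-gateway-secret`, the CIDR ranges and the secret value are all constructed for the example; the real gateway addresses and tier-specific options come from your own APIM instance, as the answer notes.

```python
"""Backend-side check that a request actually came through the API Management gateway.

Assumed setup (constructed for this example):
  * An APIM inbound policy adds a secret header to every forwarded request, e.g.
        <set-header name="X-Gateway-Secret" exists-action="override">
          <value>{{backend-gateway-secret}}</value>
        </set-header>
    where backend-gateway-secret is an APIM named value (store it as a secret).
  * The backend is configured with the same secret and with the gateway's
    outbound IP ranges. Direct calls to the backend's public hostname then
    fail both checks and are rejected.
"""
import hmac
import ipaddress
from dataclasses import dataclass, field

GATEWAY_HEADER = "X-Gateway-Secret"  # assumed header name


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


@dataclass
class GatewayGuard:
    secret: str
    # Egress addresses of the APIM gateway; empty list means "no IP restriction".
    allowed_cidrs: list = field(default_factory=list)

    def __post_init__(self):
        self._nets = [ipaddress.ip_network(c, strict=False) for c in self.allowed_cidrs]

    def ip_allowed(self, remote_addr: str) -> bool:
        """remote_addr must be the TCP peer address, never X-Forwarded-For,
        which any direct caller can set to whatever they like."""
        if not self._nets:
            return True
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False
        return any(addr in net for net in self._nets)

    def check(self, headers: dict, remote_addr: str):
        """Return (allowed, reason). Both the IP and the header check must pass."""
        if not self.ip_allowed(remote_addr):
            return False, "source address is not the API Management gateway"
        presented = _header(headers, GATEWAY_HEADER)
        if presented is None:
            return False, "missing gateway header"
        # Constant-time comparison so the secret cannot be recovered byte by byte.
        if not hmac.compare_digest(presented.encode(), self.secret.encode()):
            return False, "gateway header mismatch"
        return True, "ok"


def handle_request(guard: GatewayGuard, headers: dict, remote_addr: str) -> int:
    """Minimal framework-independent handler: 403 unless the request came via APIM."""
    allowed, _reason = guard.check(headers, remote_addr)
    return 200 if allowed else 403


if __name__ == "__main__":
    # Constructed sample traffic: one APIM egress address and one direct caller.
    guard = GatewayGuard(secret="constructed-secret-value",
                         allowed_cidrs=["203.0.113.10/32"])
    via_gateway = ({"X-Gateway-Secret": "constructed-secret-value"}, "203.0.113.10")
    direct_call = ({}, "198.51.100.7")
    print("via gateway ->", handle_request(guard, *via_gateway))   # 200
    print("direct call ->", handle_request(guard, *direct_call))   # 403
```

Wire `handle_request` (or `GatewayGuard.check`) into whatever framework serves the backend, passing the socket peer address as `remote_addr`. The two checks are deliberately independent: the IP allow list stops callers who do not come through the gateway at all, and the secret header stops anything else that happens to share the gateway's egress range. Rotating the named value in APIM and the backend's copy at the same time is the operational cost of this approach.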
