2
votes

I am planning to use Azure Event Grid as a pub-sub mechanism. We want to use a custom webhook as a subscription to an Event Grid Topic. While I was able to use the validation request successfully, is there any way in which we can implement authentication and/or DDoS protection for the webhook endpoint being exposed? I came across a query string param solution, but that does not seem very legitimate.

1
Have you tried a product like Cloudflare? - Thomas

1 Answer

1
votes

If you don't want to expose the endpoint you could put something like API Management in front of it. You will have to handle the validation part within the inbound policy, however. Here is an example: https://github.com/dbarkol/EventGrid-API-Management/blob/master/eventgrid-apim-policy.xml

For the custom endpoint, other defensive measures you can take are to:

  1. Make sure the aeg-event-type value is set to Notification for incoming events.
  2. Inspect the subscription ID in the payload (reject if it's an unknown sender).
  3. Continue using a query string parameter and verify on each call.

Query string parameters are secured and never traced.
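The three checks listed in the answer above, plus the validation handshake the question mentions, as an added example that is not part of the original post or of any Azure SDK. It is framework-agnostic: handle_webhook() takes the raw request pieces and returns a status code and response body, so it can be wired into any HTTP server. The secret, subscription ID, topic resource ID, event types such as Contoso.Orders.Created and the sample payloads are all constructed for this example; the only Event Grid specifics it relies on are the aeg-event-type header values SubscriptionValidation and Notification, the Microsoft.EventGrid.SubscriptionValidationEvent event type with data.validationCode, and the validationResponse reply. The answer's "subscription ID in the payload" is interpreted here as the Azure subscription segment of the topic resource ID (/subscriptions/<id>/...), which is an assumption.

```python
"""Minimal Azure Event Grid webhook receiver implementing the checks from the
answer above. Framework-agnostic: handle_webhook() takes the raw request
pieces and returns (status_code, response_dict). All secrets, IDs and sample
payloads below are constructed for this example, not taken from a real
subscription."""
import hmac
import json
from urllib.parse import parse_qs

# Constructed for the example; load from a secret store and rotate in practice.
# The secret is appended to the endpoint URL registered with Event Grid,
# e.g. https://host/webhook?code=<secret>.
EXPECTED_SECRET = "c0nstructed-example-secret"
# Azure subscription IDs whose topics we accept events from (constructed).
ALLOWED_SUBSCRIPTION_IDS = {"11111111-2222-3333-4444-555555555555"}
# Bound the body so a flood of oversized posts cannot exhaust memory
# before any other check runs.
MAX_BODY_BYTES = 1024 * 1024

VALIDATION_EVENT_TYPE = "Microsoft.EventGrid.SubscriptionValidationEvent"


def subscription_id_from_topic(topic):
    """Extract the Azure subscription ID from a topic resource ID of the form
    /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.EventGrid/topics/<name>.
    (Assumption: this is how 'subscription ID in the payload' is read here.)"""
    parts = topic.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1].lower()
    return None


def secret_is_valid(query_string):
    """Check 3: compare the query-string secret in constant time."""
    supplied = parse_qs(query_string).get("code", [""])[0]
    return hmac.compare_digest(supplied.encode(), EXPECTED_SECRET.encode())


def handle_webhook(method, query_string, headers, body):
    """Return (status_code, response_dict) for one incoming request."""
    if method.upper() != "POST":
        return 405, {"error": "method not allowed"}
    if len(body) > MAX_BODY_BYTES:
        return 413, {"error": "payload too large"}
    # Reject before parsing JSON so unauthenticated callers cost almost nothing.
    if not secret_is_valid(query_string):
        return 401, {"error": "missing or invalid secret"}

    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    aeg_event_type = hdrs.get("aeg-event-type")

    try:
        events = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not JSON"}
    if not isinstance(events, list) or not events:
        return 400, {"error": "expected a non-empty JSON array of events"}

    # Handshake: Event Grid sends aeg-event-type: SubscriptionValidation and
    # expects data.validationCode echoed back as validationResponse.
    if aeg_event_type == "SubscriptionValidation":
        first = events[0]
        if first.get("eventType") != VALIDATION_EVENT_TYPE:
            return 400, {"error": "validation request without validation event"}
        code = (first.get("data") or {}).get("validationCode")
        if not code:
            return 400, {"error": "missing validationCode"}
        return 200, {"validationResponse": code}

    # Check 1: everything else must carry aeg-event-type: Notification.
    if aeg_event_type != "Notification":
        return 400, {"error": "unexpected aeg-event-type"}

    accepted = []
    for event in events:
        # Never process a validation event as a business event.
        if event.get("eventType") == VALIDATION_EVENT_TYPE:
            return 400, {"error": "validation event inside a notification"}
        # Check 2: the topic must belong to a subscription we know.
        sub_id = subscription_id_from_topic(event.get("topic", ""))
        if sub_id not in ALLOWED_SUBSCRIPTION_IDS:
            return 403, {"error": "unknown sender"}
        accepted.append(event.get("id"))
    return 200, {"accepted": accepted}


# Constructed sample payloads (not captured from a real subscription).
GOOD_TOPIC = ("/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg1"
              "/providers/Microsoft.EventGrid/topics/orders")
SAMPLE_VALIDATION = json.dumps([{
    "id": "evt-0001", "topic": GOOD_TOPIC, "subject": "",
    "eventType": VALIDATION_EVENT_TYPE,
    "data": {"validationCode": "1234-constructed-code"},
    "eventTime": "2019-01-01T00:00:00Z", "dataVersion": "1", "metadataVersion": "1"}])
SAMPLE_NOTIFICATION = json.dumps([{
    "id": "evt-0002", "topic": GOOD_TOPIC, "subject": "orders/42",
    "eventType": "Contoso.Orders.Created", "data": {"orderId": 42},
    "eventTime": "2019-01-01T00:00:01Z", "dataVersion": "1", "metadataVersion": "1"}])

if __name__ == "__main__":
    print(handle_webhook("POST", "code=" + EXPECTED_SECRET,
                         {"aeg-event-type": "SubscriptionValidation"}, SAMPLE_VALIDATION))
    print(handle_webhook("POST", "code=" + EXPECTED_SECRET,
                         {"aeg-event-type": "Notification"}, SAMPLE_NOTIFICATION))
```

The order of the checks is deliberate: method, body size and the shared secret are evaluated before the JSON is parsed, so a caller who does not hold the URL secret is turned away without the server doing any real work, which is the cheap part of the DDoS story the question asks about. The secret comparison uses hmac.compare_digest rather than == to avoid a timing side channel. Putting API Management or a CDN/WAF in front, as the answer and comment suggest, is complementary: this code is the last line of defence at the endpoint itself.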