Securing API App Service sitting behind Azure API Management

3
votes

I have a design issue that I've been struggling with in Azure. I have created a .NET Core API and deployed it as an App Service in Azure. On top of that, I have an instance of Azure API Management with oAuth 2 securing it. I was able to achieve this by following this tutorial:

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

So, the API Management instance is secured with policies and rate limiting, but the back-end URL is wide open and requires no authentication. What is the best process to secure the back-end URL?

1
azureauthenticationapi-management
Possibly more solutions here: stackoverflow.com/q/36764654/2579733Max Ivanov

1 Answers

5
votes

you can set APIM public IP in accessing whitelist of your App service to make sure only APIM requests will be able to access your App Service. For how to set IP restriction , you may refer to this doc : https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#adding-and-editing-ip-restriction-rules-in-the-portal