We have an APIM which forwards requests to different backend servers based on different policies. I want to restrict requests to backend servers to only come from that APIM (and no other entity). Two options at hand were:
- IP filtering at backend-servers to accept requests only if they come from APIM IP addresses - don't want to go down this path since APIM IP addresses can change and its a hassle to keep the list updated.
- A client-certificate authentication mechanism - APIM will send a certificate which can then be verified by backend-server.
What I haven't been able to understand is how does APIM send the certificate? Is the certificate sent in a HTTP header or is the certificate sent in the TLS layer below HTTP?
Asking this because: I am looking for a way to not mandate backend servers to do APIM certificate authentication; i.e. APIM should send the certificate but what different backend-server's do with it, is up to them (they may choose to verify the client certificate or just allow the request without verification). For this to work, my understanding is that its best to send client-certificate from APIM as part of a custom header. If the authentication-certificate policy in APIM sends the certificate in the TLS layer, then its not necessary that the certificate will reach the backend server's application logic. For instance, in the case where the backend is a Azure app web service, then the TLS termination happens at a frontend load balancer which then forwards the certificate to the app code in a custom header X-ARR-ClientCert. Since I am dealing with different kinds of backend-servers (not only Azure App Service), sending the certificate in a custom header (which will make its way to app-code in the same header regardless of the backend server type) makes more sense.
Any thoughts on this approach and if my understanding is wrong on how client-certificates in APIM work?
