Search code examples
azure-api-appsazure-api-management

Securing Azure API

I have an Azure WebAPI and I have added it to Azure API Management.

As well as accessing the API through an API Management URI I note that I can still directly access the Azure API using the URI to the API.

In order to secure the raw API should I:

  • add code to the API in order to secure it (by treating the API as the ASP.Net application it is and using a certificate)

or

  • Use some facility of Azure to secure the API
Solution

  • Your choice.

    • Upload a certificate to API Management, and verify it in your API
    • Enable basic auth security in API Management and in your backend API
    • Add a secret to a custom header in API Management and check it in your API.
    • Check the inbound IP address in your API as an API Management instance will keep the same IP for as long as it is provisioned
    • Add your API to an Azure VNet and use a network security group to only allow the API Management IP address access to the VNet