Protect your APIs behind API Management

I think API Management needs no introduction these days, and it is a no-brainer to put it in front of any API that backs a customer-facing app. Beyond the obvious features (protection via subscription keys, monitoring, caching), it gives you less obvious ones such as the ability to swap out the underlying API without any customer impact.

In this article, however, I want to talk about another feature that I only recently learned about and used successfully for the first time: the managed identity integration.

One of the challenges I recently had to solve was to "hide" a pre-existing API deployed in a Web App so that external parties cannot call it directly; it should only be reachable through API Management.
My initial thoughts were obviously VNets or IP filtering, but neither worked given the remote nature of work these days: I still wanted the API to be available to developers without requiring a VPN connection.

The solution we came up with was to disallow anonymous requests on the Web App and have API Management authenticate itself to the API using its managed identity.

The process is quite straightforward. The API Management instance needs a (system-assigned) managed identity enabled; you then have it acquire a token for the API with the <authentication-managed-identity> policy in the inbound section, which by default puts the token in the Authorization header of the forwarded request:

<inbound>
<base />
<!-- Acquire an Azure AD token for the backend (resource = the client ID of the
     Azure AD app registered for the Web App's authentication) using the
     API Management managed identity; the token is sent as a Bearer token. -->
<authentication-managed-identity resource="<id>" />
<!-- Forward the request to the protected Web App. -->
<set-backend-service base-url="https://my-api-test.azurewebsites.net" />
</inbound>

The key element in the above policy is the id value in the resource parameter. To obtain it, you need to set up Authentication / Authorization for your Web App:

  1. Enable App Service Authentication

  2. Create a new Azure AD application

  3. Disable anonymous requests (set the action for unauthenticated requests to log in with Azure AD rather than allowing anonymous access)

  4. Save

  5. Get the client Id

Once you have performed these steps, you can configure your APIM policy with the client Id as the resource value.
Keep in mind that this disables anonymous access at the Web App level, so you will need to authenticate with your own domain account if you need to call the API directly (or browse the site).
Also keep in mind what this check actually proves: App Service Authentication verifies that the token was issued by your tenant for this application's audience, and by default any user or service principal in the tenant can obtain such a token. If the goal is that the API is reachable only through API Management, additionally restrict the allowed client applications / identities in the App Service authentication settings to the API Management managed identity (or require user assignment on the enterprise application), otherwise a caller with any tenant identity can still bypass the gateway.
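To make the last point concrete, here is an added example (not code from the original post, and not how App Service Authentication is implemented) of the checks a backend has to perform on the Bearer token it receives: signature, expiry, issuer, audience, and finally that the caller is the API Management managed identity. The tenant ID, client IDs and the shared HS256 key are constructed for the demo; real Azure AD tokens are RS256-signed and must be validated against the tenant's signing keys, and the caller app ID appears in the `appid` (v1) or `azp` (v2) claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed identifiers for the demo; none of these are real tenants or apps.
TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
WEBAPP_CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # value used as resource="..." in the APIM policy
APIM_IDENTITY_APPID = "22222222-2222-2222-2222-222222222222"  # client ID of APIM's managed identity
ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
ALLOWED_CALLERS = {APIM_IDENTITY_APPID}

# Assumption: a shared HS256 key stands in for Azure AD's RS256 signing keys so the
# example runs offline. Real tokens must be validated against the tenant's JWKS.
DEMO_KEY = b"demo-only-signing-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT the way an issuer would (demo HS256 signer only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_caller(authorization: str, now: Optional[float] = None,
                  key: bytes = DEMO_KEY) -> Tuple[bool, str]:
    """Return (accepted, reason). Signature, expiry, issuer and audience are what
    App Service auth checks; the caller pin is the extra check that closes the gap."""
    now = time.time() if now is None else now
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return False, "malformed Authorization header"
    header_b64, body_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":  # never trust the token's choice of algorithm
        return False, "unexpected signing algorithm"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer (foreign tenant)"
    if claims.get("aud") != WEBAPP_CLIENT_ID:
        return False, "token was issued for a different API"
    # Everything above passes for ANY principal in the tenant that requested this
    # audience. Pin the caller to the gateway's managed identity.
    caller = claims.get("appid") or claims.get("azp")
    if caller not in ALLOWED_CALLERS:
        return False, f"caller {caller} is not the API Management identity"
    return True, "ok"


def demo_tokens(now: float) -> Dict[str, str]:
    """Three constructed tokens: one from APIM, one from another app in the same
    tenant that asked for the same audience, one issued for a different API."""
    base = {"iss": ISSUER, "aud": WEBAPP_CLIENT_ID, "exp": now + 3600}
    return {
        "apim": mint_token({**base, "appid": APIM_IDENTITY_APPID}),
        "other_tenant_app": mint_token({**base, "appid": "33333333-3333-3333-3333-333333333333"}),
        "wrong_audience": mint_token({**base, "aud": "44444444-4444-4444-4444-444444444444",
                                      "appid": APIM_IDENTITY_APPID}),
    }


if __name__ == "__main__":
    for name, tok in demo_tokens(time.time()).items():
        print(name, verify_caller("Bearer " + tok))
```

The `other_tenant_app` token is the interesting case: it is a perfectly valid token for the Web App's audience and passes every check App Service Authentication makes, so only the caller pin (or the equivalent allowed-applications restriction in the portal) stops it.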
