API Security in Azure Best Practice

I am developing a web API that will be called by other web applications hosted on the same Azure node, as well as by third-party services and applications. I am currently studying API Apps and API Management, but a few things about implementing security are unclear to me:

  • Is authentication on the API App itself required when using API Management? If so, what are the options? This link http://www.kefalidis.me/2015/06/taking-advantage-of-api-management-for-api-apps/ mentions: "Keep in mind that you do not need to have authentication in the API application, as you can enable authentication when managing the API and let it handle all the details." So does this mean the API App's own authentication is left public/anonymous? But then anyone who knows the direct URL of the API App can call it directly.
  • What is the best way to secure the API Management APIs? One of the options mentioned in the documentation (a raw subscription key passed in a header) seems vulnerable to a man-in-the-middle attack.
  • What are the benefits of adding an API App instead of implementing a regular Web API project?

Thanks in advance.

+5
1 answer

I can answer from the API Management side. To secure the connection between the API Management proxy and your backend (sometimes called last-mile security), there are several options:

  • Basic Authentication: This is the easiest solution.
  • Mutual certificate verification: https://azure.microsoft.com/en-us/documentation/articles/api-management-howto-mutual-certificates/ is the most common approach.
  • IP White List: If you have an instance of APIM Standard or Premium, the IP address of the proxy server will remain constant. This way, you can configure firewall rules to block unknown IP addresses.
  • JWT token: if your backend has the ability to check JWT tokens, you can block all callers without a valid JWT.

This video may also be useful: https://channel9.msdn.com/Blogs/AzureApiMgmt/Last-mile-Security

I think the article meant that you can do JWT token validation in APIM. However, to stop someone from accessing your backend directly, you will have to implement one of the options mentioned above in your API App.

+2
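The point the answer makes, that APIM validating the token does not by itself protect a backend whose URL is known, can be shown with a small backend-side gate. The following is an added example, not code from the original post or from Azure: it combines two of the options listed above, an IP allow list holding the (assumed) static APIM proxy address and verification of a bearer JWT, and rejects a request unless both checks pass. The proxy IP, the audience and issuer values and the shared HS256 secret are all assumptions; the JWT is HS256 so the example runs offline with the standard library only, whereas a real Azure AD token would be RS256 and checked against the tenant's published signing keys.

```python
"""Last-mile gate for an API App behind Azure API Management (added example).

Allows a request only when (1) it arrives from the APIM proxy address and
(2) it carries a valid bearer JWT. Everything below marked "assumed" is a
placeholder for values you would take from your own APIM instance / issuer.
"""
import base64
import hashlib
import hmac
import ipaddress
import json

APIM_PROXY_IPS = [ipaddress.ip_network("203.0.113.10/32")]  # assumed static proxy IP
JWT_SECRET = b"example-shared-secret-rotate-me"              # assumed HS256 secret
EXPECTED_AUD = "api://orders-backend"                        # assumed audience
EXPECTED_ISS = "https://issuer.example.test"                 # assumed issuer


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_token(claims: dict, secret: bytes = JWT_SECRET) -> str:
    """Mint an HS256 JWT; only here so the example has tokens to check."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: float, secret: bytes = JWT_SECRET) -> dict:
    """Return the claims if the token is HS256-signed with `secret`, unexpired
    and addressed to this API; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token header choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp") is None or now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("aud") != EXPECTED_AUD or claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong audience or issuer")
    return claims


def authorize_request(headers: dict, remote_ip: str, now: float) -> tuple:
    """Gate a request that reached the backend. Returns (allowed, reason)."""
    ip = ipaddress.ip_address(remote_ip)
    if not any(ip in net for net in APIM_PROXY_IPS):
        return False, "source is not the APIM proxy"  # a direct hit on the backend URL
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    try:
        claims = verify_token(auth[len("Bearer "):], now)
    except ValueError as exc:
        return False, f"token rejected: {exc}"
    return True, f"ok for subject {claims.get('sub')}"


def run_demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed sample requests covering the cases the answer describes."""
    base = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "client-app-1"}
    good = make_token({**base, "exp": now + 300})
    expired = make_token({**base, "exp": now - 1})
    forged = make_token({**base, "sub": "attacker", "exp": now + 300}, secret=b"guess")
    return {
        "via_apim_valid": authorize_request({"Authorization": f"Bearer {good}"}, "203.0.113.10", now),
        "direct_valid_token": authorize_request({"Authorization": f"Bearer {good}"}, "198.51.100.7", now),
        "via_apim_no_token": authorize_request({}, "203.0.113.10", now),
        "via_apim_expired": authorize_request({"Authorization": f"Bearer {expired}"}, "203.0.113.10", now),
        "via_apim_forged": authorize_request({"Authorization": f"Bearer {forged}"}, "203.0.113.10", now),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print(f"{name:20} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The IP check only holds on tiers where the proxy address is static, as the answer notes for Standard and Premium; on a shared tier you would rely on the certificate or token check alone. The token check is what stops a caller who somehow reaches the backend from the allowed address without going through APIM's own validate-jwt step.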
