Protect part of a public API with Azure APIM

Azure API Management (APIM) is a great tool for safely exposing internal APIs to the internet. With a few clicks, APIs can be protected with several easy-to-implement security mechanisms such as subscription keys and client certificates.

The easiest way to expose a private API to an external party (through the internet) is to place the API in a private virtual network (VNET) and deploy Azure API Management inside that VNET. In this way the API is reachable only through API Management, and access can be limited to callers with a valid subscription key. This deployment mode is available in the Developer and Premium tiers of APIM.

Now suppose you have a public, internet-facing API and you still want to protect certain parts of that API with Azure APIM. In this case the security mechanisms of API Management alone are not sufficient: after adding your API to APIM, it can still be accessed directly on the public IP address that was already exposed to the internet. Only an additional route to the API has been added; the original route remains open. Consider the following diagram of this situation:

In order to protect parts of the public API from direct access, those parts must verify that client connections are routed through API Management. Fortunately such a check is possible because API Management uses dedicated static public IP addresses, except in the Consumption tier. The public IP addresses an instance uses can be found in the overview pane of the APIM:

The parts of the public API that need protection from direct access can be guarded with a client IP safelist containing the APIM instance's public IP addresses. In .NET Core the most flexible way to implement such a safelist is an ActionFilterAttribute, because such an attribute can be applied to individual action methods as well as to whole controllers. The client IP address can be read from the context.HttpContext.Connection.RemoteIpAddress property.

For more information on implementing a Client IP safelist the Microsoft documentation provides the following article: https://docs.microsoft.com/en-us/aspnet/core/security/ip-safelist?view=aspnetcore-3.1
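The following is an added example of such a filter, not code from the original article or from Microsoft's documentation. It assumes a hypothetical attribute name `ApimOnly`, an `ApimSafelist` array in appsettings.json holding the APIM instance's public IP addresses (the values shown are constructed placeholders), and that the filter resolves `IConfiguration` and `ILogger` from the request's service provider, as the linked Microsoft article does.

```csharp
using System;
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// appsettings.json (constructed placeholder values, replace with the IPs
// shown in the overview pane of your APIM instance):
//
//   "ApimSafelist": [ "203.0.113.10", "203.0.113.11" ]

// Hypothetical action filter: rejects any request whose remote IP address is not
// one of the configured APIM public IP addresses. Apply it to an action method
// or to a whole controller with [ApimOnly].
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class ApimOnlyAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        var services = context.HttpContext.RequestServices;
        var config = services.GetRequiredService<IConfiguration>();
        var logger = services.GetRequiredService<ILogger<ApimOnlyAttribute>>();

        var remoteIp = context.HttpContext.Connection.RemoteIpAddress;
        if (remoteIp == null)
        {
            // No connection address available (e.g. some test hosts): fail closed.
            logger.LogWarning("Request to {Path} rejected: no remote IP address", context.HttpContext.Request.Path);
            context.Result = new StatusCodeResult(StatusCodes.Status403Forbidden);
            return;
        }

        // Kestrel reports IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d) when
        // listening dual-stack; normalise so IPAddress.Equals compares correctly.
        if (remoteIp.IsIPv4MappedToIPv6)
        {
            remoteIp = remoteIp.MapToIPv4();
        }

        // Parse the safelist from configuration; an unparsable entry is a
        // deployment error, so let IPAddress.Parse throw rather than silently skip it.
        var safelist = (config.GetSection("ApimSafelist").Get<string[]>() ?? Array.Empty<string>())
            .Select(IPAddress.Parse)
            .ToArray();

        if (!safelist.Any(allowed => allowed.Equals(remoteIp)))
        {
            // Log the denied address: repeated hits here indicate someone bypassing APIM.
            logger.LogWarning("Direct access to {Path} from {RemoteIp} denied (not an APIM address)",
                context.HttpContext.Request.Path, remoteIp);
            context.Result = new StatusCodeResult(StatusCodes.Status403Forbidden);
            return;
        }

        base.OnActionExecuting(context);
    }
}

// Usage: only this action is restricted; the rest of the controller stays public.
[ApiController]
[Route("api/[controller]")]
public class OrdersController : ControllerBase
{
    [HttpGet("public-status")]
    public IActionResult PublicStatus() => Ok("reachable directly and via APIM");

    [ApimOnly]
    [HttpGet("internal-report")]
    public IActionResult InternalReport() => Ok("reachable only via APIM");
}
```

Two points to check before relying on this. First, if the API itself sits behind a load balancer or reverse proxy, RemoteIpAddress will be the proxy's address, not APIM's; in that case configure the ForwardedHeaders middleware (with KnownProxies/KnownNetworks restricted to that proxy) so the real client address is restored before the filter runs, and never trust an unvalidated X-Forwarded-For header. Second, treat the safelist as defence in depth alongside the APIM subscription key or client certificate rather than as the only control, since the check proves only that the request came through APIM, not which consumer sent it.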
