Azure API Management


How to restrict direct call to APIs?


Hi there,
This question was originally asked here: http://forums.asp.net/p/2026790/5840116.aspx?Re+how+to+restrict+direct+call+to+APIs+
Our ASP.NET Web API uses the Azure REST API Management system.
My actual URL of the API is: aurl.com and the management URL is restapiurl.net
I can make a call to either URL and the API is executed successfully. We only allow calls via the management API. Is there any way we can restrict direct API calls?
Gaurav Arora mycity : http://mynangal.com
Gaurav,
The video Steve shared did mention 2 options to secure your backend. In general, there are 4 options, you can use one or more of them in combination:
1. Basic Authentication
2. Shared secret
3. Whitelisting IP address. (If you have a standard tier instance, the API Management proxy IP is guaranteed to be static)
4. SSL mutual authentication (http://azure.microsoft.com/en-us/documentation/articles/api-management-howto-mutual-certificates/)
Regards,
Miao
Hi Gaurav,
Thanks for sharing!
I will research this issue on my side and post back for you. Thanks for your understanding.
Regards,
Will
Hi,
Please check out the following video: Last-mile Security with Azure API Management, which discusses how to secure back-end services, I think it may have exactly the information that you need.
https://www.youtube.com/watch?v=YgQJjRye_Y8&list=PL8nfc9haGeb4khJEFcDU9Lluit5nYlB3a&index=7
Steve Danielson MSFT
Hi Steve,
Thanks for sharing the URL. Unfortunately, it says nothing related to my problem.
The actual issue is that my Web API is api.domain.com and I hosted the same on azureapi.domain.com
Here, users can directly make calls to api.domain.com but I wanted to restrict them via azureapi.domain.com
Gaurav Arora mycity : http://mynangal.com
Hi Gaurav,
Thanks for sharing!
I will research this issue on my side and post back for you. Thanks for your understanding.
Regards,
Will
Thanks Will,
I am waiting for some good news :)
Gaurav Arora mycity : http://mynangal.com
Still looking for good solution?
Thanks & Regards, Gaurav Kumar Arora http://gaurav-arora.com http://mynangal.com
Still looking for good solution!
Thanks & Regards, Gaurav Kumar Arora http://gaurav-arora.com http://mynangal.com
A similar question is being asked on StackOverflow where a user is trying to implement a shared secret solution between API Management and Web API. See
http://stackoverflow.com/questions/32637656/best-place-to-check-shared-secret-in-web-api
I added a code sample that shows how to check the shared secret in the WebAPI.
Darrel
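The shared-secret option from Miao's list, checked on the Web API side, as an added example that is not part of the thread and not the sample Darrel refers to. The header name `X-Backend-Secret` and the appSettings key `ApimSharedSecret` are assumptions chosen for illustration.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Added example. Assumes the gateway attaches the secret in a header named
// "X-Backend-Secret" (hypothetical name) on every request it forwards.
public class SharedSecretHandler : DelegatingHandler
{
    private const string HeaderName = "X-Backend-Secret";
    private readonly byte[] _expected;

    public SharedSecretHandler(string secret)
    {
        // Fail closed at startup: an empty secret would let every caller through.
        if (string.IsNullOrEmpty(secret))
            throw new ArgumentException("Shared secret must be configured.", nameof(secret));
        _expected = Encoding.UTF8.GetBytes(secret);
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Reject when the header is missing, repeated, or does not match.
        if (!request.Headers.TryGetValues(HeaderName, out var values))
            return Reject(request);
        var supplied = values.ToArray();
        if (supplied.Length != 1 ||
            !FixedTimeEquals(Encoding.UTF8.GetBytes(supplied[0]), _expected))
            return Reject(request);
        return base.SendAsync(request, cancellationToken);
    }

    private static Task<HttpResponseMessage> Reject(HttpRequestMessage request) =>
        Task.FromResult(new HttpResponseMessage(HttpStatusCode.Forbidden) { RequestMessage = request });

    // Compare without exiting early so timing does not reveal how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
// Registration in WebApiConfig.Register, reading the hypothetical appSettings key:
//   config.MessageHandlers.Add(new SharedSecretHandler(
//       System.Configuration.ManagementManager == null ? null : null));
```

On the API Management side the header would be attached with a `set-header` policy in the inbound section. With the handler registered, a direct call to the backend URL that lacks the header receives 403, while calls forwarded by the gateway pass through.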
I found a way to do this and am posting my answer here so that others can benefit:
1. Set a policy to change the URL - refer to the policy guidelines in the documentation
2. Use the REST API to validate the API key with the incoming request.
Thanks & Regards, Gaurav Kumar Arora http://gaurav-arora.com http://mynangal.com
