
I'm trying to understand whether the Azure API Management suite includes any WAF functionality (as described by OWASP for example) within its Security or Policy settings.

If "no" or "don't know", does it make sense to front public-facing APIs (that handle PII) exposed via Azure API Management with a Web Application Firewall (WAF), or anywhere else in the Cloud -> APIM -> VPN -> Firewall -> On-Premise services topology?

Thanks in advance

juvchan
Bex Bissell

3 Answers

Based on this list of WAF capabilities, API Management can do some of these things out of the box, many could be implemented using custom policies, and some of these things cannot be done. Policies can manipulate HTTP requests and responses. However, they cannot function at a level lower than this.

There are no built-in functions to try and prevent injection attacks, but it is possible to build them. It is also a reasonable option to deploy a dedicated WAF between the API Management gateway and your APIs.

Darrel Miller
  • Does this mean we need to have WAF enabled Application gateway configured with API Management as backend pool to have a secure end point exposed to internet? – Joy George Kunjikkuru Nov 07 '18 at 14:29
  • That's what MS recommends, yes: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/apis/protect-apis – Daniel Hilgarth Apr 23 '23 at 13:35
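As an added illustration of what the answer above means by "possible to build them" (this is example policy written for this page, not code from the answer's author or from Microsoft), here is an API Management inbound policy that does a small part of what a WAF does: it caps the request size, runs a crude injection pattern check over the query string and body, throttles by client IP, and strips server-identifying response headers. The 64 KiB limit, the 100 calls/minute quota and the regular expression are assumptions for illustration; the regex is nowhere near an OWASP Core Rule Set and is exactly the kind of thing a dedicated WAF does better. The expression syntax follows Microsoft's policy documentation, which uses unescaped double quotes inside `@(...)` and `@{...}` attribute expressions; `\x3c` is the regex escape for `<` so the attribute stays valid XML.

```xml
<policies>
    <inbound>
        <base />
        <!-- 1. Refuse oversized bodies before buffering them (assumed 64 KiB cap; tune per API). -->
        <choose>
            <when condition="@(int.Parse(context.Request.Headers.GetValueOrDefault("Content-Length", "0")) > 65536)">
                <return-response>
                    <set-status code="413" reason="Payload Too Large" />
                </return-response>
            </when>
        </choose>
        <!-- 2. Crude injection screen over query string and body.
             The pattern is an illustrative assumption, not a WAF rule set:
             UNION SELECT, "; DROP TABLE", <script (written as \x3cscript) and OR 1=1. -->
        <set-variable name="looksMalicious" value="@{
            var pattern = @"(?i)(\bunion\b\s+\bselect\b|;\s*drop\s+table\b|\x3cscript\b|\bor\b\s+1\s*=\s*1)";
            var query = context.Request.Url.QueryString ?? string.Empty;
            var body = context.Request.Body == null
                ? string.Empty
                : context.Request.Body.As<string>(preserveContent: true);
            return System.Text.RegularExpressions.Regex.IsMatch(query + " " + body, pattern);
        }" />
        <choose>
            <when condition="@(context.Variables.GetValueOrDefault<bool>("looksMalicious"))">
                <return-response>
                    <set-status code="400" reason="Bad Request" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{"error":"request rejected"}</set-body>
                </return-response>
            </when>
        </choose>
        <!-- 3. Per-client throttling so a rejected-and-retried attack cannot hammer the gateway
             (assumed quota: 100 calls per 60 seconds per source IP). -->
        <rate-limit-by-key calls="100" renewal-period="60" counter-key="@(context.Request.IpAddress)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- 4. Do not leak backend implementation details to the caller. -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="Server" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Note what this policy cannot do, which is the answer's point about the "level lower than this": it sees only the HTTP request and response, so it cannot inspect TLS handshakes, block at the network layer, or apply a maintained rule set with anomaly scoring. It also does not emit a WAF-style security log; a rejected request shows up only as a 400 in the gateway's ordinary request logs, which is the logging concern raised in a comment on another answer here.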
You can make your API Management Service private inside a subnet and put App Gateway with WAF in front of it. The tricky part is that this is available only in the Premium plan for API Management.

However, since ultimately you want to protect your application, not the APIMS, from attacks like SQL injection, you can put AppGateway+WAF between APIMS and your application. At the same time AppGateway will be your Load Balancer.

SSL and end-to-end encryption will need some attention.

Piotr Gwiazda
  • Isn't that like activating the firewall of the VPN itself? Does the WAF in between really provide any benefit over that? Also, if it's in between, you don't benefit from the logging/triggered actions for attempted attacks that the WAF can provide. These won't be triggered if the APIM swallows the attempted attacks. – Heinzlmaen Feb 14 '22 at 14:52
It's best to have a separate WAF module on top of your APIMS.

APIMS <-> WAF <-> LB

API abuse is trending these days. I think the WAF protection built into many cloud providers is basically in its infancy. Better to use some dedicated WAF modules.

Vaisakh