
We have an API-based microservice system, where a public API gateway (.NET Nancy API running on an Azure Website) calls into microserviced APIs (various technologies) to return data.

Currently, the microserviced APIs are either Azure Websites or Azure Functions (HTTP trigger), so that means they have a public endpoint, with HTTP exposed to the public (e.g. https://my-microservice.azurewebsites.net).

Is there any way to lock this down so that only the API gateway can call into it?

I've read about DIPR but that seems to be based on a public IPv4 address (I don't think we can get a static IP for the API gateway?).

Currently we make the microserviced APIs require authentication via bearer tokens (using an IdSrv auth server), but ideally I'd like to secure the APIs at the network level, then remove the token/IdSrv dependency. Can we leverage VNETs?

How do other people solve this? As in, how can we lock down an Azure Website from public access?

TIA.

Janusz Nowak
RPM1984

1 Answer


You should use Azure Virtual Network and create rules for inbound/outbound traffic (valid for Standard / Premium App Service Plans): https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-integrate-with-vnet

There's also Azure App Service environment for that, however it requires a Premium App Service Plan: https://learn.microsoft.com/en-us/azure/app-service-web/app-service-app-service-environment-intro

Thiago Custodio
  • Thanks for your answer. I'm assuming the VNET solution only applies to App Service Plan? Eg since Azure Functions on Consumption plan don't have fixed locations/VMs and no underpinned App Service Plan, they can't be placed in a VNET? If so what are my options for securing Azure Functions on Consumption plan? – RPM1984 May 15 '17 at 22:35
  • Also - looks like inbound/outbound traffic only applies to VMs/cloud services, not Web Apps? From my reading - it appears the only way to restrict access to an Azure Website is by using App Service Environment. – RPM1984 May 17 '17 at 00:24
  • I guess you're right. It seems that only through Azure Service Environments ... I'll check if there's any other way. – Thiago Custodio May 17 '17 at 01:20
  • https://feedback.azure.com/forums/169385-web-apps/suggestions/19304494-enable-only-azure-traffic :) :) Needs more votes. Ta @ThiagoCustodio for creating this UserVoice request. – Pure.Krome May 17 '17 at 04:52