-1

I have created a .NET Core API and deployed it as an App Service in Azure. On top of that, I have an instance of Azure API Management. Now I want the API to be only accessible through the APIM.

During the free testing phase, I restricted the access to the API to the IP of the APIM. As I do not expect my API to have high traffic and to save costs, I now switched to free and consumption tier.

As my APIM uses the consumption tier, there is no static IP that I could use to restrict the API access. As my App Service uses a free plan, neither VNet Integration nor incoming client certificates are available.

Is there a way to secure a free App Service API with an APIM in consumption tier with Azure, apart from implementing it myself?

1 Answer

1

You have a few options with Consumption SKU in mind:

  1. Basic auth - make APIM send a well known secret and check for that secret in API App.
  2. Client certificate authentication - make APIM use client cert to connect to API App and check for it there.
Vitaliy Kurokhtin
  • Hi @vitaliy! Many thanks for taking the time to answer. Am I right that for both options I have to implement it in code? Because I did not see any configuration for basic auth or client certificate authentication in Azure App Service (Free tier). – DanielGrams Jun 05 '19 at 10:58
  • Client certificate requirement may be configured for the app: https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth, but actual code to validate the certificate must be implemented inside the app. Basic auth should be done entirely in code. – Vitaliy Kurokhtin Jun 05 '19 at 17:28
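Added example, not part of the original answer or comments: one way the "check for that secret in API App" step of option 1 can look in ASP.NET Core (6 or later, minimal hosting). The setting name `Apim:SharedSecret`, the user name `apim` and the `/ping` route are assumptions made for illustration.

```csharp
// Added example, not code from the thread. Assumptions: the secret is stored in
// an app setting named "Apim:SharedSecret" and the gateway sends
// "Authorization: Basic base64(apim:<secret>)" on every backend call.
using System;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Fail closed at startup: a missing secret must not turn into "accept everyone".
var secret = app.Configuration["Apim:SharedSecret"];
if (string.IsNullOrEmpty(secret))
    throw new InvalidOperationException("Apim:SharedSecret is not configured.");
var expected = SHA256.HashData(Encoding.UTF8.GetBytes("apim:" + secret));

// Registered before any endpoint so every request is checked.
app.Use(async (context, next) =>
{
    if (!IsFromGateway(context.Request, expected))
    {
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        context.Response.Headers["WWW-Authenticate"] = "Basic realm=\"api\"";
        return; // short-circuit: the request never reaches a controller
    }
    await next(context);
});

app.MapGet("/ping", () => "ok");
app.Run();

static bool IsFromGateway(HttpRequest request, byte[] expectedHash)
{
    if (!AuthenticationHeaderValue.TryParse(request.Headers["Authorization"], out var header)
        || !"Basic".Equals(header.Scheme, StringComparison.OrdinalIgnoreCase)
        || string.IsNullOrEmpty(header.Parameter))
        return false;

    var buffer = new byte[header.Parameter.Length]; // decoded size never exceeds base64 length
    if (!Convert.TryFromBase64String(header.Parameter, buffer, out var written))
        return false;

    // Hash both sides to a fixed length, then compare in constant time so the
    // response time does not reveal how many leading bytes matched.
    var presented = SHA256.HashData(buffer.AsSpan(0, written));
    return CryptographicOperations.FixedTimeEquals(presented, expectedHash);
}
```

On the gateway side, APIM's `authentication-basic` policy can attach the matching credentials to backend requests. Keep the secret in configuration on both ends rather than in source, and serve the App Service over HTTPS only, since Basic credentials are merely base64-encoded.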