Azure API Management IP for whitelisting - azure-api-management

I have a bunch of app services listed in API management. These services call third party clients who want to whitelist my IP.
I would like to give them the public IP address of the APIM instance. I tried to check this by having my app service hosted in APIM call a dummy function app I had created. In the dummy function app I logged the header details.
It appeared that the IP coming through was that of the app service and not the APIM instance. I was expecting (and hoping) it to be the APIM IP.

See the APIM overview page; the public IP will be visible in the top section.

APIM is only a gateway in front of app service. It is not a host environment for app service. So if you call 3rd party services from within the app service, the IP of the caller will always be the app service. It won't be the IP of APIM. Actually the call won't go through APIM at all.

Related

How to access secured API Management APIs linked to an Azure Static Web Application for local development with swa cli

How to call the secured API management linked APIs configured in azure portal when developing locally using SWA CLI? All I observed in the SWA configuration is meant for functions as APIs not the APIM.
https://learn.microsoft.com/en-us/azure/static-web-apps/apis-api-management
When adding API Management APIs to an azure static web app, an automatic proxy product is created on APIM securing access to the API for this app via /api prefix on the static web app domain. I did not see any mentions of how this works for local development to pass the user claims from SWA emulator to the API via that proxy?
I was trying to do this recently and I don't think it's possible. My solution was to add a proxy to my dev server (in my case vite) to proxy all requests to the /api route to the Api Management URL, setting the necessary subscription key header.

Securing free API App Service behind consumption API Management

I have created a .NET Core API and deployed it as an App Service in Azure. On top of that, I have an instance of Azure API Management. Now I want the API to be only accessible through the APIM.
During the free testing phase, I restricted the access to the API to the IP of the APIM. As I do not expect my API to have high traffic and to save costs, I now switched to free and consumption tier.
As my APIM uses the consumption tier, there is no static IP that I could use to restrict the API access.
As my App Service uses a free plan, neither VNet Integration nor incoming client certificates are available.
Is there a way to secure a free App Service API with an APIM in consumption tier with Azure, apart from implementing it myself?
You have a few options with Consumption SKU in mind:
Basic auth - make APIM send a well known secret and check for that secret in API App.
Client certificate authentication - make APIM use client cert to connect to API App and check for it there.
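An added example, not part of the answer above or of any Microsoft sample: one way the API App could check the Basic credentials that APIM is configured to send. The setting names `Gateway:User` and `Gateway:Password`, the `/ping` route and the `IsGateway` helper are assumptions made for illustration.

```csharp
// ASP.NET Core (.NET 6+) minimal API: reject any request that does not carry
// the Basic credentials the gateway sends to this backend.
using System.Security.Cryptography;
using System.Text;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Assumed setting names; supply them as App Service application settings
// (Gateway__User, Gateway__Password), never from source control.
string user = builder.Configuration["Gateway:User"]
    ?? throw new InvalidOperationException("Gateway:User is not configured");
string password = builder.Configuration["Gateway:Password"]
    ?? throw new InvalidOperationException("Gateway:Password is not configured");
byte[] expected = SHA256.HashData(Encoding.UTF8.GetBytes($"{user}:{password}"));

// Registered before the endpoints, so it runs on every request.
app.Use(async (context, next) =>
{
    string header = context.Request.Headers["Authorization"].ToString();
    if (!IsGateway(header, expected))
    {
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        return; // short-circuit: the request never reaches an endpoint
    }
    await next(context);
});

app.MapGet("/ping", () => "ok"); // placeholder endpoint
app.Run();

// True only for "Basic <base64(user:password)>" matching the expected pair.
static bool IsGateway(string header, byte[] expectedHash)
{
    const string scheme = "Basic ";
    if (!header.StartsWith(scheme, StringComparison.OrdinalIgnoreCase)) return false;

    byte[] decoded;
    try { decoded = Convert.FromBase64String(header[scheme.Length..].Trim()); }
    catch (FormatException) { return false; } // malformed base64 is a rejection, not a 500

    // Hash both sides so the comparison is fixed-length and constant-time:
    // it reveals neither the secret's length nor how many bytes matched.
    return CryptographicOperations.FixedTimeEquals(SHA256.HashData(decoded), expectedHash);
}
```

The same credential has to be stored on the APIM side (for example as a secret named value) and rotated in both places together. It only protects the backend if the APIM-to-backend hop uses HTTPS.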

How to protect the Backend API against calls other than Azure API Management

I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.
I am planning to publish REST API Service with Azure API Management.
I am adding Azure AD authentication to the Azure API Management front. So, the API management front is secured. All the steps are described here.
All good so far. Here is the question (or challenge?):
Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against the request calls other than the API Management Calls?
How does the backend service know the identity and AAD group claims of the incoming call and access its claims?
A link to a code sample or online documentation would be a great help.
Update
While there are some overlaps with the following question:
How to prevent direct access to API hosted in Azure app service
... part of this question is still outstanding:
How does the backend service know the identity and AAD group claims of the incoming call and access its claims?
You can enable static IP restriction on your WebApp to only allow incoming traffic from the VIP of your APIM Service facing (keep in mind that in some specific scenarios the VIP may change, and the whitelist will need to be updated again).
Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions

Static ip for application deployed on IBM BlueMix for connecting to SMTP Server

I have deployed an application on IBM BlueMix. The application needs to use a smtp server for sending emails. The smtp server will only allow requests from a static ip. As the application is on the cloud, it may not always have a static ip.
In IBM Bluemix there is a service called Statica; however, as per the example, that is only for http and https requests. How can we get a static ip for the application to connect to a smtp server?
Your best bet for something like this would probably be to use an SMTP server that accepts some kind of login credentials - having the source IP be static is probably not going to be a tenable solution if you're running an app in the CloudFoundry apps on BlueMix.
If you need a static IP, I'd consider running your apps in the container service, or on a virtual.

Unable to configure Google Cloud Pub/Sub push subscriber

I have a Google Cloud project consisting of a compute engine instance which I want to configure as a push subscriber of Cloud Pub/Sub service. I have set up an Apache web server with a self-signed certificate on the instance and have also made a DNS entry (abc.mydomain.com) which points to the instance, which has a static IP address. I am already a verified owner of the domain (mydomain.com) on webmasters.
Whenever I add the subscription from the Cloud console, it fails with the error: "The subscription could not be added" and does not show any other useful information.
Please help.
Self-signed certificates are not supported.
There are a few options for you:
Pay for the certificate
Use App Engine as a proxy
Use pull subscriptions
Use App Engine Managed VM
The last one is basically a Compute Engine instance, but you will get free https connection via a subdomain of appspot.com.