API Management to forward client certificate - azure-api-management

I am trying to achieve the following scenario but end up with a 403 response.
Client -> sends Cert A -> API Management -> Forwards Cert A -> Backend API (Azure Api App) -> Authenticates the certificate.
Is there a way to configure API Management to forward the incoming certificate to the backend API?
I tried various transformation policies on the incoming request but none of the options worked.
Please suggest.

This is technically not possible since the client certificate's private key is never transmitted over the wire, so there is no way APIM could use it to authenticate to the backend. Even more so since there is no affinity between the client connection and the backend connection in APIM. Your best option is to send client certificate information in a custom header. You can use the set-header policy to set it at the APIM level, along with policy expressions to extract client certificate information from the request.
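As an added example (not part of the answer above), this is the inbound policy that the answer describes: it reads the caller's certificate from context.Request.Certificate, the documented APIM policy-expression property, and passes its details to the backend in custom headers. The header names are placeholders chosen for this example; any real deployment can pick its own.

```xml
<inbound>
  <base />
  <!-- Added example. Without a client certificate there is nothing to forward,
       so reject rather than send an unauthenticated request to the backend. -->
  <choose>
    <when condition="@(context.Request.Certificate == null)">
      <return-response>
        <set-status code="403" reason="Client certificate required" />
      </return-response>
    </when>
  </choose>
  <!-- exists-action="override" matters: a caller who sends these headers itself
       gets them replaced by APIM, so the backend never sees a caller-supplied value. -->
  <set-header name="X-Client-Cert" exists-action="override">
    <!-- Full certificate (public part only) as base64 DER, for backends that
         want to re-parse or pin it. -->
    <value>@(Convert.ToBase64String(context.Request.Certificate.RawData))</value>
  </set-header>
  <set-header name="X-Client-Cert-Thumbprint" exists-action="override">
    <value>@(context.Request.Certificate.Thumbprint)</value>
  </set-header>
  <set-header name="X-Client-Cert-Subject" exists-action="override">
    <value>@(context.Request.Certificate.SubjectName.Name)</value>
  </set-header>
</inbound>
```

The backend may only trust these headers if it can tell the request really came from APIM; otherwise anyone who can reach the backend directly can forge them. Pair this with APIM authenticating to the backend with its own certificate (authentication-certificate) or with network restrictions on the backend, as the later questions on this page discuss. Note also that context.Request.Certificate is only populated when the APIM hostname is configured to negotiate client certificates.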

With the new authentication-certificate policy (learn.microsoft.com) you may return the certificate as a byte[] coming from a separate send-request response-variable and use it as follows:
<authentication-certificate body="@(context.Variables.GetValueOrDefault<byte[]>("byteCertificate"))" password="optional-certificate-password" />
You could store the password as a secret named value or even get it from the KeyVault by using this snippet:
github.com/Azure/api-management-policy-snippets
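As an added example (not part of the answer above), the following inbound policy shows where the byte[] in that snippet can come from: a send-request to Key Vault using APIM's managed identity, with the PFX decoded into the variable that authentication-certificate consumes. The vault name, secret name and the assumption that the certificate was imported into Key Vault (so it is readable through the secrets endpoint as a base64 PFX) are this example's, not the answer's.

```xml
<inbound>
  <base />
  <!-- Added example. Fetch the backend client certificate from Key Vault.
       Placeholders: example-vault, backend-client-cert. APIM's managed identity
       needs the secrets/get permission on the vault. -->
  <send-request mode="new" response-variable-name="kvResponse" timeout="20" ignore-error="false">
    <set-url>https://example-vault.vault.azure.net/secrets/backend-client-cert?api-version=7.4</set-url>
    <set-method>GET</set-method>
    <authentication-managed-identity resource="https://vault.azure.net" />
  </send-request>
  <!-- Fail closed: if the vault did not answer 200, do not forward the request
       to the backend without a client certificate. -->
  <choose>
    <when condition="@(((IResponse)context.Variables["kvResponse"]).StatusCode != 200)">
      <return-response>
        <set-status code="500" reason="Backend credential unavailable" />
      </return-response>
    </when>
  </choose>
  <!-- The secret's JSON "value" field holds the base64 PFX; decode it into the
       byte[] that authentication-certificate expects. -->
  <set-variable name="byteCertificate" value="@(Convert.FromBase64String(((IResponse)context.Variables["kvResponse"]).Body.As<JObject>()["value"].ToString()))" />
  <!-- A PFX exported from Key Vault this way is not password protected, so the
       password attribute is omitted; add password="{{backend-cert-password}}"
       (a secret named value) if your store encrypts it. -->
  <authentication-certificate body="@(context.Variables.GetValueOrDefault<byte[]>("byteCertificate"))" />
</inbound>
```

Fetching the PFX on every request adds a Key Vault round trip to each call; cache the decoded bytes with cache-store-value, or, where the certificate can be uploaded to APIM (optionally Key Vault-backed), reference it with the certificate-id or thumbprint attribute of authentication-certificate instead of the body attribute.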

Related

Pipelining API calls using Azure APIM Policies

I'm somewhat new to Azure APIM and am trying to figure out a solution to a scenario which I've been tasked to solve using APIM policies. Here's how the workflow is supposed to work:
System A makes a REST call to the APIM gateway.
This triggers APIM to call REST API endpoint B to get a value x.
Finally, APIM needs to relay the original call received from system A to system C such that the header information from the System A's call and value x from endpoint B's call are included.
Thus, is there a way to accomplish this using only a combination of Azure APIM policies?
Thanks,
1 & 2. You can connect System A to System B via the Azure APIM gateway. You can connect APIM with System B following the steps suggested in this answer: Azure Api management for connecting to application
After the connection, the REST API URL will be ready, which you can call from System A to set up the connection.
3. All the parameters (headers/payload) sent to the API by the calling service (System A) will be passed to System B as they are unless you make changes.
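As an added example (not part of the answer above), this is the policy-only version of the three steps in the question: a send-request to endpoint B from the inbound section, the value x pulled out of B's response, and the original request forwarded to System C with x added as a header. The URLs, the JSON field name "x" and the header name X-Lookup-Value are placeholders of this example.

```xml
<policies>
  <inbound>
    <base />
    <!-- Added example. Step 2: call endpoint B for value x. mode="new" sends a
         fresh request rather than the caller's, so System A's headers and body
         stay untouched for the forward to C. -->
    <send-request mode="new" response-variable-name="lookupB" timeout="10" ignore-error="false">
      <set-url>https://endpoint-b.example.internal/lookup</set-url>
      <set-method>GET</set-method>
      <set-header name="X-Correlation-Id" exists-action="override">
        <value>@(context.RequestId.ToString())</value>
      </set-header>
    </send-request>
    <!-- Fail closed if B did not return 200; otherwise C would receive a
         request with a missing or garbage x. -->
    <choose>
      <when condition="@(((IResponse)context.Variables["lookupB"]).StatusCode != 200)">
        <return-response>
          <set-status code="502" reason="Lookup failed" />
        </return-response>
      </when>
    </choose>
    <!-- Assumes B answers JSON like {"x": "..."} (constructed for this example). -->
    <set-variable name="x" value="@(((IResponse)context.Variables["lookupB"]).Body.As<JObject>()["x"].ToString())" />
    <!-- Step 3: add x to the caller's request. exists-action="override" stops
         System A from supplying its own X-Lookup-Value. -->
    <set-header name="X-Lookup-Value" exists-action="override">
      <value>@((string)context.Variables["x"])</value>
    </set-header>
    <set-backend-service base-url="https://system-c.example.internal" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

All of System A's original headers and payload reach System C because nothing in the policy rewrites them; only the one header is added. If x is sensitive, keep the call to B authenticated (for example with authentication-managed-identity inside send-request) rather than relying on network position alone.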

Mutual Certificate Authentication with Azure APIM

We have multiple devices which access a microservice via Azure APIM. Each device has a wrapper, for example a Mobile wrapper which accesses the microservice. Now I want to do mutual certificate authentication in order to restrict the mobile wrapper from accessing the microservice directly via APIM. Hence we decided to install a client certificate at the mobile wrapper, which is hosted on Azure App Service, and a server certificate at Azure APIM to do authentication before connecting to the microservices. Similarly we have multiple client certificates for individual device wrappers like the WhatsApp bot, FB etc. which will be interacting with APIM. My question is whether this approach is feasible from an architecture perspective.
Sure, that would work; just make sure that you actually test for a client certificate in APIM policy (context.Request.ClientCertificates) and validate them somehow. You could compare the thumbprint to a predefined hardcoded value, or call .Validate on a certificate if all of them are issued by a limited number of CAs and the CA cert is uploaded into APIM.
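As an added example (not part of the answer above), this inbound policy performs both checks the answer suggests, using the names APIM's policy-expression documentation actually exposes: context.Request.Certificate for the presented certificate, Verify() for chain validation against CA certificates uploaded to the APIM instance, and context.Deployment.Certificates for a thumbprint allowlist of the per-device wrapper certificates uploaded to APIM. It serves the thumbprint-check scenario in the "Secure webapi in APIm?" question below as well.

```xml
<inbound>
  <base />
  <!-- Added example. Each check fails closed with a 403; the order goes from
       cheapest to most specific. -->
  <choose>
    <!-- No certificate negotiated (or the hostname is not configured to ask for one). -->
    <when condition="@(context.Request.Certificate == null)">
      <return-response>
        <set-status code="403" reason="Client certificate required" />
      </return-response>
    </when>
    <!-- Chain validation against the CA certificates uploaded to this APIM
         instance; also rejects expired or not-yet-valid certificates. -->
    <when condition="@(!context.Request.Certificate.Verify())">
      <return-response>
        <set-status code="403" reason="Certificate chain not trusted" />
      </return-response>
    </when>
    <!-- Allowlist: the presented thumbprint must match one of the client
         certificates uploaded to APIM (one per device wrapper). -->
    <when condition="@(!context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
      <return-response>
        <set-status code="403" reason="Certificate not registered" />
      </return-response>
    </when>
  </choose>
  <!-- Keep the identity that authenticated, for the backend and for tracing. -->
  <set-variable name="wrapperThumbprint" value="@(context.Request.Certificate.Thumbprint)" />
</inbound>
```

Two caveats a deployment should check: the APIM hostname must have client certificate negotiation enabled or context.Request.Certificate stays null for every call, and a thumbprint allowlist needs an operational step whenever a wrapper's certificate is rotated. If all wrappers are issued by one private CA, the Verify() check alone is the lower-maintenance option; APIM's dedicated validate-client-certificate policy expresses the same checks declaratively.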

How to protect the Backend API against calls other than Azure API Management

I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.
I am planning to publish REST API Service with Azure API Management.
I am adding Azure AD authentication to the Azure API Management front. So, the API Management front is secured. All the steps are described here.
All good so far. Here is the question (or challenge?):
Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against the request calls other than the API Management Calls?
How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?
A link to a code sample or online documentation would be a great help.
Update
While there are some overlaps with the following question:
How to prevent direct access to API hosted in Azure app service
... part of this question is still outstanding:
How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?
You can enable static IP restriction on your Web App to only allow incoming traffic from the public-facing VIP of your APIM service (keep in mind that in some specific scenarios the VIP may change, and you will be required to update the whitelist again).
Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions

Secure webapi in APIm?

To borrow some thoughts on using APIm to secure a webapi, are the scenarios below supported?
certificate
The intention is to secure the Azure-hosted webapi. My thought now is to have APIm validate the incoming calling client and check that the thumbprint is one of the certificates I configured in APIm; once authenticated, APIm forwards the call to my webapi using another certificate (which I would hardcode in my webapi logic check).
IP restriction
The intention is to limit the caller IP in APIm; furthermore, I can somehow configure the webapi to accept calls only from APIm and nowhere else (lock down).
Yes, all the scenarios are possible. Refer to the links below.
Secure Apis with client certificate
Secure your backend with mutual certificates
Restrict caller IPs policy

AWS api gateway setting custom domain

I'm using the API Gateway service to manage my Spring Boot resources. I want to point the gateway to my sub-domain. I tried adding it as an alias in Route 53 but it does not work. There's an option in the API Gateway console which asks for my domain and some credentials. I don't know if a sub-domain can work and what I should add to the certificate input. Probably it is asking for an SSL certificate and I am ready to purchase one, but before I do that, I want to be sure that it accepts sub-domains.
Yes, API Gateway supports subdomains. You can try with self-signed certificate and see the options.
See the official documentation on using Custom Domain Names in API Gateway.