Threat protection and bot detection policies in Azure API Manager - azure-api-management

1) Both Apigee and WSO2 have OOTB threat protection policies for threats such as XML Bombs, XML External Entity Attacks, XPath Injection, JavaScript Injection, etc. Does Azure API Manager support that?
2) Apigee supports bot detection. Does Azure APIM support that?

APIM doesn't have that, but another Azure product - App Gateway - does similar things: https://azure.microsoft.com/en-us/services/application-gateway/. It can be set up to work with APIM.
APIM doesn't have that either; not sure about anything else in Azure.

Related

Is there a way to capture network traces for Azure API management?

Is there a way to capture network traces for Azure API Management when we make a REST API call?
In my case, it makes a REST API call and the request goes through custom DNS to the destination resource. I wanted to capture the network traffic to analyze in case of any transient failures.
No, this capability does not exist so far; you have to open a support ticket and get help from the support team.

What are the main differences between Subscription Key and OAuth 2.0 in Azure API Management?

I'm looking for a way to protect my APIs in APIM. I really don't understand the difference between Subscription Key and OAuth 2.0 using an Access Token. Can we use OAuth 2.0 instead of Subscription Key, or use both?
As per my understanding,
In simple terms:
Subscription keys are the common way to access the Azure APIs in an APIM instance.
If the API requires a subscription key for the user to access it, then we call it a secured API. Otherwise, it is an unsecured API and mostly used by the public.
But for unsecured access to certain APIs, configuring another mechanism to secure client access is recommended.
The other mechanisms to secure access to APIs in APIM are OAuth 2.0, client certificates, and restricting caller IPs.
As DeepDave recommended, this SO thread states that:
It is not possible to use an OAuth token to identify the client, but you can use it for rate-limiting and logging (of sorts).
You can easily identify the users and their level of access (to how many products/APIs they have access) by using subscription keys, because they are associated with 3 scopes: product level, all-APIs level, or an individual level.
OAuth 2.0 provides an extra layer of security in both authentication and authorization.
To implement the other mechanisms like OAuth 2.0, these references are useful:
Protect APIM using OAuth2.0
API Protecting Mechanisms in Azure
A Workaround of Protecting APIs in Azure API Management using OAuth 2.0 Client Credential Flow & test using Postman
Extra layer of security to avoid unauthorized access to APIs using OAuth 2.0
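An added inbound policy illustrating the layered setup the answer describes (it is example code, not part of the answer or of any linked article): the subscription key is enforced by the API's "Requires subscription" setting, and on top of it the policy validates an OAuth 2.0 bearer token, restricts caller IPs, and uses the token's subject for rate limiting. The OpenID configuration URL, audience, scope value and address range are placeholders.

```xml
<policies>
  <inbound>
    <base />
    <!-- Second layer on top of the subscription key: validate the OAuth 2.0 access token -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
      <!-- Placeholder: your identity provider's OpenID configuration endpoint -->
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <!-- Placeholder: the application ID URI of the API -->
        <audience>api://{backend-app-id}</audience>
      </audiences>
      <required-claims>
        <!-- Placeholder scope; the token must carry at least this scope -->
        <claim name="scp" match="any" separator=" ">
          <value>orders.read</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- Third layer: only accept callers from a known address range (placeholder range) -->
    <ip-filter action="allow">
      <address-range from="203.0.113.0" to="203.0.113.255" />
    </ip-filter>
    <!-- The token cannot identify the subscription, but its subject works as a rate-limit key;
         fall back to the caller IP if no token subject is present -->
    <rate-limit-by-key calls="100" renewal-period="60"
        counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject ?? context.Request.IpAddress)" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```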

Azure API Management - User Metadata

I am using Azure API Management to provide an API gateway for some APIs. To set up a policy for a particular API, I have used a Property (Named Value) to store user metadata and then I assign it to a variable in the incoming request. When adding a new user I need to add metadata for the new user into the JSON. The property value has grown and exceeded the limit now and I cannot add more info to it anymore. I am wondering what the best way is to store my large metadata in order to be accessible in an API Management policy?
Update1:
I have switched the authentication process from Azure to Auth0 so I can add the user metadata to Auth0 app_metadata, and then in Azure policies I validate the JWT from Auth0 and obtain the token claim (app_metadata), as explained in this article. By doing so I can solve the large user metadata (JSON) issue; however, this doesn't solve other non-related user metadata stored in other Properties (Named Values), and moreover the API gateway inbound policies are growing and becoming a huge bunch of logic which is not easy to manage and maintain.
At this stage I am looking for a solution to handle all the API gateway inbound policies in a better way and a more manageable environment, i.e. C#. So my two cents is to implement the API gateway inbound policies in a new .NET API and call this new API from the existing API gateway inbound policies so that it can play a bridge role between the Azure API gateway and the existing API. However, I'm still not sure if this is achievable and whether the existing API can be called via the new API directly or it should be called via the Azure API gateway in some way!
At this point you have to either store it in multiple variables or hardcode it in policy directly.
After more research I ended up with this solution, which basically suggests storing the user metadata in Azure Cosmos DB and calling the Cosmos API in an API Management policy to access the metadata; the Cosmos API call can also be cached in the policy.
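An added policy sketch of the cached-lookup pattern from the accepted approach (example code, not the poster's policy): the caller is identified from the validated JWT, the metadata is served from the APIM cache when present, and only on a cache miss is the metadata store called and the result cached. It assumes the Cosmos DB data is reachable through a placeholder endpoint authenticated with a key kept in a Named Value (`metadata-api-key`); the Cosmos DB REST API's own HMAC authorization header is not shown.

```xml
<policies>
  <inbound>
    <base />
    <!-- Caller identity from the JWT; validate-jwt is assumed to have run earlier in the policy -->
    <set-variable name="userId" value="@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject ?? "anonymous")" />
    <!-- Try the cache first so the store is not called on every request -->
    <cache-lookup-value key="@("user-metadata-" + (string)context.Variables["userId"])" variable-name="userMetadata" />
    <choose>
      <when condition="@(!context.Variables.ContainsKey("userMetadata"))">
        <!-- Cache miss: fetch the user's metadata document (placeholder URL, key from a Named Value) -->
        <send-request mode="new" response-variable-name="metadataResponse" timeout="10" ignore-error="false">
          <set-url>@("https://metadata.example.invalid/users/" + (string)context.Variables["userId"])</set-url>
          <set-method>GET</set-method>
          <set-header name="x-functions-key" exists-action="override">
            <value>{{metadata-api-key}}</value>
          </set-header>
        </send-request>
        <set-variable name="userMetadata" value="@(((IResponse)context.Variables["metadataResponse"]).Body.As<string>())" />
        <!-- Keep it for 5 minutes; tune to how quickly metadata changes must take effect -->
        <cache-store-value key="@("user-metadata-" + (string)context.Variables["userId"])" value="@((string)context.Variables["userMetadata"])" duration="300" />
      </when>
    </choose>
    <!-- Decide from the metadata; here a constructed "active" flag gates access -->
    <choose>
      <when condition="@((bool?)JObject.Parse((string)context.Variables["userMetadata"])["active"] != true)">
        <return-response>
          <set-status code="403" reason="Forbidden" />
        </return-response>
      </when>
    </choose>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```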

Can Azure API Management be used in reverse, i.e. to wrap third-party APIs?

We are having to use some external third-party APIs and there are various issues which API Management policies would solve.
Is it valid to have our internal calls route through API Management to the external site?
I see no problems with this setup; ultimately APIM does not require you to own the backend services you're invoking.

Azure API Management - Configure operations through code

In Azure API Management, we can create operations through the Portal. See below link.
https://azure.microsoft.com/en-in/documentation/articles/api-management-howto-add-operations/
Is there any way to configure the operations through C#/code instead of the portal?
Regards,
Pratik
We have REST APIs as well as PowerShell cmdlets.
https://msdn.microsoft.com/library/azure/dn894081.aspx?f=255&MSPPError=-2147217396