How to protect the Backend API against calls other than Azure API Management












0















I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.



I am planning to publish REST API Service with Azure API Management.



I am adding Azure AD authentication to the Azure API Management front. So, the API management front is secured. All the steps are is described here.



All good so far. Here is the question (or challange?) :



Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against the request calls other than the API Management Calls?



How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?



A link to a code sample or online documentation would be a great help.



Update



While there are some overlaps with the follwoing question:



How to prevent direct access to API hosted in Azure app service



... part of this question is still outstanding:



How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?






azure-api-management







share|improve this question

























  • Possible duplicate of How to prevent direct access to API hosted in Azure app service

    – MKaz
    Nov 13 '18 at 7:45











  • @MKaz, please see my update.

    – Allan Xu
    Nov 13 '18 at 17:06











  • See stackoverflow.com/questions/52173908/…

    – Vitaliy Kurokhtin
    Dec 3 '18 at 18:46
















0















I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.



I am planning to publish REST API Service with Azure API Management.



I am adding Azure AD authentication to the Azure API Management front. So, the API management front is secured. All the steps are is described here.



All good so far. Here is the question (or challange?) :



Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against the request calls other than the API Management Calls?



How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?



A link to a code sample or online documentation would be a great help.



Update



While there are some overlaps with the follwoing question:



How to prevent direct access to API hosted in Azure app service



... part of this question is still outstanding:



How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?






azure-api-management







share|improve this question

























  • Possible duplicate of How to prevent direct access to API hosted in Azure app service

    – MKaz
    Nov 13 '18 at 7:45











  • @MKaz, please see my update.

    – Allan Xu
    Nov 13 '18 at 17:06











  • See stackoverflow.com/questions/52173908/…

    – Vitaliy Kurokhtin
    Dec 3 '18 at 18:46














0












0








0








I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.



I am planning to publish REST API Service with Azure API Management.



I am adding Azure AD authentication to the Azure API Management front. So, the API management front is secured. All the steps are is described here.



All good so far. Here is the question (or challange?) :



Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against the request calls other than the API Management Calls?



How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?



A link to a code sample or online documentation would be a great help.



Update



While there are some overlaps with the follwoing question:



How to prevent direct access to API hosted in Azure app service



... part of this question is still outstanding:



How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?






azure-api-management







share|improve this question
















I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.



I am planning to publish REST API Service with Azure API Management.



I am adding Azure AD authentication to the Azure API Management front. So, the API management front is secured. All the steps are is described here.



All good so far. Here is the question (or challange?) :



Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against the request calls other than the API Management Calls?



How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?



A link to a code sample or online documentation would be a great help.



Update



While there are some overlaps with the follwoing question:



How to prevent direct access to API hosted in Azure app service



... part of this question is still outstanding:



How the backend service knows the identity and AAD group claims of the incoming call and access to its claims?






azure-api-management




azure-api-management






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 13 '18 at 17:05







Allan Xu

















asked Nov 13 '18 at 0:00









Allan XuAllan Xu

1,78111837




1,78111837













  • Possible duplicate of How to prevent direct access to API hosted in Azure app service

    – MKaz
    Nov 13 '18 at 7:45











  • @MKaz, please see my update.

    – Allan Xu
    Nov 13 '18 at 17:06











  • See stackoverflow.com/questions/52173908/…

    – Vitaliy Kurokhtin
    Dec 3 '18 at 18:46



















  • Possible duplicate of How to prevent direct access to API hosted in Azure app service

    – MKaz
    Nov 13 '18 at 7:45











  • @MKaz, please see my update.

    – Allan Xu
    Nov 13 '18 at 17:06











  • See stackoverflow.com/questions/52173908/…

    – Vitaliy Kurokhtin
    Dec 3 '18 at 18:46

















Possible duplicate of How to prevent direct access to API hosted in Azure app service

– MKaz
Nov 13 '18 at 7:45





Possible duplicate of How to prevent direct access to API hosted in Azure app service

– MKaz
Nov 13 '18 at 7:45













@MKaz, please see my update.

– Allan Xu
Nov 13 '18 at 17:06





@MKaz, please see my update.

– Allan Xu
Nov 13 '18 at 17:06













See stackoverflow.com/questions/52173908/…

– Vitaliy Kurokhtin
Dec 3 '18 at 18:46





See stackoverflow.com/questions/52173908/…

– Vitaliy Kurokhtin
Dec 3 '18 at 18:46












2 Answers
2






active

oldest

votes


















0














You can enable static IP restriction on your WebApp to only allow incoming traffic from the VIP of your APIM Service facing ( keep in mind in some specific scenarios , the VIP may change and will be required to update the whitelist again).



Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App



https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions






share|improve this answer
























  • How do I know the IP range come from APIM? Is there any official IP list for Azure Services in every regions?

    – Allan Xu
    Nov 14 '18 at 4:05



















-1














You can use CORS to define which domain can access your API
See the documentation => https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-2.1






share|improve this answer
























  • CORS topic is important, but it is not directly related to this question. Because CORS is related to browser to service interaction. But we cannot assume all the requests come from a browser.

    – Allan Xu
    Nov 13 '18 at 19:14











  • Can you tell me where it is write that is related to browser? It's not because the first line say that browser have a some-origin policy that CORS is related to browser. It's a server side control. You should really read more. CORS is controlling the DOMAIN origin... that's not related to browser. You just need to put inside your Register() in WebApiConfig config.EnableCors() and then putting as an attribute [EnableCors('http://www.thedomainyouwant.whatever')] and only calls from this url will be done. CORS allow cross-origin but can be used to same-origin policy as well

    – Max
    Nov 15 '18 at 13:59











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53271858%2fhow-to-protect-the-backend-api-against-calls-other-than-azure-api-management%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














You can enable static IP restriction on your WebApp to only allow incoming traffic from the VIP of your APIM Service facing ( keep in mind in some specific scenarios , the VIP may change and will be required to update the whitelist again).



Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App



https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions






share|improve this answer
























  • How do I know the IP range come from APIM? Is there any official IP list for Azure Services in every regions?

    – Allan Xu
    Nov 14 '18 at 4:05
















0














You can enable static IP restriction on your WebApp to only allow incoming traffic from the VIP of your APIM Service facing ( keep in mind in some specific scenarios , the VIP may change and will be required to update the whitelist again).



Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App



https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions






share|improve this answer
























  • How do I know the IP range come from APIM? Is there any official IP list for Azure Services in every regions?

    – Allan Xu
    Nov 14 '18 at 4:05














0












0








0







You can enable static IP restriction on your WebApp to only allow incoming traffic from the VIP of your APIM Service facing ( keep in mind in some specific scenarios , the VIP may change and will be required to update the whitelist again).



Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App



https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions






share|improve this answer













You can enable static IP restriction on your WebApp to only allow incoming traffic from the VIP of your APIM Service facing ( keep in mind in some specific scenarios , the VIP may change and will be required to update the whitelist again).



Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App



https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 14 '18 at 3:08









JoleiJolei

1




1













  • How do I know the IP range come from APIM? Is there any official IP list for Azure Services in every regions?

    – Allan Xu
    Nov 14 '18 at 4:05



















  • How do I know the IP range come from APIM? Is there any official IP list for Azure Services in every regions?

    – Allan Xu
    Nov 14 '18 at 4:05

















How do I know the IP range come from APIM? Is there any official IP list for Azure Services in every regions?

– Allan Xu
Nov 14 '18 at 4:05





How do I know the IP range come from APIM? Is there any official IP list for Azure Services in every regions?

– Allan Xu
Nov 14 '18 at 4:05













-1














You can use CORS to define which domain can access your API
See the documentation => https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-2.1






share|improve this answer
























  • CORS topic is important, but it is not directly related to this question. Because CORS is related to browser to service interaction. But we cannot assume all the requests come from a browser.

    – Allan Xu
    Nov 13 '18 at 19:14











  • Can you tell me where it is write that is related to browser? It's not because the first line say that browser have a some-origin policy that CORS is related to browser. It's a server side control. You should really read more. CORS is controlling the DOMAIN origin... that's not related to browser. You just need to put inside your Register() in WebApiConfig config.EnableCors() and then putting as an attribute [EnableCors('http://www.thedomainyouwant.whatever')] and only calls from this url will be done. CORS allow cross-origin but can be used to same-origin policy as well

    – Max
    Nov 15 '18 at 13:59
















-1














You can use CORS to define which domain can access your API
See the documentation => https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-2.1






share|improve this answer
























  • CORS topic is important, but it is not directly related to this question. Because CORS is related to browser to service interaction. But we cannot assume all the requests come from a browser.

    – Allan Xu
    Nov 13 '18 at 19:14











  • Can you tell me where it is write that is related to browser? It's not because the first line say that browser have a some-origin policy that CORS is related to browser. It's a server side control. You should really read more. CORS is controlling the DOMAIN origin... that's not related to browser. You just need to put inside your Register() in WebApiConfig config.EnableCors() and then putting as an attribute [EnableCors('http://www.thedomainyouwant.whatever')] and only calls from this url will be done. CORS allow cross-origin but can be used to same-origin policy as well

    – Max
    Nov 15 '18 at 13:59














-1












-1








-1







You can use CORS to define which domain can access your API
See the documentation => https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-2.1






share|improve this answer













You can use CORS to define which domain can access your API
See the documentation => https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-2.1







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 13 '18 at 17:10









MaxMax

25715




25715













  • CORS topic is important, but it is not directly related to this question. Because CORS is related to browser to service interaction. But we cannot assume all the requests come from a browser.

    – Allan Xu
    Nov 13 '18 at 19:14











  • Can you tell me where it is write that is related to browser? It's not because the first line say that browser have a some-origin policy that CORS is related to browser. It's a server side control. You should really read more. CORS is controlling the DOMAIN origin... that's not related to browser. You just need to put inside your Register() in WebApiConfig config.EnableCors() and then putting as an attribute [EnableCors('http://www.thedomainyouwant.whatever')] and only calls from this url will be done. CORS allow cross-origin but can be used to same-origin policy as well

    – Max
    Nov 15 '18 at 13:59



















  • CORS topic is important, but it is not directly related to this question. Because CORS is related to browser to service interaction. But we cannot assume all the requests come from a browser.

    – Allan Xu
    Nov 13 '18 at 19:14











  • Can you tell me where it is write that is related to browser? It's not because the first line say that browser have a some-origin policy that CORS is related to browser. It's a server side control. You should really read more. CORS is controlling the DOMAIN origin... that's not related to browser. You just need to put inside your Register() in WebApiConfig config.EnableCors() and then putting as an attribute [EnableCors('http://www.thedomainyouwant.whatever')] and only calls from this url will be done. CORS allow cross-origin but can be used to same-origin policy as well

    – Max
    Nov 15 '18 at 13:59

















CORS topic is important, but it is not directly related to this question. Because CORS is related to browser to service interaction. But we cannot assume all the requests come from a browser.

– Allan Xu
Nov 13 '18 at 19:14





CORS topic is important, but it is not directly related to this question. Because CORS is related to browser to service interaction. But we cannot assume all the requests come from a browser.

– Allan Xu
Nov 13 '18 at 19:14













Can you tell me where it is write that is related to browser? It's not because the first line say that browser have a some-origin policy that CORS is related to browser. It's a server side control. You should really read more. CORS is controlling the DOMAIN origin... that's not related to browser. You just need to put inside your Register() in WebApiConfig config.EnableCors() and then putting as an attribute [EnableCors('http://www.thedomainyouwant.whatever')] and only calls from this url will be done. CORS allow cross-origin but can be used to same-origin policy as well

– Max
Nov 15 '18 at 13:59





Can you tell me where it is write that is related to browser? It's not because the first line say that browser have a some-origin policy that CORS is related to browser. It's a server side control. You should really read more. CORS is controlling the DOMAIN origin... that's not related to browser. You just need to put inside your Register() in WebApiConfig config.EnableCors() and then putting as an attribute [EnableCors('http://www.thedomainyouwant.whatever')] and only calls from this url will be done. CORS allow cross-origin but can be used to same-origin policy as well

– Max
Nov 15 '18 at 13:59


















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53271858%2fhow-to-protect-the-backend-api-against-calls-other-than-azure-api-management%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Full-time equivalent

Image
Full-time equivalent From Wikipedia, the free encyclopedia Jump to navigation Jump to search Full-time equivalent ( FTE ) or whole time equivalent ( WTE ) is a unit that indicates the workload of an employed person (or student) in a way that makes workloads or class loads comparable [1] across various contexts. FTE is often used to measure a worker's or student's involvement in a project, or to track cost reductions in an organization. An FTE of 1.0 is equivalent to a full-time worker or student, while an FTE of 0.5 signals half of a full work or school load. [2] Contents 1 U.S. Federal Government 2 In education 2.1 Example 3 Notes 4 References U.S. Federal Government [ edit ] In the U.S. Federal Government, FTE is defined by the Government Accountability Office (GAO) as the number of total hours worked divided by the maximum number of compensable hours in a full-time schedule as
Read more

さくらももこ

Image
さくら ももこ 本名 非公開 [1] 生誕 ( 1965-05-08 ) 1965年5月8日 日本・静岡県清水市 (現・静岡市清水区) 死没 ( 2018-08-15 ) 2018年8月15日(53歳没) 日本・東京都目黒区 国籍 日本 職業 漫画家 エッセイスト 作詞家 活動期間 1984年 - 2018年 ジャンル 少女漫画 青年漫画 児童漫画 代表作 『ちびまる子ちゃん』 『コジコジ』 受賞 1989年:第13回講談社漫画賞少女部門 (『ちびまる子ちゃん』) 1990年:第32回日本レコード大賞 (『おどるポンポコリン』作詞) 公式サイト さくらプロダクション テンプレートを表示 さくら ももこ (1965年5月8日 - 2018年8月15日 [2] )は、日本の漫画家、エッセイスト、作詞家、脚本家。また、自身の少女時代をモデルとした代表作のコミック『ちびまる子ちゃん』の主人公の名前でもある。静岡県清水市(現・静岡市清水区)出身。血液型はA型。身長159cm。一男の母親。 代表作のコミック『ちびまる子ちゃん』の単行本の売上は累計3000万部を超える。また、エッセイストとしても独特の視点と語り口で人気が高く、初期エッセイ集三部作『もものかんづめ』『さるのこしかけ』『たいのおかしら』はいずれもミリオンセラーを記録。 目次 1 経歴 2 人物・交遊関係 3 主な作品 3.1 漫画 3.2 エッセイ 3.3 作詞 3.4 詩集 3.5 雑誌・ムック本 3.6 翻訳 3.7 絵本、ドラマ脚本他 3.8 ラジオ出演 3.9 その他 4 関係人物 4.1 アシスタント 4.2 さくらももこを演じた人物 5 脚注 5.1 注釈 5.2 出典 6 外部リンク 経歴 年譜形式の経歴は推奨されていません 。人物の伝記は流れのあるまとまった文章で記述し、年譜は補助的な使用にとどめてください。 ( 2018年8月 ) 清水市立(当時)入江小学校
Read more

13 indicted, 8 arrested in Calif. drug cartel investigation

Image
Fox News U.S. World Opinion Politics Entertainment Business Lifestyle TV Radio More Expand / Collapse search Login Watch TV ☰ Hot Topics U.S. Crime Military Education Terror Immigration Economy Personal Freedoms World U.N. Conflicts Terrorism Disasters Global Economy Environment Religion Scandals Opinion Politics Executive Senate House Judiciary Foreign policy Polls Elections Entertainment Celebrity News Movies TV News Music News Style News Entertainment Video Business Markets Politics Technology Features Business Leaders Lifestyle Food + Drink Cars + Trucks Travel + Outdoors House + Home Fitness + Well-being Style + Beauty Family Science Archaeology Air & Space Planet Earth Wild Nature Natural Science Dinosaurs Tech Security Innovation Drones Computers Video Games Military Tech Health Healthy Living Medical Research Mental Health Cancer Heart Health Children'
Read more