Forum Discussion

ChrisTrailight
Copper Contributor
Nov 25, 2024

API Management service secure configuration for Standard v2 SKU

Hi all,

I am transitioning an API Management gateway from the Developer SKU to something Production ready. The Standard V2 SKU is the first tier that supports vnet integration which we require. The OWASP API security framework used by MS recommends that external connectivity to service configuration endpoints is disabled.

However, Direct Management API access is not supported in this tier (and the ps cmdlets are just wrappers for API calls)

So it seems it is not possible to disable public access to these endpoints in this sku. Is this the case? And if so, how is it possible to safely configure an APIMG using this sku?

Any pointers appreciated...

Chris

  • Consider the following:


    1. Use Network Security Groups (NSGs): Apply NSGs to restrict access to your API Management instance. This can help control inbound and outbound traffic, ensuring only trusted sources can reach your endpoints.
    2. Private Endpoints: Although the Standard V2 SKU does not support private endpoints directly, you can use a combination of VNet integration and NSGs to limit exposure. Ensure your API backends are isolated within the VNet.
    3. Azure Application Gateway: Deploy an Azure Application Gateway in front of your API Management instance. This can provide an additional layer of security, including Web Application Firewall (WAF) capabilities to protect against common threats.
    4. Custom Policies: Implement custom policies within API Management to enforce security measures, such as IP filtering, rate limiting, and JWT validation.
    5. Azure Front Door: Consider using Azure Front Door to manage and secure traffic to your API Management instance. It offers global load balancing, SSL termination, and DDoS protection.
    kyazaferr
    Iron Contributor

    Use VNet Integration for Isolation

    The Standard v2 SKU supports VNet Integration, which allows you to place the APIM instance in a private network. By doing so, you can:

    • Isolate the APIM gateway from public internet traffic.
    • Control inbound and outbound connectivity via Network Security Groups (NSGs) or Azure Firewall.

    Key Steps:

    • Integrate the APIM instance into a VNet (Internal mode). This ensures that only resources within the VNet or those with private endpoint connections can access it.
    • Configure NSGs to allow traffic only from trusted sources.

    Secure Access with Azure Private Link

    While the Standard v2 SKU doesn't support private endpoints for the management API itself, you can:

    • Use Azure Private Link for connecting backend services securely to your APIM instance.
    • Restrict management plane operations to trusted IP ranges by enabling Management IP Restrictions.

    Key Steps:

    1. Enable IP filtering for the management endpoints, restricting access to trusted ranges.
    2. Use Azure role-based access control (RBAC) to govern access to the APIM service.

    Use API Policies for Additional Security

    Implement security policies directly within APIM to protect your APIs. Consider:

    • Rate limiting and quotas to prevent abuse.
    • IP restrictions or JWT validation policies to restrict access to APIs based on trusted sources or tokens.

    Alternative Configuration with Automation

    Since PowerShell cmdlets for APIM rely on the management API, you must secure API keys and access permissions:

    • Store credentials securely in Azure Key Vault.
    • Use Azure DevOps or automation scripts running in a secured environment (e.g., within a trusted VNet or Azure Bastion) to manage APIM configurations.

    Security Recommendations

    To comply with the OWASP API Security guidelines:

    1. Use application gateways or reverse proxies in front of APIM for added protection.
    2. Implement WAF (Web Application Firewall) policies to guard against threats.
    3. Regularly review and rotate access keys (e.g., primary and secondary management keys).


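As an added example (not code from either reply above, nor from Microsoft's documentation), here is the shape of an inbound policy that puts together what the first reply's item 4 and kyazaferr's "Use API Policies for Additional Security" section describe: an `ip-filter` that only admits traffic arriving through the Application Gateway / WAF subnet, a `validate-jwt` check against an Entra ID issuer, and a `rate-limit-by-key` throttle keyed on the token subject. The 10.0.1.0/24 range, `{tenant-id}`, `api://my-api` and the call limits are placeholders I chose for illustration, not values from the thread.

```xml
<policies>
    <inbound>
        <base />
        <!-- 1. Accept traffic only from the Application Gateway / WAF subnet.
             10.0.1.0/24 is an assumed range; replace it with your gateway subnet. -->
        <ip-filter action="allow">
            <address-range from="10.0.1.0" to="10.0.1.255" />
        </ip-filter>
        <!-- 2. Require a signed, unexpired bearer token issued by your Entra ID tenant.
             {tenant-id} and api://my-api are placeholders. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-signed-tokens="true"
                      require-expiration-time="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized">
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://my-api</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
        </validate-jwt>
        <!-- 3. Throttle per caller. The JWT is already validated at this point, so its
             subject is a trustworthy key. Behind a reverse proxy context.Request.IpAddress
             is the proxy's address, which is why it is only the fallback here. -->
        <rate-limit-by-key calls="100"
                           renewal-period="60"
                           counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject ?? context.Request.IpAddress)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Attach this at the product or API scope so that `<base />` still pulls in any global policy. Two caveats worth keeping in mind: `ip-filter` evaluates the immediate peer address, so when Application Gateway or Front Door sits in front of the gateway the allow list must name that proxy's subnet, not the end user's IP (end-user IPs then only appear in `X-Forwarded-For`, which the proxy, not the client, must be trusted to set); and the policy only protects the API gateway endpoint, so it does not close the management endpoint the question is about, which still has to be governed with RBAC and network controls.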
    kyazaferr
    Iron Contributor

    While the Standard v2 SKU lacks support for completely disabling public access to the management API, you can still secure the service by:

    1. Enabling VNet integration.
    2. Applying IP restrictions.
    3. Automating management through trusted environments.
    4. Using security policies and WAF in conjunction with APIM.

    If the limitations of this SKU impact critical operations, consider the Premium SKU for a more comprehensive solution.

    ChrisTrailight
    Copper Contributor

    Thanks both - some very helpful suggestions here - will review today and then mark a solution.

  • ChrisTrailight 

    To securely configure Azure API Management (APIM) in Standard v2 SKU, please try these steps:

    1. Enable VNet Integration:
      Set the APIM instance to "Internal" mode in the VNet to restrict API traffic to internal networks.
    2. Restrict Management Access:
      Use Azure AD for management authentication.
      Limit access to endpoints via Network Security Groups (NSGs) and IP whitelisting.
    3. Add a WAF/Firewall:
      Deploy Azure Application Gateway with WAF or Azure Firewall to control and monitor traffic.
    4. Follow Security Best Practices:
      Apply OWASP guidelines: validate inputs, use rate limiting, and enforce strong authentication.
    5. Consider Premium SKU:
      For full private endpoint integration and enhanced security, upgrade to the Premium tier.

    This setup secures your APIM while working within Standard v2 limitations.
