Forum Discussion
API Management Policy - Secure way to detect requests from Application Gateway
Hello.
We have an API Management instance which is reachable from the internal network, and from the external network (internet) via Application Gateway.
I want to add an authorization policy in an API which only applies if requests are coming from the external network. Microsoft recommends NOT using the Host header because it can be modified by the user (https://learn.microsoft.com/en-us/azure/architecture/best-practices/host-name-preservation#context).
Is there a secure way to check if requests are coming from external network? Would "Context.Request.OriginalUrl.Host" work for this - or is the value a copy of the Host Header? (https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ContextVariables)
3 Replies
- shailesh14
Microsoft
You can use the Web Application Firewall (WAF) provided by the Application Gateway or use a condition to check the identifier in header.
<when condition="@(context.Request.Headers.ContainsKey("X-Application-Gateway-Identifier"))">
If you think the header can be modified by the client, pass/send it via App Gateway, and before that check the request in App Gateway.
- sayedimac
Learn Expert
There is a policy that will check to see if the request is coming from a specific IP/Range which might help.
Azure API Management access restriction policies | Microsoft Learn
Another way to do this is to setup a different Product for access from external/internal and then use the conditional policy to check if a specific product is being used and apply the policies in that case.
Azure API Management advanced policies | Microsoft Learn
Hope this helps,
Johan
#skillingexpert
- sampa611
Copper Contributor
I think IP filtering would not work because all IPs should be able to access, but only for a specific IP/range should a special policy be applied. Filtering would not be combinable with the choose?
I think this would be an option (but I'm thankful for any other suggestions):
https://learn.microsoft.com/en-us/azure/api-management/policies/filter-ip-addresses-when-using-appgw
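An added example of the approach the thread circles around; it is not from any of the posters and not Microsoft's sample. Instead of trusting a header, the authorization policy is gated on context.Request.IpAddress, which is the source address of the connection that reached API Management. That value is fixed by the network path rather than by the caller, unlike the Host header or a custom header the caller can add (X-Forwarded-For is appended to by Application Gateway, so a caller can seed it and it should not be used for this decision either). The subnet 10.10.1.0/24, the assumption that API Management runs in internal VNet mode so the gateway connects from its private subnet addresses, the tenant ID placeholder, the audience and the X-Request-Path header name are all illustrative assumptions.

```xml
<policies>
    <inbound>
        <base />
        <!-- Added example, not from the thread.
             context.Request.IpAddress is the source address of the TCP connection
             that reached API Management, so a caller cannot alter it the way it
             can alter Host or a custom header.
             Assumptions: Application Gateway lives in subnet 10.10.1.0/24 and
             API Management is deployed in internal VNet mode, so gateway-proxied
             requests arrive from 10.10.1.x. The trailing dot in the prefix keeps
             10.10.10.x from matching. Confirm the real address with a request
             trace before relying on it. -->
        <choose>
            <when condition="@(context.Request.IpAddress.ToString().StartsWith("10.10.1."))">
                <!-- External path (via Application Gateway): require a valid bearer
                     token. {tenant-id} and the audience are placeholders. -->
                <validate-jwt header-name="Authorization" require-scheme="Bearer"
                              failed-validation-httpcode="401"
                              failed-validation-error-message="Unauthorized">
                    <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
                    <audiences>
                        <audience>api://example-api</audience>
                    </audiences>
                </validate-jwt>
                <!-- Optional: tell the backend which path the request took. The value
                     is set here by API Management after the decision, with
                     exists-action="override" so a caller-supplied copy is replaced. -->
                <set-header name="X-Request-Path" exists-action="override">
                    <value>external</value>
                </set-header>
            </when>
            <otherwise>
                <!-- Internal network: no extra authorization in this example. -->
                <set-header name="X-Request-Path" exists-action="override">
                    <value>internal</value>
                </set-header>
            </otherwise>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Before enabling the policy, send one request over each path and inspect the API Management request trace to see the value of context.Request.IpAddress the gateway actually presents; if the instance is not in internal VNet mode, or the gateway is in a different subnet, the prefix in the condition has to be changed to match what the trace shows. The same pattern works with an ip-filter element nested inside the when branch if you want to restrict, rather than merely identify, the external path.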