Securing your APIs with Azure API Management Service. A Dummies Guide.

Rajesh Rajamani
7 min read · May 26, 2021


Azure API Management Service

Azure API Management Service is a PaaS (Platform-as-a-Service) offering from Azure that provides a scalable, secure API management service for your organization.

This is a dummies tutorial on how to configure your Azure API Management service to secure APIs developed and hosted in Azure Functions.

At this point I assume that you have some idea of what Azure Functions are, and in particular HTTP-trigger functions. If you are not sure, I recommend that you follow the article below.

Initiation for the un-initiated:

What is an API ?

Simply, Application Programming Interface: a set of functions and procedures allowing the creation of applications that access the features or data of an operating system, application, or other service in a standardised way.

Focus on why I highlighted standardised way. When you have different systems in your infrastructure, it becomes difficult to enable your users to use them effectively, as the input/output interactions for each system can differ from one another.

Now, this is where an API can help. You can design an API that standardises the way an external user, or for that matter an internal user, interacts with your systems.

Modern APIs adhere to standards (typically HTTP and REST) that are developer-friendly, easily accessible and broadly understood.

I'm sure you'll recognize HTTP and REST as the two commonly used standards for effective communication between systems.

Why is it important to secure your API ?

Obvious question, but let's understand it. An API is typically an HTTP/REST interface that allows the external world to interact with your systems. Now, if the API is not "controlled", it is quite possible that it will be misused.

Some examples of misuse (not exhaustive though):

  1. Request flooding, a technique by which a hacker floods your API with a barrage of requests, resulting in your system being overloaded and rendered unusable.
  2. Unauthorized usage, where a user is able to access your API without proper authentication such as an API token, or, for example, from an IP address that you don't recognize.
  3. Unstructured usage, either a deliberate or an inadvertent error by which the request coming to your API is not well formed in terms of the method, payload etc.

The examples I gave are the most basic ones. However, in order to prevent such misuse you need a great deal of programming skill, an understanding of HTTP vulnerabilities, spoofing and so on, to name a few.

Azure API Management:

Azure API Management provides built-in functionality and tools that help you configure the rules and secure your API with just a few clicks.

As part of this tutorial, we will see how an HTTP-trigger function can be secured with Azure API Management. Before going further, let's understand why it is important to secure this HTTP-trigger function.

If you know Azure Functions or have read the tutorial above on HTTP triggers, you'll know that an Azure function can be triggered by making a POST request. Now, if a rogue user has figured out the URL of your HTTP function, it is going to be pretty simple to just flood your function by executing it repeatedly in a loop. This can result in excessive costs if not trapped.

Keeping that in mind, we will go through this tutorial where we are going to secure our HTTP function with Azure API Management. We will use two techniques to demonstrate the simplicity and effectiveness of this service.

  1. API Token based restriction
  2. IP based restriction

Tutorial

I assume that you already have an HTTP function created (from the article above).

Step 1: Creating an Azure API Management instance

Log on to your Azure portal and search for API Management services.

Ensure that you select the Developer pricing tier for this tutorial to avoid cost.

Step 2: Importing an API into your API Management instance

In the API Management blade, click on APIs.

Step 2a: Import the Azure Function App containing the HTTP function by clicking the Function App tile.

Here you can observe the flexibility offered by Azure: it also allows you to integrate APIs hosted on App Service.

You also get flexibility on standards.

Step 2b: Select the Function App containing the HTTP trigger.

Step 2c: Import the required HTTP triggers into your API Management service.

Here you can see all the HTTP triggers for the function app that you selected. If you have hosted multiple HTTP triggers under the same function app, you will see all of them. In my case, I'm using an app that has two HTTP methods.

Step 3 : Configuring the API security rules

Once your API is successfully imported, you should see it listed.

Let's configure the design and settings for your API.

Step 3a: Let's set up an IP-based filter. For that, click on the Add policy button under the Inbound processing box.

This will present you with a lot of options, and you get the drill. Select the Filter IP addresses option.

Now set your public IP in both From and To.

Note: In the example below, I'm using my public IP address (of course faked here for the screenshot). You can also use IP ranges.

To get your public IP, click here.

Step 3b: Let's also set up a mandatory API token.

For this, click on Settings and select the Subscription required option.

To use this functionality, you should enable your users to obtain a subscription key automatically, perhaps by signing up on your API developer portal through a user interface, or through other means.

But for simplicity, let's use the sample API key that's available in the Test tab.
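The portal's Add policy button edits the API's policy XML under the hood. As an added example (not from the article, and not the author's own configuration), here is what the inbound section looks like once Step 3a's IP filter is in place. The address 203.0.113.10 is a constructed placeholder from the documentation range; replace it with your own public IP or range. The rate-limit element goes beyond the article: it caps each subscription at a fixed number of calls per minute, which addresses the request-flooding case from the misuse list even when the caller holds a valid key.

```xml
<policies>
    <inbound>
        <!-- Keep whatever is configured at the product / global scope -->
        <base />
        <!-- Step 3a: only the listed source address may call this API.
             203.0.113.10 is a constructed placeholder; put your own
             public IP (or a from/to range) here. -->
        <ip-filter action="allow">
            <address-range from="203.0.113.10" to="203.0.113.10" />
        </ip-filter>
        <!-- Beyond the article: at most 100 calls per 60 seconds per
             subscription, so a key holder still cannot flood the Function. -->
        <rate-limit calls="100" renewal-period="60" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Step 3b needs no policy element: with Subscription required switched on, the gateway expects the key in the Ocp-Apim-Subscription-Key request header (or the subscription-key query parameter) and rejects calls without it with 401 before they reach the Function. The IP filter is evaluated against the source address the gateway sees, which is why a call from the portal's test console, which arrives from the portal's own address, is refused with 403 until you bypass the CORS proxy in Step 4.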

Step 4: It’s time to test.

You can use the Test interface to test your API call, or you can use a client like Postman.

Let's pass a JSON object in the request body.

Hit the Send button.

And you get an error.

You are testing the API from the Azure portal, and therefore the portal's own IP address is being passed, which results in the error.

Now make a small change and check Bypass CORS proxy to allow your own IP to be used.

And voila!! Your request receives a success response.

And that's just a start in securing your API and back end efficiently with API Management Service.

If you are interested in more such fantastic, simple-to-understand tutorials, consider following me on Medium.

Here is my publication link.

And if you consider following me then ,
