
Securing APIs using Azure APIM


In recent years, microservices architecture has gained a lot of attention, and creating APIs to communicate between services and with the outside world is the new norm. Managing APIs effectively is a basic requirement for organizations. To make API management simpler and hassle-free, Azure APIM offers a wide variety of features, including a number of security features.

In this article, we will discuss some of the features that can be implemented in Azure APIM to keep your APIs safe and secure. Let us work with an example and discuss how they can be implemented.

Example:

YourWeather.com (YW) is a company that collects weather information. YW decides to monetize the data by exposing APIs for clients to use. The table below shows their subscription plans:

API Name            | Free | Silver | Gold
--------------------|------|--------|-----
Current Weather     |      |        |
One week forecast   |      |        |
One month forecast  |      |        |
Air Quality Index   |      |        |
UV Index            |      |        |
Calls per minute    | 10   | 1000   | 5000

Let me skip the part where the APIs are created and get right into configuring Azure APIM for these APIs. I am also skipping the basic security mechanisms like authentication and authorization.

  1. Organizing the clients and restricting access through products:

        This goes without saying: organizing the APIs into products and letting clients use only the APIs they require increases management efficiency. Once the clients are added as subscribers to the appropriate products, they can access the APIs by providing the subscription key either as the value of the Ocp-Apim-Subscription-Key request header or as the subscription-key URL query parameter.

        So, in our example, we will have three products, 'Free', 'Silver' and 'Gold', and add subscribers to the appropriate plans. This not only guarantees that we provide the right level of service to the right customers, but also prevents subscribers from accessing APIs that belong to other plans, and the best part is that we achieve all this without adding any custom code to our application. Once the users are added, they include the header 'Ocp-Apim-Subscription-Key' with the provided value in their API calls.

        The screenshot below shows how the products look in APIM:


    Make sure you enable the "Requires Subscription" option. This lets you identify the subscribers of each product.

    Bonus:

    I know that the 'Ocp-Apim-Subscription-Key' header name may not be ideal for you and you may want to change it. Azure APIM lets you customize it through the Management API. Below is the API call that does that:

PATCH /apis/{id}?api-version={{api-version}}

Authorization: {token}
Content-Type: application/json
If-Match: "*"

{
    "subscriptionKeyParameterNames": {
        "query": "customQueryParameterName",
        "header": "customHeaderParameterName"
    }
}


Source: https://social.msdn.microsoft.com/Forums/en-US/70324d6a-624a-496c-8079-14a6595a6fab/howto-to-rename-subscription-key-parameter?forum=azureapimgmt

  2. Securing the backend service:

Backend services can be secured through mutual certificate authentication. By doing so, we allow calls only through APIM and reject direct calls to the service itself. To achieve this, we have to do the following:

        On APIM, upload the client certificate as shown below:

Then navigate to APIs > All Operations > Back End blade, click Edit and choose the client certificate that was uploaded earlier:


On the other hand, if you would like to secure your backend by other means, you can use IP whitelisting on the backend service and allow only the IP of the APIM instance (which remains constant most of the time), or simply use Basic HTTP authentication.

Bonus:

You can use a self-signed certificate for this process as well. All you have to do is ask APIM to skip certificate chain validation. This can be achieved through the following PowerShell script:

$context = New-AzureRmApiManagementContext -ResourceGroupName 'ResourceGroup' -ServiceName '{APIMService}'

New-AzureRmApiManagementBackend -Context $context -Url 'https://{API}/myapi' -Protocol http -SkipCertificateChainValidation $true

Source: https://docs.microsoft.com/en-us/azure/api-management/api-management-faq#can-i-use-a-self-signed-ssl-certificate-for-a-back-end

Disable/enable protocol settings:

The best practice on the application server is to implement TLS hardening. It is good practice to enable TLS 1.1 and TLS 1.2 and disable the vulnerable TLS 1.0, thereby reducing exposure to man-in-the-middle attacks. On the APIM side, however, there is already a blade provided for you to manage your protocol settings. You can see it in the screenshot below:


  3. Remove fingerprinting headers:

    The IETF (Internet Engineering Task Force) states in RFC 2068:

Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Implementers SHOULD make the Server header field a configurable option.


Any IT security team would direct you to remove server-related information, making reconnaissance harder for attackers. Headers like Server, X-Powered-By and X-AspNet-Version fall into this category. This can be easily achieved in APIM. In our example, we navigate to YourWeather APIs > Design > All Operations > Edit "Outbound Processing" and insert the policies below between <outbound></outbound>:


<set-header name="X-Powered-By" exists-action="delete" />

<set-header name="X-AspNet-Version" exists-action="delete" />

The policies page should then look like below:

  4. Masking actual URLs in the responses:

This is very similar to the last item, removing headers, but here we replace instead of remove. The basic idea is to mask and protect the actual backend URL by replacing it with the APIM URL in the response.

This can be achieved by navigating to the same policy page and adding the following:

<find-and-replace from="://yourweather.azurewebsites.net" to="://yourweather.azure-api.net/api/v1" />


In our example it will look like:

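Putting sections 2, 3 and 4 together, here is an API-scope policy for the YourWeather API. This is an added example, not a policy taken from the post: the thumbprint is a placeholder for the certificate uploaded in section 2, and the authentication-certificate policy is the policy-file equivalent of the Back End blade setting described there.

```xml
<!-- Added example: API-scope policy for the YourWeather API (not from the original post). -->
<policies>
    <inbound>
        <!-- Inherit the global / "All APIs" inbound policies first -->
        <base />
        <!-- Section 2: present the uploaded client certificate to the backend (mutual TLS).
             PLACEHOLDER: replace with the thumbprint of the certificate uploaded in APIM. -->
        <authentication-certificate thumbprint="PLACEHOLDER-THUMBPRINT-OF-UPLOADED-CERT" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Section 3: strip fingerprinting headers the backend adds.
             exists-action="delete" only acts when the header is present, so it is safe on every response. -->
        <set-header name="Server" exists-action="delete" />
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
        <!-- Section 4: rewrite the backend host in the response body so clients only ever see the gateway.
             Matching on "://host" covers both http and https references. -->
        <find-and-replace from="://yourweather.azurewebsites.net" to="://yourweather.azure-api.net/api/v1" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

find-and-replace works on the response body only; a Location header that points at the backend would still need its own set-header policy.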

  5. Limit requests (throttling) to avoid DoS:

This is not only a security feature but also directly supports the business goals. This policy allows each subscriber of a product to make the desired number of API calls during the renewal period. In our example, each product, such as "Gold", has a rate limit associated with it, e.g. 5000 calls per minute. This is achieved by navigating to each product and adding the policy to its inbound section. The policies for each product will therefore look like below:

Free:

Silver:

Gold:

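The product-level policy behind those screenshots, written out as an added example rather than the post's own: the inbound section of the "Gold" product with the 5000 calls/minute limit from the plan table. Free and Silver get the same document with calls="10" and calls="1000".

```xml
<!-- Added example: product-scope policy for the "Gold" product (not from the original post).
     Free and Silver use the same document with calls="10" and calls="1000". -->
<policies>
    <inbound>
        <!-- Inherit the global inbound policies first -->
        <base />
        <!-- 5000 calls per renewal-period (60 seconds = one minute) per subscription key.
             Once the limit is exceeded the gateway answers 429 Too Many Requests and the backend
             is never called, so one noisy subscriber cannot degrade the service for the others. -->
        <rate-limit calls="5000" renewal-period="60" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because the counter is keyed on the subscription, the limit follows the product the key belongs to, which is exactly the tiering set up in section 1.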

Conclusion:

Azure APIM offers a lot of features and I have just scratched the surface. Please explore and let me know how Azure APIM is helping you achieve your desired implementation.

Happy Coding and Happy Azuring.

Published in Azure
