I want to start by saying that the API Management services (and specifically the Azure API Management, since this is the component I usually go to) are central and necessary in today’s digital transformation as they’re promoters to generating an ecosystem that allows secure rapid growth of apps and integrations. It’s a true foundation for the future.
I have encountered or implemented the component in diferent industries, serving high availability public facing applications and securing access to newly developed containerized microservices as well as serverless apps and now traditional API apps and even legacy APIs or WCF, all while exposing a secure and developer friendly gateway to the world.
The main business and transformational reason to add an API Management service is always the need to provide secure and scalable access to either internal apps or third-party users while being able to carry out transactions in a modern way and from any type of device.
As a quick and short overview of API Management provides, amongst others, the following Tool and Gateway features:
- API Visibility
- Security Mediation
- Traffic control
- Data transformation
- Developer Tools
- API catalogue portal
- Developer registration and discovery
- Developer authentication
- Documentation and testbed
- API Analytics
- API Monetization (either subscription or metered billing model)
Topic today is not API security but API Management security concerns and how API Management provides security to APIs. I will briefly touch on the threats that the APIs are exposed to since they are not the same as threats wesites are exposed to. For this reason, there is no benefit in applying WAF (Web Application Firewall) on APIs. At the same time, API Management exposes a Developer Portal that is a web application and that is subject to issues that plague any website.
Main API security concerns:
- HTTPS protected API without any authentication
- SSL without certificate validation, a secure connection is not necessarily trusted
- API rate limiting or throttling
- Parameter tampering
- Command Injection
- API overloads
- Use of unprotected identity and keys
- Unencrypted payload
- API Keys in query strings
- Exposure of underlying infrastructure (Server type/OS, cookie support, error stack trace)
Let me know if we need to get more into details. Just drop me a line below.
As I said, the API Management is exposing both an API Gateway and a Developer Portal and the purpose of this post is to talk about API Management security and it’s benefits for securing the APIs.
Secure API Management
From my experience with Azure in general and API Management in particular, the architecture I go to for securing API Gateway and Developer Portal endpoints is that in which the API Management service can be configured in a Virtual Network in internal mode, which makes it accessible only from within the Virtual Network.
To expose any of the endpoints to the outside world I prefer using an Azure Application Gateway, a PAAS Service, which provides a Layer-7 load balancer. It acts as a reverse-proxy service and provides among its offering a Web Application Firewall (WAF). A newer offering that looks quite promising is the new Azure Front Door that plays the role of an Application Gateway and Traffic Manager. Having these two together provides nice capabilities for automatic failover and multi-region DR strategies and we can have another conversation on this topic alone as I believe the multi-region offering for Azure API Management does not quite meet the requirements for a robust Disaster Recovery.
Microsoft documentation explains how to setup the API Management in an internal VNET in an easy 10 minutes read post: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway and the general result looks as illustrated on the aforementioned blogpost:
The scripts provided in Microsoft’s blogpost required a bit of tweaking for me but before a successful deployment and finally I ended up using ARM templates to provision and configure the environment and the API Management. Documented steps are the right way of approaching this deployment and create your scripts.. your (IaaC) Infrastructure as a Code.
Considerations for above architecture
- Developer Portal may be internal only, resolved by an internal DNS and accessible only within the company’s network or a subnet of it connected to the Azure vnet by some VPN. This is a great way of avoiding headackes while the API endpoint is not provided as a product to third parties.
- Application Gateway can provide Mutual SSL authentication for API Management while providing the internet with an endpoint secured with a diferent certificate.
- API Gateway is not directly available from the outside world forcing the entire traffic to go through the Application Gateway and be secured behind it.
- Custom probe Application Gateway endpoint being: https://your-api-management-api-gateway.url/status-0123456789abcdef
- Together with a Traffic Manager sitting before the Application Gateway, you have a turnkey sollution to enablement/disablement of an entire region and allow for safe large scale brown field deployments and pre-enablement shakedown scenarios if required.
Now that we have secured the API Management itself, let’s discuss security provided by API Management.