Azure API Management - Protecting the privacy of backend services
    One of the powerful features of Azure API Management is protecting the privacy of the backend services so that they are neither discoverable nor reachable by external users. We can consider API Management an implementation of the Gatekeeper pattern, where you add additional layers of security in front of your backend services.

    In Azure API Management, you can choose which backend service you would like to use (Functions App, Logic Apps, Custom Web Service). When you go for the Custom Web Service option, there are a few things you need to be aware of and secure yourself, since they are not secured by default in Azure API Management.

    Looking at the HTTP response for an API with a custom web service as the backend, you'll notice that API Management exposes the backend service's endpoint, as you can see in the screenshot.
    [Screenshot: HTTP response from API Management showing the backend service's endpoint]

    What you can do to protect this is to use one of the API Management policies to mask this endpoint. The good thing is that API Management has a Transformation policy that does this for you.
    [Screenshot: the Transformation policy that masks backend URLs in the API Management policy editor]

    Once you add this policy to the outbound policies of your API, API Management will mask the custom web service endpoint and use the API Management endpoint instead, which keeps the backend service private.

    [Screenshot: HTTP response after the policy is applied, with the backend endpoint replaced by the API Management endpoint]
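    The outbound masking policy described above, written out as an added example rather than copied from the article's screenshot: it uses Azure API Management's `redirect-content-urls` policy (shown in the portal as "Mask URLs in content") in the outbound section, so links in the response body that point at the backend host are rewritten to the gateway URL of this API. The backend hostname in the comment is a placeholder.

```xml
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Rewrite links in the response body that point at the backend
             (placeholder: https://backend.example/...) so that they point
             at the gateway URL of this API instead. Callers then never see
             the custom web service's real endpoint. -->
        <redirect-content-urls />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

    After saving the policy, call the API through the gateway and confirm the backend hostname no longer appears in the response body; this policy rewrites the body only, so if the backend returns absolute URLs in headers such as Location, check and handle those separately.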

