Using the ipSecurity element in the Web.config of an API App to restrict access to Azure API Management

There are several ways to secure the back-end service of an API in Azure API Management, such as client certificates and VPN connections, but there is also another, relatively simple option: implement IP address restrictions in the back-end API and allow access only from the IP address of the API Management gateway. You can do this by adding the ipSecurity element to the Web.config of the API App.

 

Steps

First, go to the Dashboard page in API Management and copy the Public Virtual IP Address of the API Management gateway from this tab.
Azure API Management - DASHBOARD
 
In Visual Studio, go to the Web.config of the back-end API App. Enter the ipSecurity settings and add the IP address of the API Management gateway.
<security>
    <!-- allowUnlisted="false": reject every address that is not listed below -->
    <ipSecurity allowUnlisted="false">
        <clear/>
        <!-- localhost -->
        <add ipAddress="127.0.0.1" allowed="true"/>
        <!-- Public Virtual IP Address of the API Management gateway -->
        <add ipAddress="21.97.217.24" allowed="true"/>
    </ipSecurity>
</security>
 
Publish the API App again to Azure.
Publish API App in Visual Studio
 
Test the published API App with a tool like Postman. You should now get an error message.
Postman -
 
Also test the API in the API Management Developer Portal. That should still work because the back-end API is now called via the API Management gateway.
Azure API Management - Developer Portal
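A check that can be run against the Web.config before publishing, as an added example that is not part of the original post: it parses the ipSecurity section and reports whether the gateway address is admitted while an outside client is refused. The function names, the outside address 203.0.113.10 and the first-match evaluation are assumptions made for the illustration; the sample config is the page's snippet wrapped in its parent elements.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the page's <security> section inside its parent elements.
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>
        <add ipAddress="21.97.217.24" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""

def load_rules(web_config_xml):
    """Return (allow_unlisted, [(network, allowed), ...]) from Web.config text."""
    sec = next(ET.fromstring(web_config_xml).iter("ipSecurity"), None)
    if sec is None:
        return True, []  # no ipSecurity element: nothing is restricted
    # IIS defaults: allowUnlisted="true", allowed="false", single-host subnetMask.
    allow_unlisted = sec.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for add in sec.findall("add"):
        mask = add.get("subnetMask", "255.255.255.255")
        net = ipaddress.ip_network(f"{add.get('ipAddress')}/{mask}", strict=False)
        rules.append((net, add.get("allowed", "false").lower() == "true"))
    return allow_unlisted, rules

def is_allowed(client_ip, web_config_xml):
    """Simplified model (assumption): the first entry containing the client decides."""
    allow_unlisted, rules = load_rules(web_config_xml)
    addr = ipaddress.ip_address(client_ip)
    for net, allowed in rules:
        if addr in net:
            return allowed
    return allow_unlisted

def gateway_only(web_config_xml, gateway_ip, outside_ip="203.0.113.10"):
    """True if the gateway is admitted and a constructed outside address is refused."""
    return (is_allowed(gateway_ip, web_config_xml)
            and not is_allowed(outside_ip, web_config_xml))
```

Leaving out allowUnlisted="false" makes gateway_only return False, because the attribute defaults to true and unlisted clients are then accepted.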
 

 

Conclusion

Adding the ipSecurity element to the Web.config of the back-end API App only restricts access to the IP address of the API Management gateway. It doesn't secure the communication between the back-end API and Azure API Management. So if your back-end service is not running in the same datacenter as Azure API Management (for example, on-premises), you still have to add extra security measures like client certificates.


About the author

Tomasso Groenendijk lives in the Netherlands and is a senior integration consultant at Motion10. He has over 15 years' experience in software development and software design. Tomasso specializes in application integration, with a strong interest in the Windows Azure cloud platform. In 2014, 2015 and 2016 Tomasso was awarded the Microsoft Azure MVP award. He is an active contributor to the integration community through his work on his blog, MSDN samples and TechNet Wiki, and through speaking at events.

 
 
 