There are several ways to secure the back-end service of an API in Azure API Management, such as client certificates and VPN connections, but there is also another relatively simple option: implement IP address restrictions in the back-end API and only allow access from the IP address of the API Management gateway. You can do this by adding the ipSecurity element to the Web.config of the API App.
Steps
First go to the Dashboard page in API Management. Copy from this tab the Public Virtual IP Address of the API Management gateway.
Go in Visual Studio to the web.config of the back-end API App. Enter the ipSecurity settings and add the IP address of the API Management gateway.
<system.webServer>
  <security>
    <!-- allowUnlisted="false": every client not explicitly listed below is rejected -->
    <ipSecurity allowUnlisted="false">
      <!-- drop any rules inherited from a parent configuration -->
      <clear/>
      <!-- local requests (for example on the App Service host itself) -->
      <add ipAddress="127.0.0.1" allowed="true"/>
      <!-- Public Virtual IP Address of the API Management gateway -->
      <add ipAddress="21.97.217.24" allowed="true"/>
    </ipSecurity>
  </security>
</system.webServer>
Publish the API App again to Azure.
Test the published API App directly with a tool like Postman. You should now get an error message, because the IP address of your client is not in the allowed list.
Test the API also in the API Management Developer Portal. That should still work, because now the back-end API is called via the API Management gateway, whose IP address is in the allowed list.
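Before publishing, it is worth checking that the web.config actually expresses the restriction described in the steps above: allowUnlisted set to false, a clear element so that no inherited rules leak through, and an allow rule that matches the gateway's IP address and nothing broader. The following Python script is an added example, not code from the original post; it parses a constructed web.config fragment modelled on the one above and reports anything that would leave the back-end API more open than intended. The function name check_ip_restrictions and the sample configurations are assumptions made for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample web.config modelled on the fragment in the post
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>
        <add ipAddress="21.97.217.24" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed weak variant: unlisted clients allowed, inherited rules not cleared
WEAK_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true">
        <add ipAddress="21.97.217.24" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""


def check_ip_restrictions(config_xml, gateway_ip):
    """Return a list of findings; an empty list means the restriction matches the post's setup."""
    findings = []
    root = ET.fromstring(config_xml)
    ipsec = root.find("./system.webServer/security/ipSecurity")
    if ipsec is None:
        return ["no <ipSecurity> element under <system.webServer><security>"]

    # IIS defaults allowUnlisted to true, so a missing attribute is as bad as "true"
    if ipsec.get("allowUnlisted", "true").lower() != "false":
        findings.append('allowUnlisted is not "false": clients not in the list are still allowed')

    if ipsec.find("clear") is None:
        findings.append("no <clear/>: rules inherited from a parent config remain in effect")

    gateway = ipaddress.ip_address(gateway_ip)
    gateway_allowed = False
    for rule in ipsec.findall("add"):
        addr = rule.get("ipAddress")
        if addr is None:
            continue  # domainName-based rules are not evaluated by this check
        # IIS treats a missing subnetMask as a single-host mask
        mask = rule.get("subnetMask", "255.255.255.255")
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        allowed = rule.get("allowed", "true").lower() == "true"
        if allowed and net.num_addresses > 1:
            findings.append(f"allow rule {net} covers {net.num_addresses} addresses, not a single gateway IP")
        if allowed and gateway in net:
            gateway_allowed = True

    if not gateway_allowed:
        findings.append(f"gateway IP {gateway_ip} has no allow rule: API Management calls will be rejected")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_WEB_CONFIG), ("weak", WEAK_WEB_CONFIG)):
        result = check_ip_restrictions(cfg, "21.97.217.24")
        print(name, "->", result or "OK")
```

Run the check against the web.config you are about to publish with the Public Virtual IP Address copied from the dashboard; the second sample shows the typical mistakes it catches.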
Conclusion
Adding the ipSecurity element to the Web.config of the back-end API App only restricts access to the IP address of the API Management gateway. It doesn't secure the communication between the back-end API and Azure API Management. So if your back-end service is not running in the same datacenter as Azure API Management (for example on-premises), you still have to add extra security measures like client certificates.