Question
We have a system that is based on 2 tiers, a Backend tier and a Frontend tier, right now both are Azure WebSites communicating through WebAPI. I want to move the backend WebAPI to API App - question is - if it's possible to configure the security of an API App in such a way, that it is only accessible from the configured Frontend ASP.NET MVC 6 Web application (hosted in Azure WebSites).
We planned to use Active Directory as an authentication method between the frontend Web App and the backend Web App, so that only the frontend can have access to the backend WebAPI. Is this the most secure way? Or are there simpler, but still secure ways for API Apps?
Answer 1:
At this point what you can do is:
- Convert the WebAPI to an API App
- Set the Access Level to Internal
This will make the API App only accessible from resources within the same Resource Group.
Now, the unfortunate part is that Web Apps (ex-Websites) although they can be on the same Resource Group, in the preview, they don't fully support the Gateway implementation, meaning they can't discover the API App within the Resource Group and the requests will look as external, so the internal API App won't be accessible. Until we support that (WebApps being fully integrated with the Gateway) a workaround to get you working on it is to effectively make the Web App another API App as well. You will still be able to use all the Web App features you know and love AND get the functionality you need with an internal API App, until Web Apps are fully on board with the Gateway.
You don't have to enable AAD to secure the access to the API App, as the API App is internal now.
If your web app has AJAX (Javascript client) accessing the API App, then the above approach doesn't work (if an API App is internal, then it blocks any external call) and you have to set the "Access Level" of the API App as "Public Authenticated". Then you can enable AAD authentication and take advantage of the seamless authentication between apps that live behind the same Gateway. We will generate a token for you (x-zumo-auth header contains the token) which you can read and pass on every request back and forth to successfully authenticate the requests.
The only things to be aware of are some known issues, listed here
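As an added illustration of the AJAX case in the answer above (this is example code, not part of the original post or of Azure's own SDK): a small browser-side helper that attaches the gateway-issued token in the x-zumo-auth header on every call to the "Public Authenticated" API App, refuses to send a request without a token, and never sends the token to any origin other than the backend. The backend origin https://backend.example is a placeholder, and fetchImpl is injectable so the helper can be exercised offline.

```javascript
// Added example, not from the original answer or from Azure.
// Assumption: the API App lives at a single known origin (placeholder below).
const BACKEND_ORIGIN = 'https://backend.example';

// Build the request the gateway expects: backend origin only, token in x-zumo-auth.
function buildApiRequest(path, token, origin = BACKEND_ORIGIN) {
  if (typeof token !== 'string' || token.length === 0) {
    // Fail closed: a "Public Authenticated" API App rejects unauthenticated
    // calls anyway, so do not send one.
    throw new Error('missing x-zumo-auth token');
  }
  const url = new URL(path, origin);
  if (url.origin !== new URL(origin).origin) {
    // An absolute or protocol-relative path could redirect the token elsewhere;
    // the gateway token must only ever reach the API App.
    throw new Error('token must only be sent to the API App origin');
  }
  return {
    url: url.toString(),
    options: {
      method: 'GET',
      headers: { 'x-zumo-auth': token, Accept: 'application/json' },
      credentials: 'omit', // identity travels in the header, not in cookies
    },
  };
}

// Call the API App; a 401 means the gateway rejected or expired the token,
// so the client should re-acquire a token rather than retry blindly.
async function callApi(path, token, fetchImpl = globalThis.fetch) {
  const { url, options } = buildApiRequest(path, token);
  const resp = await fetchImpl(url, options);
  if (resp.status === 401) {
    return { ok: false, reason: 'unauthorized' };
  }
  return { ok: resp.ok, body: await resp.json() };
}
```

Usage from the frontend page is `callApi('api/orders', tokenFromGateway)`; the token value itself comes from the x-zumo-auth header the gateway returns, which this helper only forwards.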
Source: https://stackoverflow.com/questions/30322805/access-security-to-an-azure-app-service-api-app