Access security to an Azure App Service API App

Submitted by 南笙酒味 on 2019-12-10 10:39:10

Question


We have a system that is based on 2 tiers, a Backend tier and a Frontend tier; right now both are Azure WebSites communicating through WebAPI. I want to move the backend WebAPI to an API App - the question is whether it's possible to configure the security of an API App in such a way that it is only accessible from the configured Frontend ASP.NET MVC 6 Web application (hosted in Azure WebSites).

We planned to use Active Directory as an authentication method between the frontend Web App and the backend Web App, so that only the frontend can have access to the backend WebAPI. Is this the most secure way? Or are there simpler, but still secure ways for API Apps?


Answer 1:


At this point what you can do is:

  1. Convert the WebAPI to an API App
  2. Set the Access Level to Internal

This will make the API App only accessible from resources within the same Resource Group.

Now, the unfortunate part is that Web Apps (ex-Websites), although they can be in the same Resource Group, don't fully support the Gateway implementation in the preview, meaning they can't discover the API App within the Resource Group and the requests will look external, so the internal API App won't be accessible. Until we support that (Web Apps being fully integrated with the Gateway), a workaround to get you working on it is to effectively make the Web App another API App as well. You will still be able to use all the Web App features you know and love AND get the functionality you need with an internal API App, until Web Apps are fully on board with the Gateway.

You don't have to enable AAD to secure the access to the API App, as the API App is internal now.

If your web app has AJAX (JavaScript client) accessing the API App, then the above approach doesn't work (if an API App is internal, then it blocks any external call) and you have to set the "Access Level" of the API App to "Public Authenticated". Then you can enable AAD authentication and take advantage of the seamless authentication between apps that live behind the same Gateway. We will generate a token for you (the x-zumo-auth header contains the token) which you can read and pass on every request back and forth to successfully authenticate the requests.

The only things to be aware of are some known issues, listed here
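For the AJAX case in the answer above, here is an added example (not code from the Stack Overflow answer or from Azure) of a small browser-side helper that keeps the gateway-issued token scoped to one backend origin: it reads `x-zumo-auth` from responses, replays it only on requests to the configured API App origin, and drops it on a 401. The class name, `backendOrigin` and the injectable `fetchImpl` are this example's own assumptions.

```javascript
// Added example: client-side handling of the gateway's x-zumo-auth token.
// Assumes the gateway returns the token in an `x-zumo-auth` response header
// (as the answer states); `backendOrigin` is the API App's origin, e.g.
// "https://mybackend.azurewebsites.net" (placeholder, not from the page).
class ZumoAuthClient {
  constructor(backendOrigin, fetchImpl = globalThis.fetch) {
    this.backendOrigin = new URL(backendOrigin).origin;
    this.fetchImpl = fetchImpl;
    this.token = null; // kept in memory only, never in localStorage
  }

  // Build the outgoing request. Throws if the target is any origin other
  // than the backend, so the token can never leak to a third party.
  prepareRequest(path, init = {}) {
    const url = new URL(path, this.backendOrigin);
    if (url.origin !== this.backendOrigin) {
      throw new Error(`refusing to send x-zumo-auth to ${url.origin}`);
    }
    const headers = new Headers(init.headers || {});
    if (this.token) headers.set('x-zumo-auth', this.token);
    return { url: url.toString(), init: { ...init, headers } };
  }

  // Capture a token the gateway issued or refreshed; a 401 means the
  // held token is stale, so discard it and let the caller re-authenticate.
  absorbResponse(res) {
    if (res.status === 401) this.token = null;
    const issued = res.headers.get('x-zumo-auth');
    if (issued) this.token = issued;
    return this.token;
  }

  // Convenience wrapper around fetch() using the two steps above.
  async request(path, init = {}) {
    const { url, init: prepared } = this.prepareRequest(path, init);
    const res = await this.fetchImpl(url, prepared);
    this.absorbResponse(res);
    return res;
  }
}
```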



Source: https://stackoverflow.com/questions/30322805/access-security-to-an-azure-app-service-api-app
