When an API is designed, its security is a crucial aspect that should not be overlooked. A secured API rejects unauthorized callers at the edge and ensures that data is shared only with authorized entities. Azure API Management is a Microsoft Azure service that places a managed gateway in front of your backend, so that authentication, authorization and usage policies are enforced before a request ever reaches your code. In this tutorial, we will walk you through how to secure your API with Azure API Management.
Pre-requisites
Before we begin, you’ll need to have the following:
- A Microsoft Azure account
- An API hosted in an accessible location. For this tutorial, we will use a simple API hosted on an Azure Function App
Step 1: Create an API Management instance
First, we need to create an API Management instance (the portal calls it a "service") in Microsoft Azure.
- Log in to the Microsoft Azure Portal
- Navigate to the API Management services page
- Click the Create button to add a new service
- On the Create API Management screen, fill in the required information: subscription, resource group, region, resource name, organization name, administrator email and pricing tier. The Developer tier is meant for evaluation and carries no SLA; production workloads use Basic, Standard or Premium.
- Once you have entered all the required information, click Review + create and then Create. Provisioning a Developer-tier instance typically takes 30 to 40 minutes, so start it before you prepare the API.
Step 2: Import your API
With an API Management instance in place, we can now import the API that needs to be secured.
- Click on the newly created API Management instance
- In the instance page, click the APIs link on the left-hand menu
- On the APIs page, click Add API and choose how the API is defined: HTTP for a plain backend URL, OpenAPI for a specification, or the Function App tile to import the functions of the Azure Function App used in this tutorial
- Fill in the required information, such as the Web service URL (the backend address) and the Display name, and optionally an API URL suffix; the gateway will expose the API at https://<instance-name>.azure-api.net/<suffix>
- Importing does not add any authentication by itself: a freshly imported API only requires a subscription key. The token-based options (OAuth 2.0, OpenID Connect) are configured in the next step.
- Click the Create button to add the API to Azure API Management
Step 3: Configure API Security
With the API imported, the next step is to decide how the gateway verifies callers. Two mechanisms matter here: subscription keys, which identify a consumer, and bearer tokens, which authenticate one.
- From within the API Management instance page, click on the API that you imported in step 2
- Click the Settings tab at the top of the API page
- Under Subscription, keep Subscription required enabled. Callers must then send a valid key in the Ocp-Apim-Subscription-Key header (or the subscription-key query parameter); otherwise the gateway answers 401 before the backend is called. Keys are issued per product subscription and identify the consumer, but they are not bound to a user, so do not rely on them alone for a sensitive API.
- Under Security, set User authorization to your preferred mechanism, for instance OAuth 2.0. This requires an authorization server definition, which you register once for the whole instance under Security > OAuth 2.0 + OpenID Connect, filling in fields such as Client ID, Client secret, Authorization endpoint and Token endpoint.
- Be clear about what that setting does and does not do: it tells the developer portal's test console how to obtain a token so developers can try the API. It does not make the gateway reject requests that carry no token or an invalid one. Enforcement comes from a validate-jwt policy (or validate-azure-ad-token for Azure AD tokens) in the API's inbound policy section, edited the same way as the policy in step 5.
- Once you have configured all the necessary fields, click the Save button to save the changes
- Finally, make sure the backend cannot be reached directly, because gateway checks are worthless if a caller can bypass the gateway. For an Azure Function App this means keeping function-level authorization on, letting only the gateway present the function key (stored in API Management as a named value, never in client code) and, where possible, restricting the function's inbound access to the gateway's IP address or virtual network.
Step 4: Create users and groups
When an API is secured using Azure API Management, the people who administer the gateway and the applications that call the API need to be identified separately. Azure Active Directory (now Microsoft Entra ID) provides the user and group objects; this step creates them and then uses Access control (IAM) to decide who may manage the instance.
- Navigate to the Azure Active Directory page on the Azure Portal
- In the Azure Active Directory page, click on the Users link on the left-hand side menu
- In the Users page, click on the New user button to add a new user
- Fill in the required fields, such as First name, Last name, User name, etc.
- Click on the Create button to create the user
- Repeat the previous three bullets to add more users if necessary
- Now we will create a group and grant it a role on the API Management instance
- Click on the Groups link on the left-hand side menu
- In the Groups page, click on the New group button to add a new group
- Fill in the required fields, such as Name and Description of the group, and add the users as members
- Click on the Create button to create the group
- From the Overview page of the API Management instance, click on Access control (IAM)
- Click on the Add role assignment button
- Choose the role the group should have. Reader lets members view the configuration; Contributor lets them change it, including removing the policies you add in step 5, so grant Contributor only to the team that operates the gateway
- In the Select field, search for the group you created above
- Once you have selected the group, click on the Save button to grant the role to the group
Note that these role assignments control the Azure management plane only. They do not let anyone call the API, and API consumers should never be given Contributor on the instance. Consumers get access through a product subscription (a key issued via the developer portal) and, where you enforce tokens with a validate-jwt policy, a token issued to them by the authorization server. If you want an Azure AD group to control which products its members can subscribe to, add it under the instance's own Groups blade after configuring Azure AD as a developer portal identity provider, not under Access control (IAM).
Step 5: Add policies for further security
API Management provides policies that can be attached to an API to add further layers of security or perform other operations. In this step, we will add a policy that limits how often each subscription may call the API.
- From within the API Management instance page, click on the API that you imported in step 2
- On the Design tab, select All operations so the policy applies to every operation of the API
- In the Inbound processing section, click the code editor icon (</>) to open the policy editor
- Replace the policy with the following. The calls and renewal-period attributes together define the limit: 5 calls per 60-second window, counted separately for each subscription key. Note that this is not 5 requests per second; the window is a minute.
<policies>
    <inbound>
        <base />
        <!-- Allow each subscription 5 calls per 60-second window; the 6th call in the window gets 429 -->
        <rate-limit-by-key calls="5" renewal-period="60" counter-key="@(context.Subscription.Id)" />
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>
- Click on the Save button to save the policy.
Two details matter. The <base /> elements keep the policies defined at the product and global scopes in force; without them an API-level policy silently replaces them. And counter-key="@(context.Subscription.Id)" assumes Subscription required is enabled on the API: if it is not, context.Subscription is null for anonymous callers, the expression fails and the gateway returns a server error instead of throttling. For an anonymous API, key the limit on context.Request.IpAddress instead. When the limit is exceeded the gateway returns 429 Too Many Requests with a Retry-After header.
Step 6: Test the secured API
With all the necessary settings in place, it's time to test the secured API. Testing means checking that the gateway refuses what it should refuse, not only that the happy path works.
- From within the API Management instance page, click on the API that you imported in step 2
- Click the Test tab at the top of the API page
- In the Test page, choose the operation to test and click the Send button. The test console adds a valid subscription key for you, so this call should return 200 from the backend.
- Now send the same request from outside the portal, for example with curl, omitting the Ocp-Apim-Subscription-Key header. The gateway must answer 401 with a message that the subscription key is missing; if it returns 200, the API is not secured.
- Repeat the keyed request more than five times within a minute. The sixth call must return 429 Too Many Requests together with a Retry-After header.
- If you enforce tokens with a validate-jwt policy, also send a keyed request without an Authorization header; it must be rejected with the status code configured in the policy before any backend code runs.
Only when all of the rejections happen as described is the API actually secured; a successful call from the test console alone proves nothing.
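As an added example that is not part of the original tutorial, the following Python script performs the three checks above against any gateway URL and subscription key and reports whether the API behaves as secured. The host contoso.azure-api.net, the key and the FakeGateway (a simplified stand-in for the gateway's subscription check and rate-limit-by-key window) are constructed so the script runs offline; against a real instance, pass http_sender instead of the fake.

```python
"""Probe an API published through Azure API Management for the behaviours this tutorial
configures: unauthenticated requests refused, keyed requests accepted, bursts throttled.
Added example for this page; gateway host, key and FakeGateway responses are constructed."""
from __future__ import annotations

import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

KEY_HEADER = "Ocp-Apim-Subscription-Key"  # header API Management reads the subscription key from


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str = ""


# A sender takes (url, request headers) and returns the gateway's response.
Sender = Callable[[str, Dict[str, str]], Response]


def http_sender(url: str, headers: Dict[str, str]) -> Response:
    """Real sender for a live gateway; urllib raises on 401/429, so unwrap those into Responses."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return Response(resp.status, dict(resp.headers), resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        return Response(err.code, dict(err.headers), err.read().decode(errors="replace"))


def probe(url: str, key: str, send: Sender, max_calls: int = 10) -> Dict[str, object]:
    """Three checks: no key must be refused, a keyed call must succeed, and repeated keyed
    calls must be throttled. The API counts as secured only if all three hold."""
    no_key = send(url, {})
    statuses: List[int] = []
    retry_after: Optional[str] = None
    for _ in range(max_calls):
        resp = send(url, {KEY_HEADER: key})
        statuses.append(resp.status)
        if resp.status == 429:
            retry_after = resp.headers.get("Retry-After")
            break
    return {
        "no_key_status": no_key.status,
        "accepted_before_throttle": statuses.count(200),
        "throttled": 429 in statuses,
        "retry_after": retry_after,
        "secured": no_key.status == 401 and statuses[0] == 200 and 429 in statuses,
    }


@dataclass
class FakeGateway:
    """Constructed stand-in for the gateway so the probe runs offline. It enforces the
    subscription key and a per-key window of `calls` requests per `renewal_period` seconds,
    a simplified model of rate-limit-by-key (not Azure's exact algorithm)."""
    valid_keys: set
    calls: int = 5
    renewal_period: int = 60
    clock: Callable[[], float] = time.monotonic
    _windows: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def __call__(self, url: str, headers: Dict[str, str]) -> Response:
        key = headers.get(KEY_HEADER)
        if key not in self.valid_keys:
            return Response(401, {}, '{"statusCode": 401, "message": "Access denied due to missing subscription key."}')
        now = self.clock()
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.renewal_period:  # window elapsed: the counter resets
            start, count = now, 0
        if count >= self.calls:
            remaining = max(1, int(self.renewal_period - (now - start)))
            return Response(429, {"Retry-After": str(remaining)}, "Rate limit is exceeded.")
        self._windows[key] = (start, count + 1)
        return Response(200, {"Content-Type": "application/json"}, '{"ok": true}')


def demo() -> Dict[str, object]:
    """Run the probe against the fake gateway with a controllable clock, then step past the
    window to show that the same key is accepted again."""
    now = [0.0]
    gateway = FakeGateway(valid_keys={"constructed-subscription-key"}, clock=lambda: now[0])
    url = "https://contoso.azure-api.net/orders"  # constructed gateway URL
    result = probe(url, "constructed-subscription-key", gateway)
    now[0] += 61
    result["status_after_window"] = gateway(url, {KEY_HEADER: "constructed-subscription-key"}).status
    return result


if __name__ == "__main__":
    print(demo())
    # Against a real instance: probe("https://<name>.azure-api.net/<suffix>/<op>", key, http_sender)
```

The probe deliberately treats a 200 on the keyless request as a failure rather than a warning: that is the case where the gateway, or a direct path to the backend, is letting anonymous traffic through.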
Conclusion
Securing your API with Azure API Management is a crucial step in designing a secure API. By following these steps, you place a gateway in front of the backend that identifies callers by subscription key, authenticates them by validating OAuth 2.0 or OpenID Connect tokens in policy, and throttles abusive clients. Remember that the OAuth 2.0 setting on the API only describes how a token is obtained, the validate-jwt policy is what enforces it, and Azure Active Directory role assignments govern who manages the gateway rather than who may call the API. With the backend reachable only through the gateway, you gain real protection against unauthorized access and ensure that data is shared only with authorized entities.