skip to Main Content

I want to restrict access to my Azure Container App with an Api Management in Azure.

I successfully linked the Api Management with the Container App and I have activated a Subscription with an Api Key that will prevent public access over the Api Management Service Url. The problem, however, is that the Container App can still be accessed over the public Url of the Container App.

There is still the option to set the Ingress Traffic in the Container App to Limited to Container Apps Environment but then the Api Management will not have access to the Container App as well.

What is the correct way to properly secure the Container App behind an Api Management Service?

5

Answers


  1. You app service is still accessible over the public internet because you haven’t configured Access Restrictions in your App Service’s Network.

    What you need to do is go to your App service. Then select Networking from the left menu and Turn on Access Restrictions for inbound traffic.
    enter image description here

    Create an access restriction rule to deny from the internet.
    enter image description here

    Next create a second acccess rule to allow access from the APIM. Ensure the priority on this one is higher.

    enter image description here

    Read the Microsoft Docs on how to set app service IP restrictions here : https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions

    Login or Signup to reply.
  2. For Azure Container Instances, you don’t have the option to configure IP restrictions similar to Azure App Services. Instead you will have to first create a virtual network and configure a Network Security Group to Deny all traffic from the internet and allow only from APIM, and then deploy your Azure Container Instance to this virtual network.

    See here for deploying an azure container instance to a virtual network : https://learn.microsoft.com/en-us/azure/container-instances/container-instances-vnet

    For configuring network security groups in your virtual network see : https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules

    Login or Signup to reply.
  3. Assuming your API management service has a static IP (not a consumption plan), you would need to use you own VNET:

    Then using NSG, you could add an inbound rule to only allow traffic from the APIM service IP on HTTPS (TCP 443).

    Login or Signup to reply.
  4. Azure container apps do now seem to have the ability to restrict inbound ip addresses

    https://azure.microsoft.com/en-gb/updates/public-preview-inbound-ip-restrictions-support-in-azure-container-apps/

    We have are looking at a similar architecture with a similar dilemma. Everything we have is secured with Azure b2c but if I want to make an internal container/microservice accessible to Azure Api Management I think I’d have to drop b2c (api management has no UI to log into b2c) and make it publicly accessible via the Ingress. If the inbound ip addresses are restricted to api management maybe that is ok. It does worry me that ip addresses can be spoofed although you’d hope Microsoft have thought of that.

    Another alternative which I’ve not investigated but which does work for Azure functions is managed identities. This might not work at all with container apps though

    https://www.svenmalvik.com/azure-apim-function-msi/

    Login or Signup to reply.
  5. First, I think that it is good to explain networking architecture in Azure Container Apps.

    Azure Container Apps run in the context of an environment, which is supported by a virtual network (VNET). When you create an environment, you can provide a custom VNET, otherwise a VNET is automatically generated for you.

    There are two ways to deploy Container Apps environments:

    1. External – Container Apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address.

    2. Internal – When set to internal, the environment has no public endpoint. Internal environments are deployed with a virtual IP (VIP) mapped to an internal IP address. The internal endpoint is an Azure internal load balancer (ILB) and IP addresses are issued from the custom VNET’s list of private IP addresses.

    I attach the image from Azure portal to show above two options:

    enter image description here

    Now going further, if you want your container app to restrict all outside access, create an internal Container Apps environment.

    Now when it comes to deployment of the Container Apps to the Container Apps Environment, accessibility level you selected for the environment will impact the available ingress options for your container app deployments.

    If you are deploying to an external environment, you have two options for configuring ingress traffic to your container app:

    1. Limited to Container Apps Environment – to allow only traffic from other container apps deployed within the shared Container Apps environment.

    2. Accepting traffic from anywhere – to allow the application to be accessible from the public internet.

    enter image description here

    If you are deploying to an internal environment, you also have two options for configuring ingress traffic to your container app:

    1. Limited to Container Apps Environment – to allow only traffic from other container apps deployed within the shared Container Apps environment.

    2. Limited to vNET (Virtual Network) – to allow traffic from the VNET to make container app to be accessible from other Azure resources or applications within the virtual network or connected to the virtual network through Peering or some type of VPN connectivity

    enter image description here

    Now in you case, what you are looking for is the architecture where you enable access to Azure Container Apps only through the Azure API Management. In this case you have to deploy Azure Container Apps Environment with Internal mode and set ingress traffic to Limited to VNet (Virtual Network).

    I assume that Azure API Management can be accessible from the Internet. In this case you have to deploy Azure API Management inside an Azure Virtual Network. There are two possible modes: internal, and external. In you scenario, you can use external mode. More details can be found here. When API Management instance in the external mode, the developer portal, API gateway, and other API Management endpoints are accessible from the public internet, and backend services are located in the Azure Virtual Network.

    enter image description here

    Here I also attach the solution architecture to show how all these components are connected together. I also have Azure Front Door here but API Management is deployed with external mode. Please remember that you will also need private DNS Zone for your Azure Container Apps Environment domain, to make it possible to refer to specific APIs from the Azure API Management using URLs, example:

    https://ca-tmf-mip-vc-api–v-01.blacklacier-cf61414b.westeurope.azurecontainerapps.io

    enter image description here

    Helpful links:

    Repo with Bicep files to deploy Azure Container App with internal mode

    Azure Container Apps Virtual Network Integration

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search