Security considerations for the API Management landing zone accelerator

This article provides design considerations and recommendations for security when using the API Management landing zone accelerator. Security covers multiple aspects including securing the frontend APIs, securing backends, and securing the developer portal.

Learn more about the security design area.

Design considerations

  • Consider how you want to secure your frontend APIs beyond using subscription keys. OAuth 2.0, OpenID Connect, and mutual TLS are common options with built-in support.
  • Think about how you want to protect your backend services behind API Management. Client certificates and OAuth 2.0 are two supported options.
  • Consider which client and backend protocols and ciphers are required to meet your security requirements.
  • Consider API Management validation policies to validate REST or SOAP API requests and responses against schemas defined in the API definition or uploaded to the instance. These policies are not a replacement for a Web Application Firewall but can provide additional protection against some threats.

    Note

    Adding validation policies can have performance implications, so we recommend performance load tests to assess their impact on API throughput.

  • Consider which identity providers besides Microsoft Entra ID need to be supported.

Design recommendations

  • Deploy a Web Application Firewall (WAF) in front of API Management to protect against common web application exploits and vulnerabilities.
  • Use Azure Key Vault to securely store and manage secrets and make them available through named values in API Management.
  • Create a system-assigned managed identity in API Management to establish trust relationships between the service and other resources protected by Microsoft Entra ID, including Key Vault and backend services.
  • APIs should only be accessible over HTTPS to protect data in-transit and ensure its integrity.
  • Use the latest TLS version when encrypting information in transit. Disable outdated and unnecessary protocols and ciphers when possible.

Enterprise scale assumptions

The following are assumptions that went into the development of the API Management landing zone accelerator:

  • Configuration of Azure Application Gateway as a WAF.
  • Protection of the API Management instance in a VNet that controls internal and external connectivity.

Next steps