Restricting access to certain controllers to Azure APIM only

Question


We have a pretty big and old codebase written in ASP.NET Core, protected using OIDC. There are tens of controllers. Let's say there are 50 controllers. Of these, 45 get called from our frontend, and 5 are APIs that facilitate integration workflows with our partners.
I intend to move these partner-facing APIs behind Azure APIM to be able to manage them using policies and be able to monetise them in future.
While those APIs are accessible from APIM, they are also accessible directly from the partner side. This means I cannot really force our partners to always go via the APIM route.

Any pointers?

While I can check for the presence of some identifier that will only get populated by APIM, I don't want to do that. This still does not protect etc endpoint from being called from partner's side.

Answer 1

Score: 1


The question you need to answer is whether you're OK having endpoints exposed but not callable directly, which is fine in most cases, or whether you want to actually make endpoints not available for direct calls. For the latter only the VNET approach would work, but it could get complicated. For the former you do have some options:

  1. Shared secret. As you propose yourself, have APIM set a secret header/query and validate that in your backend. Partners will still be able to call directly, but you could make your API always return 404/401 if the secret is not provided.
  2. If your backend is in Azure, you could use Managed Identity instead of a secret.
  3. For extra security, you could use certificate authentication with the backend. Have APIM add a client certificate to the backend request and have the backend validate that certificate.
  4. A somewhat less advised option is to validate the caller's IP address on your backend. APIM does have a static IP address, so depending on your service's layout you may be able to make your backend respond only if the call came from APIM.
  5. VNET. You'd have to put your backend into a VNET alongside APIM. And then expose partner-facing APIs via some other gateway, and non-partner-facing ones via APIM.
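Options 1 and 3 above as an added ASP.NET Core example (this is not code from the question or the answer): an authorization policy that admits a request only when it carries the header APIM injects, compared in constant time, and, when a thumbprint is configured, only when the TLS client certificate is the one APIM presents. The header name `X-Apim-Secret`, the configuration keys under `Apim:` and the policy name `FromApim` are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

// Marker requirement: "this request came through APIM".
public sealed class FromApimRequirement : IAuthorizationRequirement { }

public sealed class FromApimHandler : AuthorizationHandler<FromApimRequirement>
{
    private readonly IHttpContextAccessor _http;
    private readonly byte[] _expectedSecret;      // assumed key Apim:SharedSecret, set by an APIM set-header policy
    private readonly string? _apimCertThumbprint; // assumed key Apim:ClientCertThumbprint, optional (option 3)

    public FromApimHandler(IHttpContextAccessor http, IConfiguration config)
    {
        _http = http;
        _expectedSecret = Encoding.UTF8.GetBytes(config["Apim:SharedSecret"] ?? string.Empty);
        _apimCertThumbprint = config["Apim:ClientCertThumbprint"];
    }

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, FromApimRequirement requirement)
    {
        var request = _http.HttpContext?.Request;
        if (request is null) return Task.CompletedTask;

        // Option 1: the APIM-only header, compared in constant time so a direct caller
        // cannot learn the secret byte by byte from response timing.
        var presented = Encoding.UTF8.GetBytes(request.Headers["X-Apim-Secret"].ToString());
        bool secretOk = _expectedSecret.Length > 0
            && CryptographicOperations.FixedTimeEquals(presented, _expectedSecret);

        // Option 3: if a thumbprint is configured, the connection's client certificate must match it.
        bool certOk = _apimCertThumbprint is null
            || string.Equals(request.HttpContext.Connection.ClientCertificate?.Thumbprint,
                             _apimCertThumbprint, StringComparison.OrdinalIgnoreCase);

        // Not calling Succeed leaves the policy unmet, so the caller gets 401/403 rather than data.
        if (secretOk && certOk) context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// Program.cs registration, then put [Authorize(Policy = "FromApim")] on the 5 partner controllers:
// builder.Services.AddHttpContextAccessor();
// builder.Services.AddSingleton<IAuthorizationHandler, FromApimHandler>();
// builder.Services.AddAuthorization(o =>
//     o.AddPolicy("FromApim", p => p.AddRequirements(new FromApimRequirement())));
```

The certificate branch only sees a certificate if Kestrel (or the reverse proxy in front of it) is configured to request client certificates; without that, leave `Apim:ClientCertThumbprint` unset so the policy falls back to the shared-secret check alone.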

huangapple
  • Published on 2023-07-10 18:01:04
  • Please keep this link when reposting: https://go.coder-hub.com/76652665.html