TL;DR

You decided to build a web application in Azure - great! The solution contains App Service, CosmosDB, Blob Storage or other resources. You started with a really simple solution, but as an IT Pro you decided to build three environments: Development, Test, and Production. You also decided to use Azure API Management to manage your APIs. You are aware of the security risks and you want to protect your resources. Please follow my suggestion to use Azure Front Door and API Management to protect your resources.

Big Picture

Secure Azure Resources

Azure FrontDoor

Azure Front Door is a Layer 7 (application level - you have access to the payload and headers) load balancer with a global network and built-in security. In the context of security, it is a perfect element to be the guardian of your resources. With the Premium plan (recommended), you can use the built-in Web Application Firewall (WAF) rule sets to protect your resources. It is an excellent option to protect your resources from:

  • DDoS attacks,
  • bots (with built-in rules),
  • unwanted IP ranges (for service-to-service restrictions),
  • OWASP Top 10 attacks (with built-in rules),
  • and more with custom rules (payload size, headers, etc.).

The resource is costly. Consider using one instance for all your resources (API Management, Web Apps, etc.) and attach different dedicated rules to each of them, based on their requirements. To test new rules, enable them for a single resource in detection mode only (matches are logged but not blocked). Also, for any ‘tests’, you can create a sandbox Front Door instance; it is highly recommended to deploy it with Infrastructure as Code (IaC) so you can tear it down and redeploy it on demand.
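As an added example (not part of the original post), here is a Bicep template for a Premium Front Door WAF policy that reflects the advice above: the managed OWASP-style Default Rule Set and the Bot Manager rule set are enabled, the policy starts in Detection mode so new rules can be evaluated from the WAF logs before switching to Prevention, and two custom rules cover the "headers / payload size" and "IP ranges for service-to-service" cases. The policy name, the 203.0.113.0/24 allowlist, the /internal/ path prefix and the 1 MiB Content-Length limit are constructed values for illustration. Associating the policy with a Front Door endpoint (a security policy on the profile) is a separate resource and is not shown.

```bicep
// Added example: Front Door Premium WAF policy in Detection mode with managed
// and custom rules. Names, CIDR ranges and limits are constructed placeholders.
targetScope = 'resourceGroup'

@description('WAF policy name (letters and digits only for Front Door WAF policies)')
param wafPolicyName string = 'sandboxWafPolicy'

@description('Start in Detection to tune rules from logs; switch to Prevention once tuned')
@allowed([ 'Detection', 'Prevention' ])
param wafMode string = 'Detection'

@description('Constructed allowlist of partner ranges permitted to call /internal/ paths')
param internalAllowedRanges array = [ '203.0.113.0/24' ]

resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: wafPolicyName
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor' // managed rule sets require the Premium tier
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: wafMode
      requestBodyCheck: 'Enabled' // let managed rules inspect the request body as well
    }
    managedRules: {
      managedRuleSets: [
        {
          // Microsoft Default Rule Set: OWASP-based protections with anomaly scoring
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'
        }
        {
          // Bot Manager rule set: good bots allowed, known bad bots blocked
          ruleSetType: 'Microsoft_BotManagerRuleSet'
          ruleSetVersion: '1.0'
        }
      ]
    }
    customRules: {
      rules: [
        {
          // Service-to-service path: block any caller whose source IP is NOT in the allowlist.
          // Both match conditions must hold (they are ANDed), so public paths are unaffected.
          name: 'RestrictInternalPathToAllowlist'
          priority: 100
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Block'
          matchConditions: [
            {
              matchVariable: 'RequestUri'
              operator: 'Contains'
              matchValue: [ '/internal/' ]
              transforms: [ 'Lowercase' ]
            }
            {
              matchVariable: 'RemoteAddr'
              operator: 'IPMatch'
              negateCondition: true
              matchValue: internalAllowedRanges
            }
          ]
        }
        {
          // Payload-size guard: reject requests that declare a body larger than 1 MiB.
          // This checks the Content-Length header, so it is a cheap first line, not a
          // replacement for limits enforced by the backend itself.
          name: 'BlockOversizedBodies'
          priority: 200
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Block'
          matchConditions: [
            {
              matchVariable: 'RequestHeader'
              selector: 'Content-Length'
              operator: 'GreaterThan'
              matchValue: [ '1048576' ]
            }
          ]
        }
      ]
    }
  }
}

output wafPolicyId string = wafPolicy.id
```

Deploy it into a sandbox resource group with `az deployment group create --resource-group <rg> --template-file waf.bicep`, review the `FrontDoorWebApplicationFirewallLog` entries for false positives, then redeploy with `wafMode=Prevention`. Keeping the mode as a parameter is what makes the "test in detection first, then enforce" workflow a one-line change instead of a manual portal edit.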

Azure API Management

You are growing your solution and you have more and more APIs. You need to manage who can use them, how often, and from where - and you found a perfect solution: Azure API Management. Adding an extra abstraction layer that hides your ‘real’ resources is a good option. In addition, you can use policies to protect your resources:

  • additional policies like JWT validation,
  • rate limiting,
  • and more.

Like the FrontDoor, you can use one resource for all your APIs and environments.
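As an added example (not part of the original post), here is the matching API Management side, deployed as a Bicep resource so it sits next to the Front Door template above in the same IaC pipeline. The inbound policy does three things: it rejects requests that did not arrive through your Front Door profile (an API Management instance with a public endpoint is otherwise reachable directly, which would bypass the WAF), it validates the caller's JWT, and it applies a per-caller rate limit keyed on the token subject. The named values `frontdoor-id`, `tenant-id` and `api-audience`, the `Orders.Read` role, and the 100-calls-per-minute limit are assumptions for illustration; the API Management service and API are referenced as existing resources.

```bicep
// Added example: API-scoped policy for an existing API Management API.
// Named values (frontdoor-id, tenant-id, api-audience) are assumed to exist.
targetScope = 'resourceGroup'

@description('Existing API Management service name')
param apimName string

@description('Existing API name inside the service')
param apiName string

resource apim 'Microsoft.ApiManagement/service@2022-08-01' existing = {
  name: apimName
}

resource api 'Microsoft.ApiManagement/service/apis@2022-08-01' existing = {
  name: apiName
  parent: apim
}

resource apiPolicy 'Microsoft.ApiManagement/service/apis/policies@2022-08-01' = {
  name: 'policy'
  parent: api
  properties: {
    format: 'rawxml'
    value: '''
<policies>
  <inbound>
    <base />
    <!-- 1. Only accept traffic that came through our Front Door profile.
         Front Door stamps its profile ID into X-Azure-FDID; the named value
         frontdoor-id (assumed) holds that GUID. Anything else gets 403. -->
    <check-header name="X-Azure-FDID" failed-check-httpcode="403"
                  failed-check-error-message="Requests must come through Front Door"
                  ignore-case="true">
      <value>{{frontdoor-id}}</value>
    </check-header>

    <!-- 2. Validate the bearer token: signature and issuer from the tenant's
         OpenID metadata, audience must be our API, and the caller needs the
         Orders.Read app role (constructed example role). -->
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized" require-scheme="Bearer">
      <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>{{api-audience}}</audience>
      </audiences>
      <required-claims>
        <claim name="roles" match="any">
          <value>Orders.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>

    <!-- 3. Per-caller rate limit: 100 calls per 60 seconds, keyed on the JWT
         subject so one noisy client cannot consume the quota of the others. -->
    <rate-limit-by-key calls="100" renewal-period="60"
                       counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject ?? "anonymous")" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
'''
  }
}
```

Because this is an API-scoped policy, the `<base />` elements keep any global (all-APIs) policy in effect, so the Front Door header check can also live at the global scope once and the per-API policies only add JWT and rate-limit rules. If you use one API Management instance for all environments, give each environment its own named values (a separate Front Door ID and audience per environment) rather than sharing one, so a Test token never validates against the Production API.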

Documentation & Links