Best practice rules for API Management
- Authorize Developer Accounts by Using Microsoft Entra ID
  Ensure that user sign-in with Microsoft Entra ID is enabled for the Azure API Management Developer Portal.
- Check the Cipher Suites Configured for API Gateways
  Ensure that Azure API Management API gateways do not use weak cipher suites.
- Check the TLS Version Configured for API Gateways
  Ensure that Azure API Management API gateways do not use deprecated TLS protocols.
- Disable Public Network Access to API Management Services with Private Endpoints
  Ensure that Azure API Management services with private endpoints are not publicly exposed.
- Enable Built-In Response Caching
  Ensure that Azure API Management APIs are configured to enforce built-in response caching.
- Enable Integration with Application Insights
  Ensure that Azure API Management APIs are using Application Insights.
- Enable Resource Logs
  Ensure that resource logs are enabled for Azure API Management API services.
- Enable Support for HTTP/2
  Ensure that HTTP/2 support is enabled within Microsoft Azure API Management.
- Enforce HTTPS
  Ensure that Azure API Management APIs are configured to enforce HTTPS for API calls.
- Prevent the Exposure of Credentials and Secrets Using Encrypted Named Values
  Ensure that named values are encrypted to prevent the exposure of secrets in Azure API Management.
- Secure Access to APIs Using Client Certificates
  Ensure that Azure API Management services are configured to use client certificates.
- Unrestricted API Access
  Ensure that no Azure API Management API allows unrestricted access.
- Use System-Assigned Managed Identities for Azure API Management Services
  Ensure that Azure API Management services are using system-assigned managed identities.
- Use User-Assigned Managed Identities for Azure API Management Services
  Ensure that Azure API Management services are using user-assigned managed identities.