
Restrict API Caller IPs

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Azure API Management APIs are configured to allow calls from specific IP addresses or IP address ranges only in order to protect your API resources against unauthorized access. Prior to running this conformity rule, you need to specify the list of public IPv4 addresses and/or IPv4 address ranges that are allowed to access your APIs, in the rule settings, on your Trend Micro Cloud One™ – Conformity account console. To configure IP-based access for your APIs, a built-in policy named ip-filter must be implemented at the API level.

Security

Filtering incoming requests based on caller IP addresses in Azure API Management enhances security by preventing access from known malicious sources. This proactive measure helps safeguard your APIs, mitigates potential threats, and ensures that only authorized and trusted requests are allowed, minimizing the risk of unauthorized access or attacks on your API infrastructure.


Audit

To determine if the access to your Azure API Management APIs is limited to specific (trusted) IP addresses/IP address ranges only, perform the following actions:

Using Azure Console

01 Sign in to your Trend Micro Cloud One™ – Conformity console, access Restrict API Caller IPs conformity rule settings and identify the list of trusted IPv4 addresses/ranges defined for your Azure API Management APIs.

02 Sign in to the Azure Management Console.

03 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

05 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

06 Click on the name (link) of the Azure API Management service that you want to examine.

07 In the main navigation panel, under APIs, select APIs to access the list of APIs managed by the selected service.

08 Select the API that you want to examine, listed under All APIs.

09 Choose the Design tab, select All operations from the API menu, and check the Policies section for Inbound processing to determine the inbound policies that modify the request before it is sent to the backend service. If the ip-filter policy is not listed in the Policies section, the built-in policy required for filtering API calls from specific IP addresses is not enabled for the selected API resource. If the ip-filter policy is available for Inbound processing, continue the Audit process with the next step.

10 Click on the ip-filter policy and find the ip-filter element that has action set to "allow" (i.e. <ip-filter action="allow">) in the policy definition. Compare the IP addresses/IP address ranges from address and address-range elements with the ones identified at step no. 1. If one or more IPv4 addresses allowed in the ip-filter policy are not specified in the conformity rule settings, the access to the selected Azure API Management API is not restricted to trusted IP addresses only.

11 Repeat steps no. 8 - 10 for each API managed by the selected Azure API Management service.

12 Repeat steps no. 6 - 11 for each Azure API Management service available within the current Azure subscription.

13 Repeat steps no. 4 - 12 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Trend Micro Cloud One™ – Conformity console, access Restrict API Caller IPs conformity rule settings and identify the list of trusted IPv4 addresses/ranges defined for your Azure API Management APIs.

02 Run apim list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure API Management service instance available in the current subscription:

az apim list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

03 The command output should return the requested Azure API Management service names:

Name                           ResourceGroup
----------------------         ------------------------------
cc-main-api-service-instance   cloud-shell-storage-westeurope
cc-project5-service-instance   cloud-shell-storage-westeurope

04 Run apim api list command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to describe the name of each API managed by the selected service:

az apim api list \
  --service-name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --query '[].name'

05 The command output should return the requested Azure API Management API names:

[
	"cc-worker-api",
	"cc-filter-api"
]

06 Run Get-AzApiManagementPolicy PowerShell command (cmdlet) to describe the policies defined at the API level for the selected Azure API Management API:

# Get the service instance name and associated resource group
$apimServiceInstance = New-AzApiManagementContext -ResourceGroupName "cloud-shell-storage-westeurope" -ServiceName "cc-main-api-service-instance"

# Get the policies defined for the selected API
Get-AzApiManagementPolicy -Context $apimServiceInstance -ApiId "cc-worker-api"

07 The command output should return the policies configured for the selected API resource:

<!--
        IMPORTANT:
        - Policy elements can appear only within the <inbound>, <outbound>, <backend> section elements.
        - To apply a policy to the incoming request (before it is forwarded to the backend service), place a corresponding policy element within the <inbound> section element.
        - To apply a policy to the outgoing response (before it is sent back to the caller), place a corresponding policy element within the <outbound> section element.
        - To add a policy, place the cursor at the desired insertion point and select a policy from the sidebar.
        - To remove a policy, delete the corresponding policy statement from the policy document.
        - Position the <base> element within a section element to inherit all policies from the corresponding section element in the enclosing scope.
        - Remove the <base> element to prevent inheriting policies from the corresponding section element in the enclosing scope.
        - Policies are applied in the order of their appearance, from the top down.
        - Comments within policy elements are not supported and may disappear. Place your comments between policy elements or at a higher level scope.
-->
<policies>
	<inbound>
			<base />
			<ip-filter action="allow">
					<address>10.0.0.15</address>
					<address-range from="10.20.5.0" to="10.20.5.28" />
			</ip-filter>
	</inbound>
	<backend>
			<base />
	</backend>
	<outbound>
			<base />
	</outbound>
	<on-error>
			<base />
	</on-error>
</policies>

Check the <policies></policies> element returned by the Get-AzApiManagementPolicy command output to determine the policies configured for the selected API. For IP-based access, the <inbound></inbound> element must contain an ip-filter policy with the action attribute set to "allow" (i.e. <ip-filter action="allow"></ip-filter>). If this ip-filter policy is not listed in the <policies></policies> element, the built-in policy required for filtering API calls from specific IP addresses is not enabled for the selected API resource. If the ip-filter policy is available, compare the IP addresses/IP address ranges from the address and address-range elements with the ones identified at step no. 1. If one or more IPv4 addresses allowed in the ip-filter policy are not specified in the conformity rule settings, the access to the selected Azure API Management API is not restricted to trusted IP addresses only.
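The comparison in step no. 7 can be automated once the policy XML has been retrieved. The following Python snippet is an added example, not part of the original rule or of the Azure tooling: it reads the `<inbound>` `ip-filter action="allow"` element, converts every `address` and `address-range` into CIDR networks, and reports any allowed entry that is not contained in the trusted list. The trusted list (`TRUSTED`) and the policy document (`SAMPLE_POLICY`) are constructed sample values; it assumes the trusted addresses/ranges from the rule settings are written as IPv4 CIDR networks.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: trusted IPv4 ranges as they would be copied from the
# Conformity rule settings (hypothetical values, not from any real account).
TRUSTED = ["10.0.0.0/24", "10.20.5.0/27"]

# Constructed sample policy, shaped like the Get-AzApiManagementPolicy output.
SAMPLE_POLICY = """<policies>
  <inbound>
    <base />
    <ip-filter action="allow">
      <address>10.0.0.15</address>
      <address-range from="10.20.5.0" to="10.20.5.28" />
    </ip-filter>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>"""


def allowed_networks(policy_xml):
    """Return the networks allowed by <inbound> ip-filter action="allow" elements,
    or None when no such filter exists (policy not enabled for the API)."""
    root = ET.fromstring(policy_xml)
    filters = [f for f in root.findall("inbound/ip-filter")
               if f.get("action") == "allow"]
    if not filters:
        return None
    nets = []
    for f in filters:
        for addr in f.findall("address"):
            if addr.text and addr.text.strip():
                nets.append(ipaddress.ip_network(addr.text.strip()))
        for rng in f.findall("address-range"):
            first = ipaddress.ip_address(rng.get("from"))
            last = ipaddress.ip_address(rng.get("to"))
            # A from/to range is split into the CIDR blocks that cover it exactly.
            nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def untrusted_entries(policy_xml, trusted):
    """Return allowed networks not fully inside a trusted network.
    [] means compliant; None means the ip-filter policy is missing."""
    allowed = allowed_networks(policy_xml)
    if allowed is None:
        return None
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    return [n for n in allowed if not any(n.subnet_of(t) for t in trusted_nets)]
```

An empty result means every allowed address/range is covered by the trusted list; a non-empty result lists the entries to remove in the Remediation section, and `None` means the API has no allow filter at all.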

08 Repeat steps no. 6 and 7 for each API managed by the selected Azure API Management service.

09 Repeat steps no. 4 - 8 for each Azure API Management service available within the current Azure subscription.

10 Repeat steps no. 1 - 9 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To limit Azure API Management API access to specific, trusted IP addresses/IP address ranges only, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to access.

06 In the main navigation panel, under APIs, select APIs to access the list of APIs managed by the selected service.

07 Select the API that you want to configure, listed under All APIs.

08 Select the Design tab and choose All operations from the API menu, to apply the policy to all operations.

09 If the ip-filter policy is not enabled for the selected API resource, choose + Add policy from the Inbound processing box, select Filter IP addresses (ip-filter) built-in policy, choose Allowed IPs, select + Add IP filter, add the trusted IP addresses/IP address ranges specified in the rule configuration settings, on your Trend Micro Cloud One™ – Conformity account console, and choose Save to apply the changes.

10 If the policy is enabled for the selected API, click on the ip-filter policy and find the ip-filter element that has action set to "allow" (i.e. <ip-filter action="allow">) in the policy definition. Remove any unknown, untrusted IPv4 addresses from the address and address-range elements, add the trusted IP addresses/IP address ranges specified in the conformity rule settings, and choose Save to apply the changes.

11 Repeat steps no. 7 - 10 for each API managed by the selected Azure API Management service.

12 Repeat steps no. 5 - 11 for each Azure API Management service available within the current Azure subscription.

13 Repeat steps no. 3 - 12 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Configure the ip-filter policy required for filtering API calls from specific, trusted IP addresses and save the policy to an XML document named api-policy.xml. Remove any unknown, untrusted IPv4 addresses from the address and address-range elements, and add the trusted IP addresses/IP address ranges specified in the conformity rule settings, on your Trend Micro Cloud One™ – Conformity account console. If your API contains other policies, add them to the api-policy.xml file as well, because the file replaces the whole API-level policy document. The following example contains only the ip-filter policy. In this example, API access is allowed to IP address 10.0.0.45 and IP address range 10.20.5.30 to 10.20.5.38:

<policies>
	<inbound>
		<base />
		<ip-filter action="allow">
			<address>10.0.0.45</address>
			<address-range from="10.20.5.30" to="10.20.5.38" />
		</ip-filter>
	</inbound>
	<backend>
		<base />
	</backend>
	<outbound>
		<base />
	</outbound>
	<on-error>
		<base />
	</on-error>
</policies>

02 Run Set-AzApiManagementPolicy PowerShell command (cmdlet) to apply the ip-filter policy defined at the previous step to the selected Azure API Management API (the command does not produce an output):

# Get the service instance name and associated resource group
$apimServiceInstance = New-AzApiManagementContext -ResourceGroupName "cloud-shell-storage-westeurope" -ServiceName "cc-main-api-service-instance"

# Set the ip-filter built-in for the selected API using the api-policy.xml file
Set-AzApiManagementPolicy -Context $apimServiceInstance -ApiId "cc-worker-api" -PolicyFilePath "api-policy.xml"

03 Run Get-AzApiManagementPolicy PowerShell command (cmdlet) to describe the policy configured for the selected API at the previous step:

# Get the service instance name and associated resource group
$apimServiceInstance = New-AzApiManagementContext -ResourceGroupName "cloud-shell-storage-westeurope" -ServiceName "cc-main-api-service-instance"

# Get the policies defined for the selected API
Get-AzApiManagementPolicy -Context $apimServiceInstance -ApiId "cc-worker-api"

04 The command output should return the policies defined for the selected API, including the ip-filter policy applied at the previous step:

<policies>
	<inbound>
		<base />
		<ip-filter action="allow">
			<address>10.0.0.45</address>
			<address-range from="10.20.5.30" to="10.20.5.38" />
		</ip-filter>
	</inbound>
	<backend>
		<base />
	</backend>
	<outbound>
		<base />
	</outbound>
	<on-error>
		<base />
	</on-error>
</policies>

05 Repeat steps no. 1 - 4 for each API managed by the selected Azure API Management service.

06 Repeat steps no. 1 - 5 for each Azure API Management service available within the current Azure subscription.

07 Repeat steps no. 1 - 6 for each subscription created in your Microsoft Azure cloud account.

Publication date Dec 27, 2023
