To safeguard your Azure API Management APIs from unauthorized access, restrict network access to them by caller IP address: configure each API to accept requests only from authorized IP addresses or designated IP address ranges. Unrestricted network access, in which the API accepts connections from any IP address, is not recommended. IP-based access for an API is configured with the built-in ip-filter policy, placed in the inbound section of the policy definition. The policy can be set at the global, product, API, or operation scope; applying it at the API scope restricts every operation of that API, and a scope that only contains base inherits whatever the enclosing scope defines, so the effective restriction must be checked across all scopes.
By filtering incoming requests on the caller's IP address in Azure API Management, you reduce the exposed surface of your APIs to a known set of sources, so that requests from anywhere else are rejected at the gateway before they reach your backend. Note that an ip-filter with action="forbid" only blocks the listed addresses and still admits every other caller; an allow list (action="allow") is what closes the API to unknown sources. The filter compares the source address of the connection as seen by the API Management gateway, so if requests arrive through a reverse proxy or CDN such as Azure Front Door, the gateway sees the proxy's address rather than the end client's; in that deployment the allow list must name the proxy's egress ranges and the client restriction must be enforced at the proxy itself.
Audit
To determine if your Azure API Management APIs allow unrestricted network access, perform the following operations:
Remediation / Resolution
To allow API calls from specific, trusted IP addresses/IP address ranges only, perform the following operations:
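The check below is an added example, not the page's own audit or remediation procedure and not Microsoft's code. It classifies an exported API Management policy document as unrestricted, restricted, or needing review, using the ip-filter semantics described above: only an unconditional inbound ip-filter with action="allow" counts as a restriction, a forbid-only filter does not, and an allow list that sits inside a choose/when branch is flagged for manual review because it does not cover every request. The four policy documents are constructed samples; in practice the XML for a given scope would be retrieved with Get-AzApiManagementPolicy (from the references) after enumerating instances and APIs with az apim list and az apim api list, and the global scope would be audited as well, since a scope containing only base inherits from it.

```python
"""Audit Azure API Management policy XML for an inbound ip-filter allow list.

Added example. The policy documents are constructed samples, not exports
from a real API Management instance.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: default policy, no caller restriction at all.
UNRESTRICTED_POLICY = """\
<policies>
  <inbound><base /></inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>"""

# Constructed sample: a deny list only. Every address not listed is still admitted.
FORBID_ONLY_POLICY = """\
<policies>
  <inbound>
    <base />
    <ip-filter action="forbid">
      <address>192.0.2.25</address>
    </ip-filter>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>"""

# Constructed sample: the remediated form, an explicit allow list at API scope.
RESTRICTED_POLICY = """\
<policies>
  <inbound>
    <base />
    <ip-filter action="allow">
      <address>203.0.113.10</address>
      <address-range from="198.51.100.0" to="198.51.100.255" />
    </ip-filter>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>"""

# Constructed sample: allow list applied only inside a conditional branch, so it
# does not cover every request and needs a human look. (X-Internal is a made-up header.)
CONDITIONAL_POLICY = """\
<policies>
  <inbound>
    <base />
    <choose>
      <when condition="@(context.Request.Headers.ContainsKey(&quot;X-Internal&quot;))">
        <ip-filter action="allow">
          <address>203.0.113.10</address>
        </ip-filter>
      </when>
    </choose>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>"""


def _entries(ip_filter: ET.Element) -> List[str]:
    """Flatten one <ip-filter> into 'a.b.c.d' and 'from-to' strings."""
    out: List[str] = []
    for addr in ip_filter.findall("address"):
        text = (addr.text or "").strip()
        if text:
            out.append(text)
    for rng in ip_filter.findall("address-range"):
        out.append(f"{rng.get('from')}-{rng.get('to')}")
    return out


def audit_policy(policy_xml: str) -> Dict[str, object]:
    """Classify one scope's policy document.

    status is 'restricted' when an unconditional inbound ip-filter allow list exists,
    'review' when allow lists appear only inside <choose>/<when> branches, and
    'unrestricted' otherwise (no ip-filter at all, or forbid-only filters).
    Inherited policy from an enclosing scope (<base />) is not visible here.
    """
    root = ET.fromstring(policy_xml)
    inbound = root.find("inbound")
    unconditional: List[str] = []
    conditional: List[str] = []
    if inbound is not None:
        direct_ids = {id(e) for e in inbound.findall("ip-filter")}  # direct children
        for flt in inbound.iter("ip-filter"):  # iter() also reaches nested filters
            if (flt.get("action") or "").lower() != "allow":
                continue  # forbid lists do not restrict unknown callers
            target = unconditional if id(flt) in direct_ids else conditional
            target.extend(_entries(flt))
    if unconditional:
        status = "restricted"
    elif conditional:
        status = "review"
    else:
        status = "unrestricted"
    return {"status": status, "allowed": unconditional, "conditional": conditional}


def is_unrestricted(policy_xml: str) -> bool:
    """True when the policy lets any caller IP reach the API."""
    return audit_policy(policy_xml)["status"] == "unrestricted"


if __name__ == "__main__":
    samples = [("default", UNRESTRICTED_POLICY), ("forbid-only", FORBID_ONLY_POLICY),
               ("allow-list", RESTRICTED_POLICY), ("conditional", CONDITIONAL_POLICY)]
    for name, doc in samples:
        print(f"{name:12s} -> {audit_policy(doc)}")
```

When remediating, RESTRICTED_POLICY is the shape to write back with Set-AzApiManagementPolicy: an allow list naming only the trusted addresses and ranges. Because the policy engine evaluates ip-filter at every scope where it is defined, an allow list at the API scope is not undone by a forbid list at the global scope, but it is also not a substitute for auditing the other scopes.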
References
- Azure Official Documentation
  - How to set or edit Azure API Management policies
  - Restrict caller IPs (ip-filter policy)
- Azure CLI Documentation
  - az apim list
  - az apim api list
- Azure PowerShell Documentation
  - New-AzApiManagementContext
  - Get-AzApiManagementPolicy
  - Set-AzApiManagementPolicy
Unrestricted API Access
Risk Level: Medium