
Disable Public Network Access to API Management Services with Private Endpoints


Risk Level: High (not acceptable risk)
Rule ID: APIManagement-008

Azure API Management services configured with a private endpoint should not be publicly accessible. Disabling public network access ensures that the API service instance is reachable only from within your private network, over Azure Private Link, which limits exposure to external threats and unauthorized access.

Security

When an Azure API Management service instance configured with a private endpoint is publicly accessible, it opens up the backend services to the public Internet, increasing the risk of unauthorized access, potential security breaches, and compliance violations. Therefore, it is vital to restrict access to these instances solely within the private network to maintain the security and integrity of the backend infrastructure.


Audit

To determine if the Azure API Management services configured with a private endpoint are publicly exposed, perform the following actions:

Determining whether Azure API Management services with private endpoints are accessible from the public Internet using the Azure Portal is not currently supported.

Using Azure CLI

  1. Run the apim list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure API Management service instance available in the current subscription:

    az apim list \
      --output table \
      --query '[*].{name:name, resourceGroup:resourceGroup}'
    
  2. The command output should return the requested Azure API Management service names:

    Name                           ResourceGroup
    ----------------------         ------------------------------
    cc-main-api-service-instance   cloud-shell-storage-westeurope
    cc-project5-service-instance   cloud-shell-storage-westeurope
    
  3. Run the apim show command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to determine if the selected service instance is configured with a private endpoint:

    az apim show \
      --name cc-main-api-service-instance \
      --resource-group cloud-shell-storage-westeurope \
      --output yaml \
      --query 'privateEndpointConnections'
    
  4. The command output should return the information available for the configured private endpoint(s), including the endpoint identifier, the resource provisioning state, and the Private Link service connection status. If the apim show command does not produce an output, the service instance is not configured with a private endpoint. If the apim show command returns an output, as shown in the example below, the API service has a private endpoint, therefore you can continue the Audit process with the next step:

    - groupIds:
      - Gateway
      id: /subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ApiManagement/service/cc-main-api-service-instance/privateEndpointConnections/cc-api-service-private-endpoint
      name: cc-api-service-private-endpoint
      privateEndpoint:
        id: /subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-api-service-private-endpoint
        resourceGroup: cloud-shell-storage-westeurope
      privateLinkServiceConnectionState:
        actionsRequired: null
        description: ''
        status: Approved
      provisioningState: Succeeded
      resourceGroup: cloud-shell-storage-westeurope
      type: Microsoft.ApiManagement/service/privateEndpointConnections
    
  5. Run the apim show command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to determine if the selected service instance, configured with a private endpoint, is exposed to the public Internet:

    az apim show \
      --name cc-main-api-service-instance \
      --resource-group cloud-shell-storage-westeurope \
      --query 'publicNetworkAccess'
    
  6. The command output should return the value of the "publicNetworkAccess" configuration attribute:

    "Enabled"

    If the publicNetworkAccess value is set to "Enabled", as shown in the example above, public network access is enabled for the selected Azure API Management service, therefore the service instance is publicly accessible even though a private endpoint is configured.

  7. Repeat steps no. 3 - 6 for each Azure API Management service available within the current Azure subscription.

  8. Repeat steps no. 1 - 7 for each subscription created in your Microsoft Azure cloud account.
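The Audit steps above combine two answers per instance (does it have a private endpoint, and is publicNetworkAccess still "Enabled"). The following script is an added example, not Conformity's own code, that applies that decision to the JSON `az apim show` returns; the sample documents are constructed to mirror the fields shown on this page, and the live `fetch_instances` path assumes a logged-in Azure CLI.

```python
import json
import subprocess

# Added example (not Conformity's own code): evaluate rule APIManagement-008
# against the JSON that `az apim show` returns (the fields used in steps 3-6).

def evaluate(apim):
    """Return (finding, reason) for one `az apim show` document.
    finding is True only when the instance has a private endpoint
    connection AND publicNetworkAccess is not "Disabled"."""
    pecs = apim.get("privateEndpointConnections") or []   # null when none
    if not pecs:
        return False, "no private endpoint configured; rule not applicable"
    access = apim.get("publicNetworkAccess")
    if access == "Disabled":
        return False, "public network access already disabled"
    return True, "private endpoint present but publicNetworkAccess=%r" % access

def audit(show_docs):
    """Names of non-compliant instances from a list of `az apim show` documents."""
    return [doc["name"] for doc in show_docs if evaluate(doc)[0]]

def fetch_instances():
    """Live path, only used when run as a script: needs a logged-in Azure CLI."""
    listing = json.loads(subprocess.check_output(
        ["az", "apim", "list", "--output", "json",
         "--query", "[*].{name:name, resourceGroup:resourceGroup}"]))
    return [json.loads(subprocess.check_output(
                ["az", "apim", "show", "--name", item["name"],
                 "--resource-group", item["resourceGroup"], "--output", "json"]))
            for item in listing]

# Constructed samples (not real output) mirroring the fields shown on the page.
SAMPLE_EXPOSED = {
    "name": "cc-main-api-service-instance",
    "publicNetworkAccess": "Enabled",
    "privateEndpointConnections": [{
        "name": "cc-api-service-private-endpoint",
        "privateLinkServiceConnectionState": {"status": "Approved"}}],
}
SAMPLE_FIXED = dict(SAMPLE_EXPOSED, publicNetworkAccess="Disabled")
SAMPLE_NO_PE = {"name": "cc-project5-service-instance",
                "publicNetworkAccess": "Enabled",
                "privateEndpointConnections": None}

if __name__ == "__main__":
    for doc in fetch_instances():
        finding, reason = evaluate(doc)
        print(doc["name"], "NON-COMPLIANT" if finding else "ok", "-", reason)
```

Run it once per subscription (after `az account set`), which covers the repetition in steps 7 and 8.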

Remediation / Resolution

To disable public network access to API Management services configured with private endpoints, perform the following actions:

Disabling public network access to API Management service instances via Azure Portal is not currently supported.

Using Azure CLI

  1. Run the apim update command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to configure and its associated resource group as the identifier parameters to disable public network access for the selected service instance by setting the --public-network-access parameter to false. The changes can take from 15 to 45 minutes to apply. Once public network access is disabled, the private endpoint is the exclusive access method:

    az apim update \
      --name cc-main-api-service-instance \
      --resource-group cloud-shell-storage-westeurope \
      --public-network-access false
    
  2. The command output should return the new configuration details for the service instance:

    {
    	"additionalLocations": null,
    	"apiVersionConstraint": {
    		"minApiVersion": null
    	},
    	"certificates": null,
    	"createdAtUtc": "2023-11-11T09:05:29.087014+00:00",
    	"customProperties": {
    		"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "true",
    		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "false",
    		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "false",
    		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "false",
    		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls13": "False",
    		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "false",
    		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "false",
    		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "false",
    		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "false",
    		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls13": "False"
    	},
    	"developerPortalUrl": "https://cc-main-api-service-instance.developer.azure-api.net",
    	"disableGateway": false,
    	"enableClientCertificate": null,
    	"gatewayRegionalUrl": "https://cc-main-api-service-instance-westeurope-01.regional.azure-api.net",
    	"gatewayUrl": "https://cc-main-api-service-instance.azure-api.net",
    	"hostnameConfigurations": [
    		{
    			"certificate": null,
    			"certificatePassword": null,
    			"certificateSource": "BuiltIn",
    			"certificateStatus": null,
    			"defaultSslBinding": true,
    			"encodedCertificate": null,
    			"hostName": "cc-main-api-service-instance.azure-api.net",
    			"identityClientId": null,
    			"keyVaultId": null,
    			"negotiateClientCertificate": false,
    			"type": "Proxy"
    		}
    	],
    	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ApiManagement/service/cc-main-api-service-instance",
    	"identity": null,
    	"location": "West Europe",
    	"managementApiUrl": "https://cc-main-api-service-instance.management.azure-api.net",
    	"name": "cc-main-api-service-instance",
    	"natGatewayState": "Unsupported",
    	"notificationSenderEmail": "apimgmt-noreply@mail.windowsazure.com",
    	"outboundPublicIpAddresses": [
    		"xxx.xxx.xxx.xxx"
    	],
    	"platformVersion": "stv2",
    	"portalUrl": "https://cc-main-api-service-instance.portal.azure-api.net",
    	"privateEndpointConnections": [
    		{
    			"groupIds": [
    				"Gateway"
    			],
    			"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ApiManagement/service/cc-main-api-service-instance/privateEndpointConnections/cc-api-service-private-endpoint",
    			"name": "cc-api-service-private-endpoint",
    			"privateEndpoint": {
    				"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-api-service-private-endpoint",
    				"resourceGroup": "cloud-shell-storage-westeurope"
    			},
    			"privateLinkServiceConnectionState": {
    				"actionsRequired": null,
    				"description": "",
    				"status": "Approved"
    			},
    			"provisioningState": "Succeeded",
    			"resourceGroup": "cloud-shell-storage-westeurope",
    			"type": "Microsoft.ApiManagement/service/privateEndpointConnections"
    		}
    	],
    	"privateIpAddresses": null,
    	"provisioningState": "Succeeded",
    	"publicIpAddressId": null,
    	"publicIpAddresses": [
    		"xxx.xxx.xxx.xxx"
    	],
    	"publicNetworkAccess": "Disabled",
    	"publisherEmail": "user@domain.com",
    	"publisherName": "TrendMicro",
    	"resourceGroup": "cloud-shell-storage-westeurope",
    	"restore": null,
    	"scmUrl": "https://cc-main-api-service-instance.scm.azure-api.net",
    	"sku": {
    		"capacity": 1,
    		"name": "Developer"
    	},
    	"systemData": {
    		"createdAt": "2023-11-11T08:05:29.046481+00:00",
    		"createdBy": "user@domain.com",
    		"createdByType": "User",
    		"lastModifiedAt": "2023-11-11T17:09:51.844507+00:00",
    		"lastModifiedBy": "user@domain.com",
    		"lastModifiedByType": "User"
    	},
    	"tags": {},
    	"targetProvisioningState": "",
    	"type": "Microsoft.ApiManagement/service",
    	"virtualNetworkConfiguration": null,
    	"virtualNetworkType": "None",
    	"zones": null
    }
    
  3. Repeat steps no. 1 and 2 for each Azure API Management service that you want to configure, available within the current subscription.

  4. Repeat steps no. 1 - 3 for each subscription created in your Microsoft Azure cloud account.

Publication date Dec 26, 2023