Access security to an Azure App Service API App


Question


We have a system that is based on 2 tiers, a Backend tier and a Frontend tier, right now both are Azure WebSites communicating through WebAPI. I want to move the backend WebAPI to API App - question is - if it's possible to configure the security of an API App in such a way that it is only accessible from the configured Frontend ASP.NET MVC 6 Web application (hosted in Azure WebSites).


We planned to use Active Directory as an authentication method between the frontend Web App and the backend Web App, so that only the frontend can have access to the backend WebAPI. Is this the most secure way? Or are there simpler, but still secure ways for API Apps?

Recommended answer


At this point what you can do is:


  1. Convert the WebAPI to an API App

  2. Set the Access Level to Internal


This will make the API App only accessible from resources within the same Resource Group.


Now, the unfortunate part is that Web Apps (ex-Websites) although they can be on the same Resource Group, in the preview, they don't fully support the Gateway implementation, meaning they can't discover the API App within the Resource Group and the requests will look as external, so the internal API App won't be accessible. Until we support that (WebApps being fully integrated with the Gateway) a workaround to get you working on it is to effectively make the Web App another API App as well. You will still be able to use all the Web App features you know and love AND get the functionality you need with an internal API App, until Web Apps are fully on board with the Gateway.


You don't have to enable AAD to secure the access to the API App, as the API App is internal now.


If your web app has AJAX (JavaScript client) accessing the API App, then the above approach doesn't work (if an API App is internal, then it blocks any external call) and you have set the "Access Level" of the API App as "Public Authenticated". Then you can enable AAD authentication and take advantage of the seamless authentication between apps that live behind the same Gateway. We will generate a token for you (x-zumo-auth header contains the token) which you can read and pass on every request back and forth to successfully authenticate the requests.

The only things to be aware of are some known issues, listed here: https://social.msdn.microsoft.com/Forums/azure/en-US/7f8b42f2-ac0d-48b8-a35e-3b4934e1c25e/api-app-known-issues?forum=AzureAPIApps
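
The "Public Authenticated" case above, where a JavaScript client passes the x-zumo-auth token on every request, as an added example that is not part of the original answer. It assumes the client already holds the token; `API_APP_ORIGIN`, `buildApiRequest` and `callApi` are hypothetical names, and the helper refuses to attach the token to any request that is not HTTPS to the API App's own origin, so the credential is not leaked to other hosts.

```javascript
// Added example: attach the gateway token only to calls bound for the API App.
// API_APP_ORIGIN is a constructed placeholder, not a value from the page.
const API_APP_ORIGIN = "https://my-api-app.example.net";

function buildApiRequest(url, zumoToken, init = {}) {
  if (typeof zumoToken !== "string" || zumoToken.length === 0) {
    throw new Error("missing x-zumo-auth token");
  }
  // Resolve relative paths such as "/api/values" against the API App.
  const target = new URL(url, API_APP_ORIGIN);
  // The token is a bearer credential: never send it in clear text
  // or to an origin other than the API App.
  if (target.protocol !== "https:") {
    throw new Error("refusing to send token over " + target.protocol);
  }
  if (target.origin !== API_APP_ORIGIN) {
    throw new Error("refusing to send token to " + target.origin);
  }
  // Copy caller headers, dropping any stale copy of the auth header
  // (header names are case-insensitive).
  const headers = {};
  for (const [name, value] of Object.entries(init.headers || {})) {
    if (name.toLowerCase() !== "x-zumo-auth") headers[name] = value;
  }
  headers["x-zumo-auth"] = zumoToken;
  return { url: target.href, init: { ...init, headers } };
}

// Thin wrapper around fetch (browsers, Node 18+).
async function callApi(url, zumoToken, init) {
  const req = buildApiRequest(url, zumoToken, init);
  const res = await fetch(req.url, req.init);
  // Assumption: an unauthenticated call is answered with HTTP 401.
  if (res.status === 401) {
    throw new Error("token rejected; sign in again to obtain a new one");
  }
  return res;
}
```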
