
AZURE API MANAGEMENT - 7-LAYER SECURITY ARCHITECTURE

An API gateway without a security policy is a load balancer with extra steps.

Azure API Management is deployed as a gateway in front of critical banking APIs. The team enabled authentication, set rate limits, and called it done. Three months later a penetration test found that six backend APIs were reachable directly, bypassing the gateway entirely. The gateway was a control that could be routed around.

API security has seven distinct layers. Most teams configure two. The ones that get skipped are where the real incidents happen. What follows is the architecture pattern that makes APIM the only path to your APIs, not merely one path:

The Gateway Bypass Problem

The most common API security finding in Azure environments: the APIM gateway enforces authentication and rate limiting, but the backend APIs behind it are reachable directly from within the Azure environment, or in some cases from the internet. An attacker who gains any foothold inside the Azure network can call the backend APIs directly, bypassing all gateway controls.

The rule that must be unbreakable: the backend APIs must validate that every request comes from the APIM gateway and reject everything else. This is not the default configuration. It must be explicitly implemented.

Layer 1: WAF in Front of APIM

Azure Application Gateway with Web Application Firewall deployed in front of APIM provides OWASP Core Rule Set protection before traffic reaches the gateway. The WAF intercepts known attack patterns (SQL injection, cross-site scripting, path traversal) before they become APIM policy evaluations. Configure APIM to accept traffic only from the Application Gateway’s private IP, making the WAF mandatory in the request path.

Layer 2: JWT Validation with validate-jwt Policy

The APIM validate-jwt policy extracts and validates the bearer token on every inbound request. Configure it to validate: the issuer (your Entra ID tenant), the audience (your API’s application ID), the signature (against the Entra ID JWKS endpoint), and the token expiry. A request with a missing, expired, or tampered token is rejected before it reaches any backend operation.

Do not rely on the backend to validate the token. The APIM policy is the enforcement point. Backends should additionally validate the APIM client certificate, but token validation belongs in the gateway.

Layer 3: Scope and Role-Based Routing

Different consumer identities should reach different API operations based on their token claims. A retail banking customer should never reach the payment initiation API without the specific scope claim that grants that permission. Configure APIM policies to check specific claims before forwarding to sensitive operations: not just that the token is valid, but that it carries the claims required for the specific operation being called.

Layer 4: Rate Limiting for Financial APIs

Standard rate limiting counts requests. Financial API rate limiting must also consider the value and risk of each request. A payment API should have lower rate limits than a balance inquiry API. A caller that triggers a high-risk score in a transaction should have their limit reduced dynamically. APIM’s rate-limit-by-key policy supports custom key expressions that can incorporate claim values, enabling per-user, per-product, and per-operation rate limiting simultaneously.

Layer 5: Input Validation

APIM policies can validate request schemas, enforce payload size limits, and check for injection patterns before the request reaches the backend. The validate-content policy validates JSON or XML bodies against a schema. The validate-headers policy enforces required headers. Reject malformed requests at the gateway; do not let them reach backend application code.

Layer 6: Backend Mutual TLS

The gateway presents a client certificate to the backend on every request. The backend validates this certificate before processing the request. An attacker who somehow reaches the backend IP directly cannot present a valid APIM client certificate and is rejected. Combined with Private Endpoints restricting backend access to the APIM subnet only, this creates defense in depth at the backend layer.
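Layers 1 through 6 combined into a single API-scope policy document, as an added example rather than the page's own configuration: the tenant ID, application ID, Application Gateway private IP and certificate thumbprint are placeholders, the scope name `Payments.Initiate` and the `X-Request-Id` header are assumptions, and `check-header` is used for the inbound required-header check.

```xml
<policies>
  <inbound>
    <base />
    <!-- Layer 1: accept traffic only from the Application Gateway/WAF (placeholder private IP) -->
    <ip-filter action="allow">
      <address>10.0.1.4</address>
    </ip-filter>
    <!-- Layer 2: validate issuer, audience, signature and expiry in the gateway (placeholder IDs) -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  require-expiration-time="true" require-signed-tokens="true"
                  failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/TENANT-ID/v2.0/.well-known/openid-configuration" />
      <issuers>
        <issuer>https://login.microsoftonline.com/TENANT-ID/v2.0</issuer>
      </issuers>
      <audiences>
        <audience>api://APP-ID</audience>
      </audiences>
      <!-- Layer 3: a valid token is not enough; this operation also needs the assumed payment scope -->
      <required-claims>
        <claim name="scp" match="any" separator=" ">
          <value>Payments.Initiate</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- Layer 4: 5 calls/minute per token subject (falls back to caller IP); count only accepted calls -->
    <rate-limit-by-key calls="5" renewal-period="60"
                       counter-key='@(context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt()?.Subject ?? context.Request.IpAddress)'
                       increment-condition="@(context.Response.StatusCode == 200)" />
    <!-- Layer 5: reject bodies over 16 KB, unexpected content types, or JSON not matching the API schema -->
    <validate-content unspecified-content-type-action="prevent" max-size="16384"
                      size-exceeded-action="prevent" errors-variable-name="bodyValidationErrors">
      <content type="application/json" validate-as="json" action="prevent" />
    </validate-content>
    <!-- Layer 5 (headers): require a correlation header (assumed name) before forwarding -->
    <check-header name="X-Request-Id" failed-check-httpcode="400"
                  failed-check-error-message="Missing X-Request-Id" ignore-case="true" />
    <!-- Layer 6: present the gateway client certificate to the backend (placeholder thumbprint) -->
    <authentication-certificate thumbprint="CLIENT-CERT-THUMBPRINT" />
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
```

The backend half of Layer 6 (rejecting any connection that does not present this certificate) and the Private Endpoint restriction live on the backend service and the network, not in this policy.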
