Security overview
Azure API Management (APIM) provides multiple layers of security to protect your APIs and the data they expose. These layers include authentication, authorization, transport security, IP filtering, and built‑in policy enforcement.
Authentication
APIM supports several authentication mechanisms, on both sides of the gateway:
- OAuth 2.0 / OpenID Connect bearer tokens presented by clients, checked at the gateway with the validate-jwt policy
- Client certificates (mutual TLS), presented either by clients to the gateway or by the gateway to a backend
- Managed identities, used by the gateway to authenticate to Azure backends without any stored credential
- Subscription keys, the built-in per-product key that identifies a calling application
Example: validate a bearer JWT in the inbound section. The policy fetches the issuer's signing keys from the OpenID Connect metadata document, requires the Bearer scheme and an exp claim, checks the signature and expiry, and rejects tokens whose aud claim does not carry the expected value.
<validate-jwt header-name="Authorization"
    failed-validation-httpcode="401"
    failed-validation-error-message="Unauthorized"
    require-scheme="Bearer"
    require-expiration-time="true">
    <openid-config url="https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration" />
    <required-claims>
        <!-- match="any": the claim must contain at least one of the listed values -->
        <claim name="aud" match="any">
            <value>my-api-audience</value>
        </claim>
    </required-claims>
</validate-jwt>
Authorization
Authorization decisions can be made at the gateway before a request reaches the backend: require specific claims (scopes or roles) from the validated token with required-claims in validate-jwt, require a header value with check-header, restrict by source address with ip-filter, or write a custom policy expression against the request context. Note that check-header compares a shared secret, so it identifies a calling application rather than a user; subscription keys are the built-in equivalent and are scoped per product.
<check-header name="x-api-key" failed-check-httpcode="403" failed-check-error-message="Forbidden" ignore-case="true">
    <!-- {{allowedKey}} is a named value (optionally backed by Key Vault); a policy expression would be written @(...) instead -->
    <value>{{allowedKey}}</value>
</check-header>
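The following is an added example, not part of this page and not APIM's own code: a stdlib-only Python model of the checks validate-jwt performs on a bearer token (scheme, signature, exp/nbf, aud, iss) followed by the scope check the Authorization section relies on, so each failure case can be exercised offline. It assumes a symmetric HS256 key, as APIM would be given through issuer-signing-keys, rather than the RS256 keys fetched from openid-config; the key, issuer URL, audience and scope names are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (placeholders, not real tenant data). In APIM a symmetric key is the
# base64 value under <issuer-signing-keys><key>; the issuer is what openid-config advertises.
SIGNING_KEY = b"demo-shared-secret-do-not-use-in-prod"
ISSUER = "https://login.microsoftonline.com/{tenant}/v2.0"
AUDIENCE = "my-api-audience"


class JwtError(Exception):
    """Any condition that makes validate-jwt return failed-validation-httpcode."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY, alg: str = "HS256") -> str:
    """Build a compact JWT for testing; alg='none' yields the unsigned form attackers try."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    if alg == "none":
        return signing_input + "."
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def validate_bearer(authorization_header, key=SIGNING_KEY, audience=AUDIENCE,
                    issuer=ISSUER, required_scopes=(), now=None) -> dict:
    """Return the claims if every check passes, else raise JwtError (401 at the gateway)."""
    now = int(time.time()) if now is None else now
    # require-scheme="Bearer": the header must carry the scheme, not a bare token
    if not authorization_header or not authorization_header.startswith("Bearer "):
        raise JwtError("missing or wrong scheme")
    parts = authorization_header[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        raise JwtError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise JwtError("undecodable token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise JwtError("malformed token")
    # Pin the algorithm to the configured key type; the token header must never choose it
    if header.get("alg") != "HS256":
        raise JwtError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JwtError("bad signature")
    # require-expiration-time="true", plus the nbf check validate-jwt also performs
    if "exp" not in claims:
        raise JwtError("exp claim required")
    if now >= int(claims["exp"]):
        raise JwtError("token expired")
    if now < int(claims.get("nbf", 0)):
        raise JwtError("token not yet valid")
    # aud may be a string or a list; iss must match the configured issuer exactly
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise JwtError("audience mismatch")
    if claims.get("iss") != issuer:
        raise JwtError("issuer mismatch")
    # Authorization step: required-claims on scp (space-separated, as Entra ID issues it)
    missing = sorted(set(required_scopes) - set(str(claims.get("scp", "")).split()))
    if missing:
        raise JwtError(f"missing scope(s): {missing}")
    return claims


def gateway_outcome(authorization_header, **kwargs) -> str:
    """Status the gateway would send: '200' on success, '401 <reason>' otherwise."""
    try:
        validate_bearer(authorization_header, **kwargs)
        return "200"
    except JwtError as exc:
        return f"401 {exc}"


if __name__ == "__main__":
    now = 1_700_000_000
    base = {"iss": ISSUER, "aud": AUDIENCE, "exp": now + 600, "scp": "orders.read"}
    for name, header in {
        "valid": "Bearer " + mint_token(base),
        "expired": "Bearer " + mint_token({**base, "exp": now - 1}),
        "alg none": "Bearer " + mint_token(base, alg="none"),
        "wrong key": "Bearer " + mint_token(base, key=b"attacker-key"),
        "no scope": "Bearer " + mint_token({**base, "scp": "orders.write"}),
    }.items():
        print(f"{name:9s} -> {gateway_outcome(header, now=now, required_scopes=('orders.read',))}")
```

Running it prints the status each constructed token would receive. The order of the checks is the point: the algorithm is pinned before the signature is compared, so an alg=none token is rejected before any claim is read, and scopes are consulted only after the token is proven authentic, which is the same split between validate-jwt (authentication) and required-claims (authorization) that the policy makes.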
Transport security (TLS/SSL)
Client connections to the gateway use TLS 1.2 by default; TLS 1.0 and 1.1 and weak cipher suites are only accepted if you enable them in the instance's protocol settings, and the same settings govern TLS from the gateway to backends. Plain HTTP can be disabled per API so that only HTTPS endpoints are exposed. Custom domain certificates can be uploaded via the Azure portal or referenced from Azure Key Vault, which also takes care of rotation.
IP filtering
Restrict access to the gateway by caller IP address. The policy is named ip-filter; it takes single addresses and explicit from/to ranges rather than CIDR notation, and with action="allow" every caller not listed is rejected. The address compared is the source address of the connection to the gateway, so if a proxy, load balancer or CDN sits in front of APIM the rule sees that hop's address, not the end client's.
<ip-filter action="allow">
    <!-- 203.0.113.0/24 expressed as the endpoints the policy expects -->
    <address-range from="203.0.113.0" to="203.0.113.255" />
    <address>198.51.100.23</address>
</ip-filter>
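As an added example (not from this page and not APIM's own tooling), the Python snippet below evaluates an allow list written in CIDR or bare-address form against a caller address and emits the equivalent ip-filter fragment, converting each CIDR block into the from/to endpoints the policy expects. The allow list uses the page's documentation addresses; the function names are mine.

```python
import ipaddress

# Constructed allow list in CIDR/bare-address notation: one block plus one host.
DEMO_ALLOWLIST = ["203.0.113.0/24", "198.51.100.23"]


def parse_allowlist(entries):
    """Accept CIDR blocks or bare addresses, IPv4 or IPv6; strict=False tolerates host bits set in a CIDR."""
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in entries]


def is_allowed(caller_ip, entries):
    """True when the caller falls inside any listed network; raises ValueError on a malformed address.
    Address-family mismatches (an IPv6 caller against IPv4 rules) simply do not match."""
    ip = ipaddress.ip_address(caller_ip)
    return any(ip in net for net in parse_allowlist(entries))


def to_ip_filter_policy(entries, action="allow"):
    """Render APIM's ip-filter element: single hosts become <address>, blocks become
    <address-range from to>, because the policy takes explicit endpoints rather than CIDR."""
    lines = [f'<ip-filter action="{action}">']
    for net in parse_allowlist(entries):
        if net.num_addresses == 1:
            lines.append(f"    <address>{net.network_address}</address>")
        else:
            lines.append(f'    <address-range from="{net.network_address}" to="{net.broadcast_address}" />')
    lines.append("</ip-filter>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_ip_filter_policy(DEMO_ALLOWLIST))
    for ip in ("203.0.113.77", "198.51.100.23", "198.51.100.24", "2001:db8::1"):
        print(ip, "allowed" if is_allowed(ip, DEMO_ALLOWLIST) else "blocked")
```

Keeping the source of truth in CIDR form and generating the policy from it avoids hand-computed range endpoints, which is where off-by-one errors (a /24 ending at .254, or at .0 of the next block) creep into allow lists.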
Cross‑origin resource sharing (CORS)
Allow browsers on specific web origins to call the API via the built-in policy. CORS is enforced by the browser and only governs cross-origin requests made from web pages; it does not restrict non-browser clients, so it complements rather than replaces authentication. List explicit origins instead of *, particularly when allow-credentials="true" is set, since a wildcard with credentials lets any site drive authenticated calls.
<cors>
<allowed-origins>
<origin>https://myapp.com</origin>
</allowed-origins>
<allowed-methods>
<method>GET</method>
<method>POST</method>
</allowed-methods>
<allowed-headers>
<header>content-type</header>
<header>authorization</header>
</allowed-headers>
</cors>
Security policies reference
| Policy | Description | Section |
|---|---|---|
| validate-jwt | Validates a JWT's signature, expiry, audience and claims against configured signing keys or an OpenID Connect configuration. | Inbound |
| check-header | Requires a header to be present with one of the expected values. | Inbound |
| ip-filter | Allows or forbids calls based on the source IP address or address range. | Inbound |
| cors | Answers preflight requests and adds CORS headers for the listed origins. | Inbound |
| send-request | Calls an external service, for example to introspect a token or consult an authorization service. | Inbound, outbound, backend, on-error |
Best practices
- Enforce TLS 1.2 or higher for both client and backend connections, and disable plain HTTP per API.
- Use managed identities for gateway-to-backend calls so that no backend credential has to be stored in a policy or named value.
- Validate JWTs at the gateway so unauthenticated traffic never reaches a backend; backends should still confirm the request came through the gateway (network isolation, mutual TLS or a gateway-injected secret) rather than trusting any caller.
- Implement least privilege by checking scopes or roles per operation in required-claims, and by using products and subscriptions to limit which APIs a given key can reach.
- Log security-related events (failed token validations, blocked IPs, rejected headers) to Azure Monitor and alert on them.