Application Gateway in front of API Management

PK 45 Reputation points
2025-01-23T04:49:38.73+00:00

Hey Guys,

We have API Management.

https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/api-management-security-baseline

Microsoft's security baseline states to have WAF as part of Network Security with Application Gateway. What would the WAF do with the APIs?

WAF is primarily designed for web application firewall. API requests are entirely different and I see that WAF won't be of much use in this case.

In API Management - we can configure IP filtering, throttling etc. I do not see a benefit of having Application Gateway in front of API Management.

Please advise.

Thanks!


Accepted answer
  1. Praveen Bandaru 235 Reputation points Microsoft Vendor
    2025-01-23T08:56:47.2466667+00:00

    Hello Prasenna Kannan
    Greetings!

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand your concerns about the necessity of having an Application Gateway with a Web Application Firewall (WAF) in front of API Management.

    Here are some insights that might help clarify the benefits:

    1. Enhanced Security: An Application Gateway with WAF provides an additional layer of security by inspecting incoming traffic and blocking malicious requests before they reach your API Management. This includes protection against common web vulnerabilities such as SQL injection, cross-site scripting (XSS), and other OWASP top 10 threats.
    2. SSL Termination: The Application Gateway can handle SSL termination, offloading the SSL decryption work from your backend servers, thus improving the performance of your API Management by reducing its load.
    3. Load Balancing: It offers advanced load balancing capabilities, ensuring efficient traffic distribution across multiple instances of your API Management service, which helps maintain high availability and reliability.
    4. Centralized Management: Placing an Application Gateway in front of API Management allows for centralized management of security policies, routing rules, and SSL certificates, simplifying the overall architecture and easing management.
    5. Traffic Filtering and Routing: The Application Gateway can restrict traffic source locations and ensure that only legitimate requests reach your API Management. It supports flexible routing rules, beneficial for managing complex web applications.
    6. Protection Against DDoS Attacks: It helps mitigate Distributed Denial of Service (DDoS) attacks by filtering out malicious traffic before it reaches your API Management.
    7. Seamless Integration: The Application Gateway integrates seamlessly with API Management, allowing selective exposure of external APIs while keeping others internal, adding an extra layer of protection and security.

    Kindly check the below reference doc: https://learn.microsoft.com/en-us/answers/questions/2108669/azure-api-management-application-gateway

    Application Gateway allows you to expose specific APIs to external consumers while keeping others internal, offering better control over API access.

    Single Front End: You can use a single APIM instance for both internal and external consumers, simplifying management and reducing costs.

    If all your APIs are in APIM, consider the Premium Tier, which supports deployment to multiple regions and is fronted by Azure Traffic Manager.

    If your APIs are a mix of APIM, Functions, App Services, VMs, etc., Azure Front Door is a suitable option. For APIs deployed inside a VNET, Azure Application Gateway is required.

    You can read more about the various load-balancing services offered by Azure in this official doc.

    Check the below screen shot for more understanding:

    [screenshot not included in this extract]

    Kindly check the reference doc: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/api-management-security-baseline#ns-6-deploy-web-application-firewall

    If you choose not to utilize the Web Application Firewall, you can opt for the Application Gateway Standard V2 SKU solely for routing and load balancing purposes.


    If above is unclear and/or you are unsure about something add a comment below. Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    Regards

    Praveen

    1 person found this answer helpful.

1 additional answer

  1. Konstantinos Bellis 6 Reputation points
    2025-01-23T14:27:59.8433333+00:00

    Hey, I have used APIM injected into a VNet, so in that scenario AG is the means to control access to it.

    Although all the settings in APIM can provide security, traffic is still going out in the public and directly to your APIM. If you want to protect it, you VNet-inject it and use an AG. You can, for example, have a managed PP environment injected on the same VNet so as to completely isolate traffic and provide controllable access to a third-party endpoint through AG. If you like that use case, please accept my answer.

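The two answers above make the same practical point from different angles: the accepted answer lists what the WAF and the gateway's source filtering add, and the second answer notes that an APIM instance that is still publicly reachable can simply be called directly, bypassing the gateway. The Bicep below is an added example (it is not code from the thread or from Microsoft's docs) that puts the two halves together: a WAF policy in Prevention mode with the OWASP Core Rule Set, which inspects request bodies and so applies to JSON API calls and not only HTML forms, plus an APIM global inbound policy that refuses anything that did not come through the gateway. It assumes an existing APIM instance named by `apimName` that is VNet-injected, an Application Gateway (WAF_v2 SKU) whose subnet is 10.0.1.0/24, and a hypothetical shared header `X-Gateway-Token` that the gateway adds with a rewrite rule; the resource names, the country list and the subnet range are placeholders to adapt.

```bicep
// Added example, not from the Q&A thread. Assumes an existing, VNet-injected
// APIM instance (apimName) and an Application Gateway in subnet 10.0.1.0/24.
param location string = resourceGroup().location
param apimName string

@secure()
param gatewaySharedToken string   // value the gateway's rewrite rule puts in X-Gateway-Token

// --- 1. WAF policy to attach to the Application Gateway (firewallPolicy.id) ---
// OWASP CRS 3.2 inspects headers, query strings and request bodies, so injection
// payloads inside JSON API calls are matched as well. Prevention blocks;
// Detection would only log to the WAF diagnostics.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'apim-waf-policy'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
      requestBodyCheck: true        // without this, bodies are never inspected
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 10
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
    }
    customRules: [
      {
        // Placeholder geo rule: block sources that do NOT geolocate to the listed
        // countries. Custom rules are evaluated before the managed rule set.
        name: 'AllowListedCountriesOnly'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [ { variableName: 'RemoteAddr' } ]
            operator: 'GeoMatch'
            negationConditon: true  // spelled this way in the ARM schema
            matchValues: [ 'US', 'DE' ]
          }
        ]
      }
    ]
  }
}

// --- 2. APIM side: accept traffic only from the gateway ---
// Without this (or internal-mode VNet injection), the APIM hostname stays
// reachable from the internet and the WAF is bypassable.
resource apim 'Microsoft.ApiManagement/service@2022-08-01' existing = {
  name: apimName
}

// Secret named value referenced as {{gateway-shared-token}} in the policy XML.
resource gatewayToken 'Microsoft.ApiManagement/service/namedValues@2022-08-01' = {
  name: 'gateway-shared-token'
  parent: apim
  properties: {
    displayName: 'gateway-shared-token'
    secret: true
    value: gatewaySharedToken
  }
}

// Global (all APIs) policy. There is no <base /> at this scope, so the backend
// section needs an explicit <forward-request />.
resource apimGlobalPolicy 'Microsoft.ApiManagement/service/policies@2022-08-01' = {
  name: 'policy'
  parent: apim
  dependsOn: [ gatewayToken ]
  properties: {
    format: 'xml'
    value: '''
<policies>
  <inbound>
    <!-- Source must be the Application Gateway subnet (10.0.1.0/24, assumed) -->
    <ip-filter action="allow">
      <address-range from="10.0.1.0" to="10.0.1.255" />
    </ip-filter>
    <!-- Second factor: the hypothetical header the gateway's rewrite rule adds -->
    <check-header name="X-Gateway-Token" failed-check-httpcode="403"
                  failed-check-error-message="direct access denied" ignore-case="true">
      <value>{{gateway-shared-token}}</value>
    </check-header>
  </inbound>
  <backend>
    <forward-request />
  </backend>
  <outbound />
  <on-error />
</policies>
'''
  }
}
```

Attach `wafPolicy` to the gateway through its `firewallPolicy: { id: wafPolicy.id }` property and add a rewrite rule set on the routing rule that sets `X-Gateway-Token` to the same secret. The `ip-filter` alone is enough when APIM is VNet-injected in internal mode, because then the gateway's private instance addresses are the only path in; the header check is the belt-and-braces control for the case where APIM keeps a public endpoint and you want a failed deployment of the filter to fail closed rather than open.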
