Securing Web API and ASP.NET in Azure

  • Question

  • User1325343359 posted

    Hi forum,

    I want to build an ASP.NET MVC application that calls a WebApi to manage data. Both applications should be hosted in Azure.

    Is it somehow possible to secure the access to WebAPI controllers with the service account that executes the ASP.NET application?

    I want to eliminate every possibility that some person with some authentication token can make a REST call to tamper with the WebAPI.

    Many thanks in advance!

    regards,

    xxxcoderxxx

    Wednesday, July 27, 2016 9:17 AM

All replies

  • User-491950272 posted

    Greetings,

    You have 2 applications (the first is ASP.NET MVC and the second is Web API). If you secure your API(s) in your development process (depending upon the method that you have chosen), then it will surely be secure in Azure. So make sure that you secure your Web API in your development workflow. You can learn how to secure your web application from here. There are a number of options available from which you can choose.

    Note: You can use Azure API Management also for creating your API(s). You can learn about them from here.

    Thursday, July 28, 2016 9:56 AM
  • User1325343359 posted

    Hi Janshair,

    thanks for your reply, but I am not really understanding what you are trying to say. Maybe I should rephrase my question. Is it possible to create a service account in Azure AD and set the service account as the execution account for the Azure ASP.NET MVC application? And then restrict access to the Azure WebAPI application to exactly this service account? This way it would be 100% secure that only the ASP.NET application has access to the WebAPI.

    Or in other words: I am looking for an Azure mechanism that rejects every external call, but only allows internal Azure calls from a special Azure account. It would be cool if I can restrict this security to certain controllers, but not the whole WebAPI application. But if it's not possible then it's also OK.

    Thursday, July 28, 2016 11:03 AM