Disable Public Network Access to API Management Services with Private Endpoints

Risk Level: High (not acceptable risk)

Rule ID: APIManagement-008

Azure API Management services configured with a private endpoint should not be publicly accessible in order to enhance security by ensuring that the API service instance is only accessible from within your private network, over Azure Private Link, limiting exposure to potential external threats and unauthorized access.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When an Azure API Management service instance configured with a private endpoint is publicly accessible, it opens up the backend services to the public Internet, increasing the risk of unauthorized access, potential security breaches, and compliance violations. Therefore, it is vital to restrict access to these instances solely within the private network to maintain the security and integrity of the backend infrastructure.

Audit

To determine if the Azure API Management services configured with a private endpoint are publicly exposed, perform the following actions:

To determine whether Azure API Management services with private endpoints are accessible to the public Internet, using Azure Portal, is not currently supported.

Using Azure CLI

01 Run apim list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure API Management service instance available in the current subscription:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

az apim list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Azure API Management service names:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

Name                           ResourceGroup
----------------------         ------------------------------
cc-main-api-service-instance   cloud-shell-storage-westeurope
cc-project5-service-instance   cloud-shell-storage-westeurope

03 Run apim show command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to determine if the selected service instance is configured with a private endpoint:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

az apim show
  --name cc-main-api-service-instance
  --resource-group cloud-shell-storage-westeurope
  --output yaml
  --query 'privateEndpointConnections'

04 The command output should return the information available for the configured private endoint(s), important information such endpoint identifier, resource provisioning state, and Private Link service status. If the apim show command does not produce an output, the service instance is not configured with a private endpoint. If the apim show command returns an output, as shown in the example above, the API service has a private endpoint, therefore you can continue the Audit process with the next step:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

- groupIds:
	- Gateway
	id: /subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ApiManagement/service/cc-main-api-service-instance/privateEndpointConnections/cc-api-service-private-endpoint
	name: cc-api-service-private-endpoint
	privateEndpoint:
		id: /subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-api-service-private-endpoint
		resourceGroup: cloud-shell-storage-westeurope
	privateLinkServiceConnectionState:
		actionsRequired: null
		description: ''
		status: Approved
	provisioningState: Succeeded
	resourceGroup: cloud-shell-storage-westeurope
	type: Microsoft.ApiManagement/service/privateEndpointConnections

05 Run apim show command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine as the identifier parameter to determine if the selected service instance, configured with a private endpoint, is exposed to the public Internet:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

az apim show
  --name cc-main-api-service-instance
  --resource-group cloud-shell-storage-westeurope
  --query 'publicNetworkAccess'

06 The command output should return the "publicNetworkAccess" configuration attribute value:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

"Enabled"

If the publicNetworkAccess value is set to "Enabled", as shown in the example above, public network access is enabled for the selected Azure API Management service, therefore the service instance is publicly accessible.

07 Repeat steps no. 3 - 6 for each Azure API Management service available within the current Azure subscription.

08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To disable public network access to API Management services configured with private endpoints, perform the following actions:

Disabling public network access to API Management service instances via Azure Portal is not currently supported.

Using Azure CLI

01 Run apim update command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to configure and its associated resource group as the identifier parameters to disable public network access for the selected service instance by setting the --public-network-access parameter to false. The changes can take from 15 to 45 minutes to apply. Once the public network access is disabled, the private endpoint is the exclusive access method:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

az apim update
  --name cc-main-api-service-instance
  --resource-group cloud-shell-storage-westeurope
  --public-network-access false

02 The command output should return the new configuration details for the service instance:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

{
	"additionalLocations": null,
	"apiVersionConstraint": {
		"minApiVersion": null
	},
	"certificates": null,
	"createdAtUtc": "2023-11-11T09:05:29.087014+00:00",
	"customProperties": {
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "true",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "false",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "false",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "false",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls13": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "false",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "false",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "false",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "false",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls13": "False"
	},
	"developerPortalUrl": "https://cc-main-api-service-instance.developer.azure-api.net",
	"disableGateway": false,
	"enableClientCertificate": null,
	"gatewayRegionalUrl": "https://cc-main-api-service-instance-westeurope-01.regional.azure-api.net",
	"gatewayUrl": "https://cc-main-api-service-instance.azure-api.net",
	"hostnameConfigurations": [
		{
			"certificate": null,
			"certificatePassword": null,
			"certificateSource": "BuiltIn",
			"certificateStatus": null,
			"defaultSslBinding": true,
			"encodedCertificate": null,
			"hostName": "cc-main-api-service-instance.azure-api.net",
			"identityClientId": null,
			"keyVaultId": null,
			"negotiateClientCertificate": false,
			"type": "Proxy"
		}
	],
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ApiManagement/service/cc-main-api-service-instance",
	"identity": null,
	"location": "West Europe",
	"managementApiUrl": "https://cc-main-api-service-instance.management.azure-api.net",
	"name": "cc-main-api-service-instance",
	"natGatewayState": "Unsupported",
	"notificationSenderEmail": "apimgmt-noreply@mail.windowsazure.com",
	"outboundPublicIpAddresses": [
		"xxx.xxx.xxx.xxx"
	],
	"platformVersion": "stv2",
	"portalUrl": "https://cc-main-api-service-instance.portal.azure-api.net",
	"privateEndpointConnections": [
		{
			"groupIds": [
				"Gateway"
			],
			"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ApiManagement/service/cc-main-api-service-instance/privateEndpointConnections/cc-api-service-private-endpoint",
			"name": "cc-api-service-private-endpoint",
			"privateEndpoint": {
				"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/cc-api-service-private-endpoint",
				"resourceGroup": "cloud-shell-storage-westeurope"
			},
			"privateLinkServiceConnectionState": {
				"actionsRequired": null,
				"description": "",
				"status": "Approved"
			},
			"provisioningState": "Succeeded",
			"resourceGroup": "cloud-shell-storage-westeurope",
			"type": "Microsoft.ApiManagement/service/privateEndpointConnections"
		}
	],
	"privateIpAddresses": null,
	"provisioningState": "Succeeded",
	"publicIpAddressId": null,
	"publicIpAddresses": [
		"xxx.xxx.xxx.xxx"
	],
	"publicNetworkAccess": "Disabled",
	"publisherEmail": "user@domain.com",
	"publisherName": "TrendMicro",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"restore": null,
	"scmUrl": "https://cc-main-api-service-instance.scm.azure-api.net",
	"sku": {
		"capacity": 1,
		"name": "Developer"
	},
	"systemData": {
		"createdAt": "2023-11-11T08:05:29.046481+00:00",
		"createdBy": "user@domain.com",
		"createdByType": "User",
		"lastModifiedAt": "2023-11-11T17:09:51.844507+00:00",
		"lastModifiedBy": "user@domain.com",
		"lastModifiedByType": "User"
	},
	"tags": {},
	"targetProvisioningState": "",
	"type": "Microsoft.ApiManagement/service",
	"virtualNetworkConfiguration": null,
	"virtualNetworkType": "None",
	"zones": null
}

03 Repeat steps no. 1 and 2 for each Azure API Management service that you want to configure, available within the current subscription.

04 Repeat steps no. 1 - 3 for each subscription created in your Microsoft Azure cloud account.

References

Azure Official Documentation
Use a virtual network to secure inbound and outbound traffic for Azure API Management
Connect privately to API Management using an inbound private endpoint
PrivateLinkServiceConnectionState
Private Link

Azure CLI Documentation
az apim list
az apim show
az apim update

Publication date Dec 26, 2023

Audit

Using Azure CLI

Remediation / Resolution

Using Azure CLI

References

Related APIManagement rules