Enable Built-In Response Caching

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: APIManagement-001

Ensure that built-in response caching is enabled for Microsoft Azure API Management APIs in order to reduce latency for API callers and backend load for API providers. To enable response caching, a set of caching policies must be configured at the API level.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Performance efficiency

Enabling built-in response caching in Azure API Management enhances performance by reducing bandwidth and processing demands on the backend server. This results in lower latency for API consumers, optimizing overall system efficiency and delivering faster responses.


Audit

To determine if response caching is enabled for your Azure API Management APIs, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the main navigation panel, under APIs, select APIs to access the list of the APIs managed by the selected service.

07 Select the API that you want to examine, listed under All APIs.

08 Choose the Design tab, select All operations from the API menu, and check the Policies section for both Inbound processing and Outbound processing to determine the built-in policies configured for the selected resource. If the cache-lookup policy is not listed in the Inbound processing box and the cache-store policy is not available in the Outbound processing box, the built-in policies required for implementing response caching are not configured for the API, therefore built-in response caching is not enabled for the selected Azure API Management API.

09 Repeat steps no. 7 and 8 for each API managed by the selected Azure API Management service.

10 Repeat steps no. 5 - 9 for each Azure API Management service available within the current Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run apim list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure API Management service instance available in the current subscription:

az apim list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Azure API Management service names:

Name                           ResourceGroup
----------------------         ------------------------------
cc-main-api-service-instance   cloud-shell-storage-westeurope
cc-project5-service-instance   cloud-shell-storage-westeurope

03 Run apim api list command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to describe the name of each API managed by the selected service:

az apim api list \
  --service-name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --query '[].name'

04 The command output should return the requested Azure API Management API names:

[
	"cc-worker-api",
	"cc-filter-api"
]

05 Run Get-AzApiManagementPolicy PowerShell command (cmdlet) to describe the policies defined at the API level for the selected Azure API Management API:

# Get the service instance name and associated resource group
$apimServiceInstance = New-AzApiManagementContext -ResourceGroupName "cloud-shell-storage-westeurope" -ServiceName "cc-main-api-service-instance"

# Get the policies defined for the selected API
Get-AzApiManagementPolicy -Context $apimServiceInstance -ApiId "cc-worker-api"

06 The command output should return the policies configured for the selected API resource:

<!--
	IMPORTANT:
	- Policy elements can appear only within the <inbound>, <outbound>, <backend> section elements.
	- To apply a policy to the incoming request (before it is forwarded to the backend service), place a corresponding policy element within the <inbound> section element.
	- To apply a policy to the outgoing response (before it is sent back to the caller), place a corresponding policy element within the <outbound> section element.
	- To add a policy, place the cursor at the desired insertion point and select a policy from the sidebar.
	- To remove a policy, delete the corresponding policy statement from the policy document.
	- Position the <base> element within a section element to inherit all policies from the corresponding section element in the enclosing scope.
	- Remove the <base> element to prevent inheriting policies from the corresponding section element in the enclosing scope.
	- Policies are applied in the order of their appearance, from the top down.
	- Comments within policy elements are not supported and may disappear. Place your comments between policy elements or at a higher level scope.
-->
<policies>
	<inbound>
			<base />
			<ip-filter action="allow">
					<address>10.0.0.15</address>
			</ip-filter>
	</inbound>
	<backend>
			<base />
	</backend>
	<outbound>
			<base />
	</outbound>
	<on-error>
			<base />
	</on-error>
</policies>

Check the <policies></policies> element returned by the Get-AzApiManagementPolicy command output to determine the policies configured for the selected API. For response caching to be enabled, the <inbound></inbound> element must contain a cache-lookup policy (e.g. <cache-lookup vary-by-developer="false" vary-by-developer-groups="false" allow-private-response-caching="false" must-revalidate="false" downstream-caching-type="none" />) and the <outbound></outbound> element must contain the cache-store policy (e.g. <cache-store duration="3600" />). The cache-lookup policy is used to perform cache lookup and return a valid cached response when available and the cache-store policy caches responses according to the specified cache settings. If the cache-lookup and cache-store policies are not included in the Get-AzApiManagementPolicy command output, built-in response caching is not enabled for the selected Azure API Management API.

07 Repeat steps no. 5 and 6 for each API managed by the selected Azure API Management service.

08 Repeat steps no. 3 - 7 for each Azure API Management service available within the current Azure subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.
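
The check described in step 06 can be scripted. The following is an added example, not part of the original rule page or of any Trend Micro or Microsoft tooling; the function name Test-ApimResponseCaching and the sample policy documents are hypothetical and constructed for illustration.

```powershell
# Added example: classify one API-scope policy document for rule APIManagement-001.
function Test-ApimResponseCaching {
    param([Parameter(Mandatory)][string]$PolicyXml)
    try {
        $doc = [xml]$PolicyXml
    } catch {
        # Text that is not well-formed XML is reported, not guessed at.
        return [pscustomobject]@{ Lookup = $null; Store = $null; Compliant = $false; Note = 'unparseable' }
    }
    # '//' also matches policies nested in <choose>/<when> inside the section.
    $lookup = $doc.SelectNodes('/policies/inbound//cache-lookup').Count -gt 0
    $store  = $doc.SelectNodes('/policies/outbound//cache-store').Count -gt 0
    [pscustomobject]@{ Lookup = $lookup; Store = $store; Compliant = ($lookup -and $store); Note = 'parsed' }
}

# Constructed sample policies (not taken from a live service).
$samples = [ordered]@{
    'no-caching' = @'
<policies>
  <inbound><base /><ip-filter action="allow"><address>10.0.0.15</address></ip-filter></inbound>
  <outbound><base /></outbound>
</policies>
'@
    'lookup-only' = @'
<policies>
  <inbound><base /><cache-lookup vary-by-developer="false" vary-by-developer-groups="false" /></inbound>
  <outbound><base /></outbound>
</policies>
'@
    'caching-enabled' = @'
<policies>
  <inbound><base /><cache-lookup vary-by-developer="false" vary-by-developer-groups="false" /></inbound>
  <outbound><base /><cache-store duration="3600" /></outbound>
</policies>
'@
}

foreach ($name in $samples.Keys) {
    $r = Test-ApimResponseCaching -PolicyXml $samples[$name]
    '{0,-16} lookup={1} store={2} compliant={3}' -f $name, $r.Lookup, $r.Store, $r.Compliant
}

# Against a live service (needs Az.ApiManagement and a signed-in session):
# $ctx = New-AzApiManagementContext -ResourceGroupName '<resource-group>' -ServiceName '<service-name>'
# Get-AzApiManagementApi -Context $ctx | ForEach-Object {
#     Test-ApimResponseCaching -PolicyXml (Get-AzApiManagementPolicy -Context $ctx -ApiId $_.ApiId)
# }
```

Only the API-level document is inspected, as in the steps above; policies inherited through <base /> from an enclosing scope are not evaluated.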

Remediation / Resolution

To enable built-in response caching for your Azure API Management APIs, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to access.

06 In the main navigation panel, under APIs, select APIs to access the list of APIs managed by the selected service.

07 Select the API that you want to configure, listed under All APIs.

08 Select the Design tab and choose All operations from the API menu, to apply the policy to all operations.

09 Choose + Add policy from the Inbound processing box, select Cache responses (cache-lookup/store) built-in policy and set the preferred cache duration in the Duration (in seconds) box. (Optional) To access all the attributes supported by the caching policy, choose Full and configure the advanced attributes and elements based on your application requirements. Choose Save to apply the changes. Azure API Management automatically adds the cache-lookup policy to the list of Inbound processing policies and the cache-store policy to the list of Outbound processing policies. To ensure that response caching is enabled for your API, the cache-lookup and cache-store policies must be available in the Policies section for both inbound and outbound operations.

10 Repeat steps no. 7 - 9 for each API managed by the selected Azure API Management service.

11 Repeat steps no. 5 - 10 for each Azure API Management service available within the current Azure subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Define the cache-lookup and cache-store policies required to enable response caching for your Azure API Management API and save the policies to an XML document named api-policies.xml. If your API contains other policies, add them to the api-policies.xml file as well. The following example contains only the cache-lookup and cache-store policies:

<policies>
	<inbound>
			<base />
			<cache-lookup vary-by-developer="false" vary-by-developer-groups="false" allow-private-response-caching="false" must-revalidate="false" downstream-caching-type="none" />
	</inbound>
	<backend>
			<base />
	</backend>
	<outbound>
			<base />
			<cache-store duration="3600" />
	</outbound>
	<on-error>
			<base />
	</on-error>
</policies>

02 Run Set-AzApiManagementPolicy PowerShell command (cmdlet) to apply the policies defined at the previous step in order to enable built-in response caching for the selected Azure API Management API (the command does not produce an output):

# Get the service instance name and associated resource group
$apimServiceInstance = New-AzApiManagementContext -ResourceGroupName "cloud-shell-storage-westeurope" -ServiceName "cc-main-api-service-instance"

# Set the built-in response caching policies for the selected API using the api-policies.xml file
Set-AzApiManagementPolicy -Context $apimServiceInstance -ApiId "cc-worker-api" -PolicyFilePath "api-policies.xml"

03 Run Get-AzApiManagementPolicy PowerShell command (cmdlet) to describe the built-in policies configured for the selected API at the previous step:

# Get the service instance name and associated resource group
$apimServiceInstance = New-AzApiManagementContext -ResourceGroupName "cloud-shell-storage-westeurope" -ServiceName "cc-main-api-service-instance"

# Get the policies defined for the selected API
Get-AzApiManagementPolicy -Context $apimServiceInstance -ApiId "cc-worker-api"

04 The command output should return the response caching policies defined for the selected API:

<policies>
	<inbound>
			<base />
			<cache-lookup vary-by-developer="false" vary-by-developer-groups="false" allow-private-response-caching="false" must-revalidate="false" downstream-caching-type="none" />
	</inbound>
	<backend>
			<base />
	</backend>
	<outbound>
			<base />
			<cache-store duration="3600" />
	</outbound>
	<on-error>
			<base />
	</on-error>
</policies>

05 Repeat steps no. 3 and 4 for each API managed by the selected Azure API Management service.

06 Repeat steps no. 3 - 5 for each Azure API Management service available within the current Azure subscription.

07 Repeat steps no. 1 – 6 for each subscription created in your Microsoft Azure cloud account.
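
Step 01 asks that any policies the API already has be carried into api-policies.xml. The following added example (not part of the original rule page; the function name Add-ApimCachingPolicy and the input document are hypothetical) builds that file from an existing policy document instead of retyping it, so that policies such as ip-filter are preserved.

```powershell
# Added example: merge the caching policies into an existing API policy document.
function Add-ApimCachingPolicy {
    param(
        [Parameter(Mandatory)][string]$PolicyXml,
        [int]$DurationSeconds = 3600
    )
    $doc      = [xml]$PolicyXml
    $inbound  = $doc.SelectSingleNode('/policies/inbound')
    $outbound = $doc.SelectSingleNode('/policies/outbound')
    if ($null -eq $inbound -or $null -eq $outbound) {
        throw 'Policy document lacks an <inbound> or <outbound> section.'
    }
    if ($null -eq $inbound.SelectSingleNode('.//cache-lookup')) {
        $lookup = $doc.CreateElement('cache-lookup')
        # Attribute values copied from the page's api-policies.xml example.
        $attrs = [ordered]@{
            'vary-by-developer'              = 'false'
            'vary-by-developer-groups'       = 'false'
            'allow-private-response-caching' = 'false'
            'must-revalidate'                = 'false'
            'downstream-caching-type'        = 'none'
        }
        foreach ($k in $attrs.Keys) { $lookup.SetAttribute($k, $attrs[$k]) }
        # Appended last: policies run top-down, so existing inbound policies
        # (here the ip-filter) are still evaluated before the cache lookup.
        [void]$inbound.AppendChild($lookup)
    }
    if ($null -eq $outbound.SelectSingleNode('.//cache-store')) {
        $store = $doc.CreateElement('cache-store')
        $store.SetAttribute('duration', [string]$DurationSeconds)
        [void]$outbound.AppendChild($store)
    }
    $doc.OuterXml
}

# Constructed input: an API policy that already carries an ip-filter.
$existing = @'
<policies>
  <inbound><base /><ip-filter action="allow"><address>10.0.0.15</address></ip-filter></inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
'@

# Write the merged document to the file name used in step 01.
Add-ApimCachingPolicy -PolicyXml $existing | Set-Content -Path 'api-policies.xml'
Get-Content -Path 'api-policies.xml'
```

The function is idempotent: a document that already contains cache-lookup and cache-store is returned without duplicate elements.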

Publication date Dec 26, 2023