Securely publishing API in Azure

Question

Securely publishing API in Azure

EnterpriseArchitect 6,161

What are the security best practice patterns I can use to publish multiple APIs through Azure APIM https://azure.microsoft.com/en-au/products/api-management ?

Shall I put it behind WAF https://azure.microsoft.com/en-us/products/web-application-firewall or Application Gateway https://learn.microsoft.com/en-us/azure/application-gateway/overview ?

Thank you.

EnterpriseArchitect 6,161 Reputation points

2025-08-04T13:16:08.1333333+00:00
Hi @Anurag Rohikar ,
Thank you, for the update, yes,

Are the APIs publicly exposed to the Internet, or are they for internal use? Publicly Exposed.

Do you require load balancing and routing features at a global or regional scale? Load Balancing where possible.

Are there specific compliance standards (e.g., PCI DSS, HIPAA) that you need to adhere to? PCI/DSS
Anurag Rohikar 205 Reputation points Microsoft External Staff Moderator

2025-08-05T05:05:07.2633333+00:00
Hello EnterpriseArchitect, thank you for confirming your requirements. Given that your APIs are publicly exposed, require load balancing, and must comply with PCI DSS standards, both of the primary security architecture patterns in Azure are excellent choices.

The decision between them depends on whether your APIs are intended for a regional or a global audience.

Option 1: Regional Secure Architecture (Azure Application Gateway)

This is the recommended pattern if your primary need is for a regional deployment with maximum network isolation.

Architecture: Place an Azure Application Gateway with WAF enabled in front of your Azure API Management instance, which is deployed in an internal VNet mode.

Key Benefits:

Defense-in-Depth: Provides multiple layers of security, with WAF protection at the edge and API Management isolated within your virtual network.

PCI DSS Compliance: The WAF component is crucial for meeting PCI DSS requirements, and VNet isolation adds another layer of control.

Regional Load Balancing: Offers Layer 7 load balancing for services within a single region.

Option 2: Global Secure Architecture (Azure Front Door)

This is the recommended pattern if your primary need is for a globally distributed service with edge security.

Architecture: Place Azure Front Door with WAF enabled in front of your Azure API Management instance, which can be deployed in external mode.

Key Benefits:

Global Scalability: Provides global load balancing and intelligent routing to the closest endpoint for your customers, reducing latency.

Edge Protection: WAF protection is applied at the network edge, blocking malicious traffic close to its source.

Performance: Includes a built-in CDN for caching API responses, which improves performance for global users.

PCI DSS Compliance: Front Door's WAF is also a valid tool for meeting PCI DSS requirements.

Both patterns will fully satisfy your security, compliance, and load-balancing needs.
Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others. Thank you!

Accepted answer

0 additional answers

Your answer

EnterpriseArchitect 6,161 Reputation points

2025-08-04T13:16:08.1333333+00:00

Hi @Anurag Rohikar ,
Thank you, for the update, yes,

Are the APIs publicly exposed to the Internet, or are they for internal use? Publicly Exposed.

Do you require load balancing and routing features at a global or regional scale? Load Balancing where possible.

Are there specific compliance standards (e.g., PCI DSS, HIPAA) that you need to adhere to? PCI/DSS

Answer 1

Hello EnterpriseArchitect, Thanks for reaching out on Microsoft Q&A and really appreciate your patience while we looked into this.

For comprehensive perimeter protection against Layer 7 attacks (e.g., SQL Injection, Cross-Site Scripting), the recommended best practice is to place your APIM instance behind an Azure Application Gateway with Web Application Firewall (WAF) enabled. This approach creates a layered defense-in-depth, ensuring that malicious traffic is inspected and blocked before it can reach your API endpoints.

While APIM provides built-in security features like authentication (OAuth 2.0, JWT validation), rate limiting, and IP filtering, the WAF adds a critical, dedicated layer for web application security.

Recommended Architecture

The most secure and common pattern is:

Azure Application Gateway (with WAF enabled): Acts as the public-facing entry point, terminating SSL/TLS traffic and applying WAF rules.
Azure API Management: Deployed in internal VNet mode, making it inaccessible from the public internet. It receives clean traffic from the Application Gateway and applies API-specific policies.
Backend APIs: The final destination for traffic, often also deployed in a secure VNet.

Alternatively, if you require global-scale load balancing and WAF protection, you can use Azure Front Door instead of Application Gateway.

Documentation for reference:

Secure Azure API Management using Application Gateway with WAF: This article provides the detailed "how-to" guide for integrating APIM in an internal VNet with an Application Gateway.
Architectural best practice to protect APIs with Azure Application Gateway and WAF: This article provides a high-level overview of the recommended architecture.
Azure Application Gateway WAF Overview: Provides an overview of the WAF capabilities within Application Gateway.
Azure security baseline for API Management: The official security baseline for APIM recommends deploying it behind a reverse proxy like Application Gateway for enhanced protection.

For a solution that best suits your requirements, may I ask you to confirm the following details?

Are the APIs publicly exposed to the Internet, or are they for internal use?
Do you require load balancing and routing features at a global or regional scale?
Are there specific compliance standards (e.g., PCI DSS, HIPAA) that you need to adhere to?

Looking forward to your response to assist you further. Thank You!

Anurag Rohikar 205 Reputation points Microsoft External Staff Moderator

2025-08-05T11:42:08.0233333+00:00

Hello EnterpriseArchitect, I have converted the comment to answer. Could you please click on "Accept the answer” this can be beneficial to other community members.it would be greatly appreciated and helpful to others. Thank you!
EnterpriseArchitect 6,161 Reputation points

2025-08-05T12:32:06.63+00:00

Thank you @Anonymous .

Share via

Securely publishing API in Azure

0 additional answers

Your answer