
API Management allows unencrypted traffic to backends#

Security · API Management · Rule · 2020_06 · Critical

Unencrypted communication could allow disclosure of information to an untrusted party.

Description#

When API Management connects to a backend API it can use HTTP or HTTPS. Over HTTP, request and response content (including any credentials the gateway forwards to the backend) crosses the network between the gateway and the backend in plaintext, where an untrusted party on that path can read or modify it.

Additionally, when configuring backends:

  • Use TLS 1.2 or later for the connection to the backend.
  • Use client certificate authentication so that API Management authenticates itself to the backend, rather than relying on the backend accepting any caller.

Recommendation#

Consider configuring only backend services with HTTPS-based URLs.

Examples#

Configure with Azure template#

To deploy APIs that pass this rule:

  • Set the properties.serviceUrl property to a URL that starts with https://.

For example:

Azure Template snippet
{
    "type": "Microsoft.ApiManagement/service/apis",
    "apiVersion": "2021-08-01",
    "name": "[format('{0}/{1}', parameters('name'), 'echo-v1')]",
    "properties": {
        "displayName": "Echo API",
        "description": "An echo API service.",
        "path": "echo",
        "serviceUrl": "https://echo.contoso.com",
        "protocols": [
            "https"
        ],
        "apiVersion": "v1",
        "apiVersionSetId": "[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]",
        "subscriptionRequired": true
    },
    "dependsOn": [
        "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]",
        "[resourceId('Microsoft.ApiManagement/service/apiVersionSets', parameters('name'), 'echo')]"
    ]
}

To deploy API backends that pass this rule:

  • Set the properties.url property to a URL that starts with https://.

For example:

Azure Template snippet
{
    "type": "Microsoft.ApiManagement/service/backends",
    "apiVersion": "2021-08-01",
    "name": "[format('{0}/{1}', parameters('name'), 'echo')]",
    "properties": {
        "title": "echo",
        "description": "A backend service for the Echo API.",
        "protocol": "http",
        "url": "https://echo.contoso.com"
    },
    "dependsOn": [
        "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]"
    ]
}
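The two steps above (an HTTPS serviceUrl on each API, an HTTPS url on each backend) are easy to verify offline before a template is deployed. The following script is an added example and is not part of PSRule for Azure or of the page's templates: it walks the resources array of an ARM template, classifies every Microsoft.ApiManagement/service/apis serviceUrl and Microsoft.ApiManagement/service/backends url as pass, fail or needs-review, and separately flags backends whose tls block explicitly disables certificate validation. The embedded template, resource names and URLs are constructed for the example.

```python
"""Check an ARM template for API Management APIs and backends that reach
their backend over plain HTTP (the condition this rule reports).

Added example, not PSRule for Azure code: a stand-alone re-implementation of
the check described on this page. SAMPLE_TEMPLATE and all names in it are
constructed for the example.
"""

import json
from urllib.parse import urlsplit

# Resource types that carry a backend URL, and the property that holds it.
# Note that a backend resource's "protocol" property is the backend *kind*
# ("http" or "soap"), not the transport; only the URL scheme matters here.
URL_PROPERTY = {
    "Microsoft.ApiManagement/service/apis": "serviceUrl",
    "Microsoft.ApiManagement/service/backends": "url",
}


def check_url(value):
    """Classify a serviceUrl / url value.

    'pass'   -> scheme is https
    'fail'   -> scheme is http (plaintext to the backend)
    'review' -> value is missing, an ARM expression ("[...]") that cannot be
                evaluated statically, or an unexpected scheme; needs a human
                or a post-deployment check of the resolved value.
    """
    if not isinstance(value, str) or not value:
        return "review"
    if value.startswith("[") and value.endswith("]"):
        return "review"
    scheme = urlsplit(value).scheme.lower()
    if scheme == "https":
        return "pass"
    if scheme == "http":
        return "fail"
    return "review"


def scan_template(template):
    """Return (resource name, property, verdict) for every APIM API or
    backend resource in an already-parsed ARM template."""
    findings = []
    for res in template.get("resources", []):
        prop = URL_PROPERTY.get(res.get("type"))
        if prop is None:
            continue
        value = res.get("properties", {}).get(prop)
        findings.append((res.get("name"), prop, check_url(value)))
    return findings


def backend_tls_warnings(template):
    """Backends whose properties.tls explicitly turns off certificate chain
    or name validation. HTTPS with validation disabled still lets an on-path
    attacker present any certificate; both flags default to true, so only an
    explicit false is reported."""
    warnings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.ApiManagement/service/backends":
            continue
        tls = res.get("properties", {}).get("tls", {})
        for flag in ("validateCertificateChain", "validateCertificateName"):
            if tls.get(flag) is False:
                warnings.append((res.get("name"), flag))
    return warnings


# Constructed sample: one passing and one failing API, one API whose URL is
# a parameter, one HTTPS backend with chain validation disabled, and one
# backend using a plaintext URL written with an upper-case scheme.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.ApiManagement/service/apis", "name": "apim-prod/echo-v1",
     "properties": {"serviceUrl": "https://echo.contoso.com"}},
    {"type": "Microsoft.ApiManagement/service/apis", "name": "apim-prod/legacy-v1",
     "properties": {"serviceUrl": "http://legacy.internal.contoso.com:8080"}},
    {"type": "Microsoft.ApiManagement/service/apis", "name": "apim-prod/param-v1",
     "properties": {"serviceUrl": "[parameters('backendUrl')]"}},
    {"type": "Microsoft.ApiManagement/service/backends", "name": "apim-prod/echo",
     "properties": {"protocol": "http", "url": "https://echo.contoso.com",
                    "tls": {"validateCertificateChain": false}}},
    {"type": "Microsoft.ApiManagement/service/backends", "name": "apim-prod/legacy",
     "properties": {"protocol": "http", "url": "HTTP://legacy.internal.contoso.com"}}
  ]
}
""")


if __name__ == "__main__":
    for name, prop, verdict in scan_template(SAMPLE_TEMPLATE):
        print(f"{verdict:6} {name} ({prop})")
    for name, flag in backend_tls_warnings(SAMPLE_TEMPLATE):
        print(f"warn   {name}: {flag} is disabled")
```

Anything reported as review (a serviceUrl taken from a parameter or variable) is not a pass: the resolved value has to be checked after deployment, for example by inspecting the API in the portal or exporting the deployed resource and running the same scan over it.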

Configure with Bicep#

To deploy APIs that pass this rule:

  • Set the properties.serviceUrl property to a URL that starts with https://.

For example:

Azure Bicep snippet
resource api 'Microsoft.ApiManagement/service/apis@2021-08-01' = {
  parent: service
  name: 'echo-v1'
  properties: {
    displayName: 'Echo API'
    description: 'An echo API service.'
    path: 'echo'
    serviceUrl: 'https://echo.contoso.com'
    protocols: [
      'https'
    ]
    apiVersion: 'v1'
    apiVersionSetId: version.id
    subscriptionRequired: true
  }
}

To deploy API backends that pass this rule:

  • Set the properties.url property to a URL that starts with https://.

For example:

Azure Bicep snippet
resource backend 'Microsoft.ApiManagement/service/backends@2021-08-01' = {
  parent: service
  name: 'echo'
  properties: {
    title: 'echo'
    description: 'A backend service for the Echo API.'
    // 'protocol' is the backend kind (http or soap), not the transport;
    // the scheme of 'url' is what determines whether traffic is encrypted.
    protocol: 'http'
    url: 'https://echo.contoso.com'
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/api-management/service:<version>

To use the latest version:

br/public:avm/res/api-management/service:0.6.0
