Integration Security Baselines
Integration services expose and manage APIs across organizational boundaries. API Management is the gateway that controls authentication, rate limiting, and observability for all API traffic — making it a critical security control point in modern architectures.
API Management Security Architecture
Architecture (flowchart on the original page, reproduced here in text): External callers (Client, Partner) enter through Front Door at the Edge layer; Front Door forwards to API Management deployed in Internal VNet mode at the Gateway layer; APIM calls the Backend services (Container Apps, Functions, AKS cluster), authenticating to each with its managed identity (MI Auth).
API Management
Full-lifecycle API gateway with built-in developer portal, OAuth 2.0 flow management, rate limiting, and policy-based request/response transformation. APIM should be deployed in Internal VNet mode for production — fronted by Application Gateway or Front Door with WAF for external access.
| Property | Value |
|---|---|
| Defender Plan | Defender for APIs |
| Azure Policy Built-in | Yes — VNet deployment, TLS version, private endpoint, named values |
| Recommended Tier | Premium (VNet integration, multi-region, private endpoints) |
| Key Feature | Internal VNet mode with validate-jwt policy for Entra ID token enforcement |
Baseline Controls
| Domain | Feature | Supported | Default | Responsibility |
|---|---|---|---|---|
| NS | Internal VNet Mode | ✓ | Manual | Customer |
| NS | Private Endpoint | ✓ | Manual | Customer |
| IM | OAuth 2.0 + JWT Validation | ✓ | Manual | Customer |
| IM | Managed Identity | ✓ | Manual | Customer |
| DP | TLS 1.2+ Enforcement | ✓ | Manual | Customer |
| LT | Defender for APIs | ✓ | Manual | Customer |
| LT | Diagnostic Logging | ✓ | Manual | Customer |
Terraform: Secure API Management (Internal VNet)
```hcl
resource "azurerm_api_management" "main" {
  name                = "apim-prod"
  resource_group_name = azurerm_resource_group.integration.name
  location            = azurerm_resource_group.integration.location
  publisher_name      = "Contoso Security"
  publisher_email     = "apim-admin@contoso.com"
  sku_name            = "Premium_1" # VNet injection, multi-region and private endpoints need Premium

  # NS-1: Internal VNet mode. The gateway is reachable only from inside the VNet;
  # external traffic must arrive via Application Gateway or Front Door with WAF.
  virtual_network_type = "Internal"
  virtual_network_configuration {
    subnet_id = azurerm_subnet.apim.id
  }

  # IM-3: System-assigned managed identity, used by authentication-managed-identity
  # policies and for pulling TLS certificates from Key Vault
  identity {
    type = "SystemAssigned"
  }

  protocols {
    enable_http2 = true
  }

  # DP-3: TLS 1.2+ enforcement. Disable SSL 3.0 / TLS 1.0 / TLS 1.1 on both the
  # client-facing (frontend) and backend sides. Weak cipher suites (3DES) are
  # turned off separately under Protocols + ciphers, see DP-3 below.
  security {
    enable_backend_ssl30  = false
    enable_backend_tls10  = false
    enable_backend_tls11  = false
    enable_frontend_ssl30 = false
    enable_frontend_tls10 = false
    enable_frontend_tls11 = false
  }
}

# IM-1: Global JWT validation policy, inherited by every API in the instance
resource "azurerm_api_management_policy" "global" {
  api_management_id = azurerm_api_management.main.id
  xml_content       = <<XML
<policies>
  <inbound>
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token required.">
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://{api-app-id}</audience>
      </audiences>
      <!-- The issuer must match the token version the API app registration accepts:
           v1 tokens carry https://sts.windows.net/{tenant-id}/ ,
           v2 tokens carry https://login.microsoftonline.com/{tenant-id}/v2.0 -->
      <issuers>
        <issuer>https://sts.windows.net/{tenant-id}/</issuer>
      </issuers>
    </validate-jwt>
    <!-- rate-limit is only valid at product/API/operation scope; at global scope use
         rate-limit-by-key. Behind Front Door or Application Gateway the source IP is
         the proxy, so key on X-Forwarded-For or the token subject instead. -->
    <rate-limit-by-key calls="100" renewal-period="60" counter-key="@(context.Request.IpAddress)" />
  </inbound>
  <!-- A global policy without forward-request never reaches the backend -->
  <backend>
    <forward-request />
  </backend>
</policies>
XML
}

# LT-3: Diagnostic logging to Log Analytics
resource "azurerm_monitor_diagnostic_setting" "apim" {
  name                       = "diag-apim-prod"
  target_resource_id         = azurerm_api_management.main.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.main.id

  enabled_log {
    category = "GatewayLogs"
  }
  enabled_log {
    category = "WebSocketConnectionLogs"
  }
  metric {
    category = "AllMetrics"
  }
}
```
Azure Portal Instructions
Step-by-step instructions for configuring each API Management control through the Azure Portal.
NS-1 — Internal VNet Mode
- Navigate to your API Management resource in the Azure Portal
- In the left menu under Deployment + infrastructure, select Virtual network
- Change the VNet type to Internal
- Select the VNet and subnet for APIM deployment
- Click Apply and then Save (this may take 30-45 minutes)
- Deploy Application Gateway or Front Door in front of APIM for external access with WAF
IM-1 — OAuth 2.0 + JWT Validation
- In the Azure Portal, open API Management > APIs
- Select an API and click the Inbound processing policy editor
- Add the validate-jwt policy with your Entra ID tenant issuer URL
- Set the required audience to match your API app registration
- Optionally add required-claims to enforce specific roles or scopes
- Apply the policy at the All APIs level for global enforcement
- Test by sending a request without a valid token — it should return 401
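The accept/reject decision that the validate-jwt policy makes, as an added example that is not part of this page or of APIM itself. Entra ID access tokens are RS256-signed and APIM verifies them against the keys published at the openid-config URL; this script instead signs constructed test tokens with HS256 and a demo key so it runs offline. The tenant ID, API app ID and the `Api.Read` role are hypothetical. It exercises the pitfall in the policy above: a v2 token (issuer `login.microsoftonline.com/{tenant}/v2.0`) is rejected with 401 by a policy whose issuer list holds only `sts.windows.net`, as are expired, tampered and role-less tokens.

```python
"""Emulates APIM validate-jwt accept/reject logic on constructed tokens (added example)."""
import base64
import hashlib
import hmac
import json
import time

TENANT = "11111111-2222-3333-4444-555555555555"       # hypothetical tenant ID
API_APP_ID = "66666666-7777-8888-9999-000000000000"   # hypothetical API app registration
DEMO_KEY = b"demo-signing-key-not-for-production"     # stands in for Entra's RS256 keys

# Mirrors the page's policy: v1 issuer, api:// audience, plus a required-claims
# block on "roles" with match="any" (hypothetical role name).
POLICY = {
    "audiences": [f"api://{API_APP_ID}"],
    "issuers": [f"https://sts.windows.net/{TENANT}/"],
    "required_claims": {"roles": ["Api.Read"]},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Builds an HS256 JWT for the constructed test cases."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_jwt(authorization_header, policy=POLICY, key=DEMO_KEY, now=None):
    """Returns (http_status, reason); 401 mirrors failed-validation-httpcode."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing Bearer token"            # require-scheme="Bearer"
    token = authorization_header[len("Bearer "):]
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return 401, "malformed token"
    if header.get("alg") != "HS256":
        return 401, "unexpected alg"                  # never accept alg=none
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return 401, "bad signature"
    if claims.get("exp", 0) <= now:
        return 401, "token expired"
    if claims.get("iss") not in policy["issuers"]:
        return 401, f"issuer {claims.get('iss')} not in policy issuers"
    if claims.get("aud") not in policy["audiences"]:
        return 401, f"audience {claims.get('aud')} not in policy audiences"
    for name, allowed in policy["required_claims"].items():
        have = claims.get(name, [])
        have = [have] if isinstance(have, str) else have
        if not set(have) & set(allowed):              # match="any"
            return 401, f"required claim {name} not satisfied"
    return 200, "ok"


def base_claims(now):
    return {"iss": POLICY["issuers"][0], "aud": POLICY["audiences"][0],
            "exp": int(now) + 3600, "roles": ["Api.Read"]}


def run_cases():
    """Constructed test tokens; returns {case: http_status}."""
    now = 1_700_000_000
    good = mint_token(base_claims(now))
    v2 = mint_token({**base_claims(now), "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0"})
    no_role = mint_token({**base_claims(now), "roles": ["Api.Write"]})
    expired = mint_token({**base_claims(now), "exp": now - 1})
    # payload edited to add a role, signature left as it was on the good token
    tampered = mint_token({**base_claims(now), "roles": ["Api.Read", "Admin"]}).rsplit(".", 1)[0] \
        + "." + good.rsplit(".", 1)[1]
    return {
        "valid": validate_jwt(f"Bearer {good}", now=now)[0],
        "no_header": validate_jwt(None, now=now)[0],
        "v2_issuer": validate_jwt(f"Bearer {v2}", now=now)[0],
        "missing_role": validate_jwt(f"Bearer {no_role}", now=now)[0],
        "expired": validate_jwt(f"Bearer {expired}", now=now)[0],
        "tampered": validate_jwt(f"Bearer {tampered}", now=now)[0],
    }


if __name__ == "__main__":
    for case, status in run_cases().items():
        print(f"{case:13s} -> HTTP {status}")
```

If the API app registration is switched to v2 tokens (accessTokenAcceptedVersion = 2), the policy's `<issuer>` must change to the v2 value or every caller starts getting the 401 shown in the `v2_issuer` case.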
IM-3 — Managed Identity
- Navigate to your API Management resource in the Azure Portal
- In the left menu under Security, select Managed identities
- On the System assigned tab, set Status to On and click Save
- Use the managed identity in policies:
  <authentication-managed-identity resource="https://target.service.url" />
- Grant the managed identity access to Key Vault for TLS certificate retrieval
- Assign appropriate RBAC roles on backend services
DP-3 — TLS 1.2+ Enforcement
- Navigate to your API Management resource in the Azure Portal
- In the left menu under Security, select Protocols + ciphers
- Under Protocols, disable TLS 1.0 and TLS 1.1 for both client and backend
- Under Ciphers, disable weak cipher suites such as triple DES (3DES) and the legacy TLS_RSA CBC suites
- Keep only strong TLS 1.2+ cipher suites
- Click Save
LT-1 — Defender for APIs
- Navigate to Microsoft Defender for Cloud in the Azure Portal
- In the left menu, select Environment settings
- Select your subscription
- Under Cloud Workload Protection (CWP), find the APIs row
- Toggle the plan to On
- Click Save — API Management APIs will be inventoried and monitored for threats
LT-3 — Diagnostic Logging
- Navigate to your API Management resource in the Azure Portal
- In the left menu under Monitoring, select Diagnostic settings
- Click + Add diagnostic setting
- Select log categories: GatewayLogs, WebSocketConnectionLogs
- Select AllMetrics under Metrics
- Select the destination: Send to Log Analytics workspace
- Select your Log Analytics workspace
- Click Save
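A drift check that verifies the outcome of the portal steps above (NS-1, IM-3, DP-3, LT-3) against the Baseline Controls table, added here as an example and not part of the original page. It evaluates the JSON that `az apim show` and `az monitor diagnostic-settings list` return; the two documents below are constructed samples for an instance where most, but not all, of the baseline has been applied. The `customProperties` keys are the ones Azure uses for the Protocols + ciphers settings; treating a missing key as a finding (require an explicit `"False"`) is this script's own conservative assumption.

```python
"""Audits an APIM instance against the baseline controls (added example)."""
import json

# Constructed sample of `az apim show -n apim-prod -g rg-integration -o json`
SAMPLE_APIM = json.loads("""
{
  "name": "apim-prod",
  "sku": {"name": "Premium", "capacity": 1},
  "virtualNetworkType": "Internal",
  "identity": {"type": "SystemAssigned", "principalId": "00000000-0000-0000-0000-000000000000"},
  "customProperties": {
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "False",
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "True",
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "False",
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "False",
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "False",
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "True"
  }
}
""")

# Constructed sample of `az monitor diagnostic-settings list --resource <apim-id> -o json`
SAMPLE_DIAG = json.loads("""
[{"name": "diag-apim-prod",
  "workspaceId": "/subscriptions/sub-id/resourceGroups/rg-integration/providers/Microsoft.OperationalInsights/workspaces/law-main",
  "logs": [{"category": "GatewayLogs", "enabled": true},
           {"category": "WebSocketConnectionLogs", "enabled": false}],
  "metrics": [{"category": "AllMetrics", "enabled": true}]}]
""")

TLS_KEYS = {
    "frontend": "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.",
    "backend": "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.",
}
WEAK_PROTOCOLS = ("Ssl30", "Tls10", "Tls11")
TRIPLE_DES = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168"
REQUIRED_LOGS = ("GatewayLogs", "WebSocketConnectionLogs")


def audit(apim, diag):
    """Returns {control_id: [findings]}; an empty list means the control passes."""
    findings = {"NS-1": [], "IM-3": [], "DP-3": [], "LT-3": []}

    # NS-1: the gateway must be VNet-injected in Internal mode
    vnet = apim.get("virtualNetworkType")
    if vnet != "Internal":
        findings["NS-1"].append(f"virtualNetworkType is {vnet!r}, expected 'Internal'")

    # IM-3: a system-assigned identity is needed for authentication-managed-identity
    # policies and Key Vault certificate retrieval
    identity = (apim.get("identity") or {}).get("type", "None")
    if "SystemAssigned" not in identity:
        findings["IM-3"].append(f"identity type is {identity!r}, expected SystemAssigned")

    # DP-3: SSL 3.0 / TLS 1.0 / TLS 1.1 explicitly disabled on both sides, 3DES off.
    # Assumption: a missing key counts as not disabled.
    props = apim.get("customProperties") or {}
    for side, prefix in TLS_KEYS.items():
        for proto in WEAK_PROTOCOLS:
            if props.get(prefix + proto) != "False":
                findings["DP-3"].append(f"{side} {proto} not disabled")
    if props.get(TRIPLE_DES) != "False":
        findings["DP-3"].append("3DES cipher suite not disabled")

    # LT-3: the required categories must be shipped to a Log Analytics workspace
    # (older az versions wrap the list in {"value": [...]}, handled here)
    settings = diag.get("value", []) if isinstance(diag, dict) else diag
    enabled = set()
    for setting in settings:
        if not setting.get("workspaceId"):
            continue  # storage- or event-hub-only destinations do not satisfy LT-3
        enabled |= {log["category"] for log in setting.get("logs", []) if log.get("enabled")}
    for category in REQUIRED_LOGS:
        if category not in enabled:
            findings["LT-3"].append(f"{category} not sent to a Log Analytics workspace")
    return findings


def compliant(findings):
    return all(not items for items in findings.values())


if __name__ == "__main__":
    result = audit(SAMPLE_APIM, SAMPLE_DIAG)
    for control, items in result.items():
        print(f"{control}: {'PASS' if not items else 'FAIL'}")
        for item in items:
            print(f"    - {item}")
```

Pipe real output into `audit()` from a CI job and fail the pipeline when `compliant()` is false; IM-1 (the validate-jwt policy) is not covered here because it lives in the policy XML rather than in the instance properties.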
APIM + Application Gateway Pattern