Data exposure to the public internet has been a long-standing concern for most customers, and insecure APIs are one of the reasons for that. The infamous Equifax breach of 2017 comes to mind: it exposed the data of over 150 million customers. Similar security lapses have been reported at Geico, Experian, Facebook and others. Here are a few predictions from Gartner’s recent report in this space:
- By 2025, less than 50% of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools.
- By 2025, more than 50% of enterprises will use GraphQL in production, up from less than 10% in 2021.
- By 2025, the percentage of third-party APIs used in applications will average 30%, up from less than 10% in 2021, complicating dependency management.
- By 2024, 25% of all insurance transactions involving new ecosystem partners will require open and public APIs, up from less than 5% in 2021.
In this blog, I intend to cover, along with a customer example, how the Private Link platform provides a solution to many of the challenges in this space. To start with, it allows access to Azure PaaS services (e.g., Azure Storage, SQL Database etc.) and Azure-hosted customer-owned/partner services over a private endpoint in the customer’s virtual network. Traffic between the customer’s virtual network and the Azure services travels over the Microsoft backbone network, which houses the Private Link platform.
Azure Private Link supports the Azure API Management service. With Azure Private Link, a private endpoint can be created for the gateway component, which is then exposed through a private IP within the virtual network. This allows inbound traffic sent to the private IP to reach the Azure API Management gateway.
With Azure Private Link, communication between the virtual network and the Azure API Management gateway travels over the Microsoft backbone network privately and securely, eliminating the need to expose the service to the public internet.
Key benefits of Azure Private Link
Through this functionality we provide the same consistent experience found in other PaaS services with private endpoints:
- Privately access services on the Azure platform
- On-premises and peered networks
- Protection against data leakage
- Global reach
- Extend to your own services
Logging and monitoring
Azure Private Link integrates with Azure Monitor. This combination allows:
- Archival of logs to a storage account.
- Streaming of events to your event hub.
- Azure Monitor logging.
The following information can be accessed in Azure Monitor:
- Private endpoint:
  - Data processed by the private endpoint (IN/OUT)
- Private Link service:
  - Data processed by the Private Link service (IN/OUT)
  - NAT port availability
Private endpoints and public endpoints
Azure Private Link makes private endpoints available through private IPs. In the above case, the dna.azure-api.net gateway has a private IP of 10.0.0.6, which is only reachable from resources in dna-apim-eastus-vnet. This allows the resources in this virtual network to communicate securely. Other resources can likewise be restricted so that they are reachable only from within the virtual network.
The public endpoint for the dna.azure-api.net gateway may still remain public for the development team. In this release, Azure Private Link will support disabling the public endpoint, limiting access to only the private endpoints configured under Private Link.
We have supported our Azure customers using the Azure Private Link platform. Given below is an example of that.
A success story
- Customer profile
The customer is one of the world’s largest integrated oil and gas companies, headquartered in the UK.
- Customer challenges
Several Microsoft PaaS offerings such as storage accounts, SQL databases, Azure Key Vault etc. were accessible through public endpoints. This posed challenges for enterprise consumers at various levels, as enumerated below:
- As the services are accessed over public endpoints, multiple security controls had to be implemented. Microsoft provides firewall protection for these services.
- The firewall incurred the maintenance overhead of whitelisting the Azure services as well as client IPs.
- Traffic to public endpoints is egress traffic and hence resulted in additional costs.
- Throughput was slower, as the traffic traversed the internet rather than ExpressRoute.
- All customer internet gateway IP addresses/ranges needed to be whitelisted on the PaaS service.
- Gateways required for some PaaS services were using non-standard ports like 1433 for SQL and 5432 for Azure PostgreSQL.
- Our solution
HCLTech recommended and implemented Azure Private Link to overcome the customer’s challenges. The diagram below describes the communication and workflow of how Private Link was implemented.
Figure 1: A sample request flow for the intranet users
While “A” through “G” in the above diagram represent different states and actions of the system, the steps are numbered 1 to 7, as stated below:
Step 1. The DNS request flows from the on-premises user to the on-premises DNS server.
Step 2. The on-premises DNS server forwards all *windows.net queries to its closest hub DNS server, as per the configured DNS geo-routing policy.
Step 3. The hub DNS server sends the query to the Azure recursive resolver (ARR).
Step 4. ARR queries the hub private DNS zone to return the private IP. If the entry is not there, it returns the public IP.
Step 5. The hub DNS server returns the retrieved IP to the on-premises DNS server.
Step 6. The on-premises DNS server returns the IP.
Step 7. The connection is established via ExpressRoute.
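To make steps 1 to 7 concrete, here is an added worked example of my own (not code from the customer engagement, from HCLTech or from Microsoft) that simulates the resolution path in Python. Every zone name, record and IP address in it is constructed for the illustration: the storage account and SQL server names, the 10.0.0.x private endpoint addresses, the public addresses and the corp.example intranet record are all hypothetical. It models the conditional forwarder of step 2, the private-zone-first lookup of step 4, and the fallback to a public IP when the private zone has no entry, which is the case a defender most wants to catch, because step 7 then crosses the internet instead of ExpressRoute.

```python
import ipaddress

# Constructed sample data for this illustration (hypothetical names and IPs,
# not taken from the customer engagement described in the post).

# Hub private DNS zones linked to the hub VNet. Azure registers a private
# endpoint's NIC address under a "privatelink." zone; the public name of the
# service is a CNAME to that privatelink name.
HUB_PRIVATE_ZONES = {
    "privatelink.blob.core.windows.net": {"dnasa01": "10.0.0.6"},
    "privatelink.database.windows.net": {"dnasql01": "10.0.0.7"},
}

# Public DNS as the Azure recursive resolver would see it (simplified).
PUBLIC_DNS = {
    "dnasa01.blob.core.windows.net": ("CNAME", "dnasa01.privatelink.blob.core.windows.net"),
    "dnasa01.privatelink.blob.core.windows.net": ("A", "20.60.1.10"),
    "dnasql01.database.windows.net": ("CNAME", "dnasql01.privatelink.database.windows.net"),
    "dnasql01.privatelink.database.windows.net": ("A", "40.79.2.20"),
    # Storage account with no private endpoint at all: only a public A record.
    "legacysa.blob.core.windows.net": ("A", "20.60.1.11"),
}

# Records the on-premises DNS server answers by itself (step 2 does not apply).
ON_PREM_ZONE = {"intranet.corp.example": "192.168.10.5"}


def lookup_private_zone(fqdn):
    """Step 4: find the record in a hub private DNS zone, if one exists."""
    for zone, records in HUB_PRIVATE_ZONES.items():
        suffix = "." + zone
        if fqdn.endswith(suffix):
            return records.get(fqdn[: -len(suffix)])
    return None


def azure_recursive_resolve(fqdn, trail, max_hops=5):
    """Steps 3-4: the ARR prefers the private zone; otherwise it follows public DNS."""
    name = fqdn
    for _ in range(max_hops):
        private_ip = lookup_private_zone(name)
        if private_ip:
            trail.append(f"step 4: {name} found in hub private zone -> {private_ip}")
            return private_ip
        rtype, value = PUBLIC_DNS.get(name, (None, None))
        if rtype == "CNAME":
            trail.append(f"step 4: {name} is CNAME {value}")
            name = value
            continue
        if rtype == "A":
            trail.append(f"step 4: {name} not in private zone, public A {value}")
            return value
        trail.append(f"step 4: {name} NXDOMAIN")
        return None
    trail.append("step 4: CNAME chain too long")
    return None


def on_prem_resolve(fqdn):
    """Steps 1-2 and 5-6: answer locally, or forward *windows.net to the hub."""
    trail = [f"step 1: user asks on-premises DNS for {fqdn}"]
    if fqdn.endswith("windows.net"):
        trail.append("step 2: conditional forwarder sends the query to the nearest hub DNS")
        trail.append("step 3: hub DNS forwards to the Azure recursive resolver")
        ip = azure_recursive_resolve(fqdn, trail)
        trail.append(f"step 5/6: answer {ip} returned via hub DNS to the user")
    else:
        ip = ON_PREM_ZONE.get(fqdn)
        trail.append(f"answered from on-premises zone: {ip}")
    return ip, trail


def is_private_ip(ip):
    """True for RFC 1918 and other non-globally-routable addresses."""
    return ip is not None and ipaddress.ip_address(ip).is_private


def audit(fqdns):
    """Classify each name: step 7 only rides ExpressRoute when the answer is a private IP."""
    result = {}
    for fqdn in fqdns:
        ip, _ = on_prem_resolve(fqdn)
        if ip is None:
            result[fqdn] = "unresolvable"
        elif is_private_ip(ip):
            result[fqdn] = "private endpoint"
        else:
            result[fqdn] = f"PUBLIC {ip}"
    return result


if __name__ == "__main__":
    for name in ["dnasa01.blob.core.windows.net", "legacysa.blob.core.windows.net"]:
        ip, trail = on_prem_resolve(name)
        print("\n".join(trail))
        print("private" if is_private_ip(ip) else "PUBLIC", "\n")
    print(audit(list(PUBLIC_DNS)))
```

Running the script prints the step-by-step trail for a name that lands on a private endpoint and for one that falls through to a public address. The useful part is audit(): any *windows.net name that comes back with a public IP is a service that is still being consumed over the internet, so an inventory of the customer’s service FQDNs run through a check like this (against real resolvers rather than these tables) tells you which private DNS zone records are missing before someone relies on the private path that is not actually there.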
- Benefits to the customer
- Services are not exposed to the public internet
- Consumption using Azure Private Link is consistent across Azure PaaS, customer-owned, and shared partner services
- Higher throughput
I hope that I have been able to explain, through the above example, how Azure Private Link solves multiple challenges around API security. Since PaaS services keep evolving, I would urge the reader to keep an eye on Microsoft’s upcoming offerings in the API Management space, so as to serve customers with the latest capabilities.