In particular, I would like to see some mention of how different sections of the API can be secured separately. I can imagine how that is accomplished on the Azure API front end, but what prevents someone from getting access to the full API surface at the original URL if they happen to know it?
@lanatmwan, thanks for the suggestion! Is this related to API Management? Is there a specific article you've read where you think it would make sense for us to incorporate this information?
@deneha Dene, can we find the API Management owner and have them review this to see if it's still outstanding?
@davidwrede Can you review this issue and let us know if it is still outstanding?
Sorry for the long delay in responding. Thank you for the feedback. The backend service can be protected using basic authentication or mutual certificate authentication. Either of these methods will prevent a developer from calling directly into the backend API if they were to stumble upon the direct URLs for the backend service. From the API Management side, for each API (that corresponds to a backend service), you can configure the security settings on the Security tab. This process is described in the Configure API settings section in the How to create APIs article here: http://azure.microsoft.com/en-us/documentation/articles/api-management-howto-create-apis/
I will add a little section to the getting started to link to this. I am not sure how different sections of the API could be secured differently - you could have different APIs in a Product, each configured to talk to the backend using a different security protocol. In the Premium tier, you can also use a VPN to connect securely to a backend service that is not publicly accessible on the internet: http://azure.microsoft.com/en-us/documentation/articles/api-management-howto-setup-vpn/
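Added example, not part of the thread or of Microsoft's documentation: a sketch of the backend-side check implied by the basic authentication option above, where the backend answers 401 to any direct call that does not carry the credentials configured for the gateway. The credential values and the function names (`parse_basic`, `authorize`, `basic_header`) are assumptions made up for this illustration.

```python
import base64
import binascii
import hmac

# Constructed sample credentials the gateway is assumed to send to the backend.
GATEWAY_USER = "apim-gateway"
GATEWAY_PASSWORD = "constructed-sample-secret"


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password (passwords may contain ':').
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authorize(headers):
    """Return the HTTP status the backend gives a request with these headers."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401  # direct caller with no or malformed credentials
    user, password = creds
    # Evaluate both comparisons in constant time before combining them.
    user_ok = hmac.compare_digest(user.encode(), GATEWAY_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), GATEWAY_PASSWORD.encode())
    return 200 if (user_ok and pass_ok) else 401


def basic_header(user, password):
    """Build the header value a caller would attach (helper for the demo)."""
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    print(authorize({}))
    print(authorize({"Authorization": basic_header(GATEWAY_USER, "guess")}))
    print(authorize({"Authorization": basic_header(GATEWAY_USER, GATEWAY_PASSWORD)}))
```

Basic credentials are only base64-encoded, so this check is meaningful only when the gateway-to-backend hop runs over TLS.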
@lanatmwan Thanks for raising this issue. It looks like we've answered the question and we have not heard from you. We are closing this issue. If you still have any problems, please comment so we can reopen this issue.