Az - API Management
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Azure API Management (APIM) is a fully managed service that offers a unified platform for publishing, securing, transforming, managing, and monitoring APIs. It enables organizations to centralize their API strategy and ensure consistent governance, performance, and security across all their services. By acting as an abstraction layer between backend services and API consumers, APIM simplifies integration and enhances maintainability while providing essential operational and security capabilities.
Core Concepts
The API Gateway serves as the single entry point for all API traffic, handling functions such as routing requests to backend services, enforcing rate limits, caching responses, and managing authentication and authorization. This gateway is fully hosted and managed by Azure, ensuring high availability and scalability.
The Developer Portal provides a self-service environment where API consumers can discover available APIs, read documentation, and test endpoints. It helps streamline onboarding by offering interactive tools and access to subscription information.
The Management Portal (Management Plane) is used by administrators to configure and maintain the APIM service. From here, users can define APIs and operations, configure access control, apply policies, manage users, and organize APIs into products. This portal centralizes administration and ensures consistent API governance.
Authentication and Authorization
Azure API Management supports several authentication mechanisms to secure API access. These include subscription keys, OAuth 2.0 tokens, and client certificates. APIM also integrates natively with Microsoft Entra ID, enabling enterprise-level identity management and secure access to both APIs and backend services.
Policies
Policies in APIM allow administrators to customize request and response processing at several scopes: global (all APIs), product, API, or operation. Through policies it is possible to enforce JWT validation, transform XML or JSON payloads, apply rate limiting, restrict calls by IP address, or authenticate against backend services using managed identities. Policies are highly flexible and form one of the core strengths of the API Management platform, enabling fine-grained control over runtime behavior without modifying backend code.
Named Values
The service provides a mechanism called Named Values, which allows storing configuration information such as secrets, API keys, or other values required by policies.
These values can be stored directly within APIM or securely referenced from Azure Key Vault. Named Values promote secure and centralized management of configuration data and simplify policy authoring by allowing reusable references instead of hardcoded values.
Networking and Security Integration
Azure API Management integrates seamlessly with virtual network environments, enabling private and secure connectivity to backend systems.
When deployed inside a Virtual Network (VNet), APIM can access internal services without exposing them publicly. The service also allows the configuration of custom certificates to support mutual TLS authentication with backend services, improving security in scenarios where strong identity validation is required.
These networking features make APIM suitable for both cloud-native and hybrid architectures.
Enumerate
To enumerate the API management service:
# Lists all Named Values configured in the Azure API Management instance
az apim nv list --resource-group <resource-group> --service-name <service-name>
# Lists the policy configurations defined at the API scope in raw XML format
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies?api-version=2024-05-01&format=rawxml"
# Retrieves the policy defined for a specific API in raw XML format (the policy ID at a scope is always "policy")
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01&format=rawxml"
# Gets the configuration of the APIM service instance (SKU, gateway hostnames, VNet type, public/private IPs)
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01"
# Lists all backend services registered in the APIM instance
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"
# Retrieves details of a specific backend service (URL, protocol, TLS validation settings, credentials)
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"
# Calls an exposed API endpoint through the APIM gateway (the default gateway hostname is the service name)
curl https://<service-name>.azure-api.net/<api-path>
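The enumeration output above is only useful once it is reviewed for weak settings. The following is an added audit script (not part of this page or of Azure's tooling) that checks the three things the Named Values, Policies and backends sections describe: sensitive named values not marked secret or kept in APIM instead of Key Vault, backends reached over plaintext HTTP or without certificate validation, and an inbound policy with no validate-jwt or ip-filter. The JSON samples are constructed and use the flattened field layout of `az apim` output (the `az rest` responses nest the same fields under `value[].properties`); the field names are assumed from the ARM NamedValue and Backend contracts and should be checked against your own output.

```python
import json
import xml.etree.ElementTree as ET
# Constructed samples (not real enumeration output) in the flattened `az apim` shape;
# field names assumed from the ARM NamedValueContract and BackendContract.
NAMED_VALUES_JSON = """[
 {"name": "backend-key", "secret": false, "value": "sk-plaintext-EXAMPLE", "keyVault": null},
 {"name": "jwt-audience", "secret": false, "value": "api://example", "keyVault": null},
 {"name": "db-pass", "secret": true, "value": null, "keyVault": {"secretIdentifier": "https://example-kv.vault.azure.net/secrets/db-pass"}}]"""
BACKENDS_JSON = """[
 {"name": "legacy", "url": "http://10.0.0.5:8080", "tls": {"validateCertificateChain": false, "validateCertificateName": false}},
 {"name": "orders", "url": "https://orders.internal.example", "tls": {"validateCertificateChain": true, "validateCertificateName": true}}]"""
# Constructed API-scope policy: references a named value but has no JWT validation or IP filter.
POLICY_XML = """<policies><inbound><base />
 <set-header name="x-api-key" exists-action="override"><value>{{backend-key}}</value></set-header>
 <rate-limit calls="100" renewal-period="60" />
</inbound><backend><base /></backend><outbound><base /></outbound></policies>"""

SENSITIVE_HINTS = ("key", "pass", "secret", "token")

def audit_named_values(raw):
    """Flag secrets kept as plain named values or stored in APIM instead of Key Vault."""
    findings = []
    for nv in json.loads(raw):
        sensitive = any(h in nv["name"].lower() for h in SENSITIVE_HINTS)
        if sensitive and not nv.get("secret"):
            findings.append(f"named value '{nv['name']}' looks sensitive but is not marked secret")
        if nv.get("secret") and not nv.get("keyVault"):
            findings.append(f"named value '{nv['name']}' is a secret stored in APIM, not Key Vault")
    return findings

def audit_backends(raw):
    """Flag backends reached over plaintext HTTP or without server certificate validation."""
    findings = []
    for b in json.loads(raw):
        if b["url"].lower().startswith("http://"):
            findings.append(f"backend '{b['name']}' uses plaintext HTTP")
        tls = b.get("tls") or {}
        if not (tls.get("validateCertificateChain") and tls.get("validateCertificateName")):
            findings.append(f"backend '{b['name']}' does not validate the server certificate")
    return findings

def audit_policy(xml_text):
    """Flag an inbound section lacking <validate-jwt>/<ip-filter>; <base /> inherits the parent scope, so confirm at product and global scope too."""
    inbound = ET.fromstring(xml_text).find("inbound")
    findings = []
    for tag in ("validate-jwt", "ip-filter"):
        if inbound is None or inbound.find(tag) is None:
            findings.append(f"inbound policy has no <{tag}> element")
    return findings
```

Feed it the real output of `az apim nv list`, the backends call and the raw XML policy to get a first-pass list of misconfigurations to verify by hand.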