Az - API Management

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Azure API Management (APIM) is a fully managed service that provides a unified platform for publishing, securing, transforming, maintaining, and monitoring APIs. It enables organizations to centralize their API strategy and ensure consistent governance, performance, and security across all their services. By acting as an abstraction layer between backend services and API consumers, APIM simplifies integration and streamlines operations while offering essential operational and security capabilities.

Core Concepts

The API Gateway acts as the single entry point for all API traffic, handling tasks such as routing requests to backend services, enforcing rate limits, caching responses, and managing authentication and authorization. The gateway is hosted and fully managed by Azure, ensuring high availability and scalability.

The Developer Portal provides a self-service environment where API consumers can discover the available APIs, read documentation, and test endpoints. It streamlines consumer onboarding by offering interactive tools and access to subscription information.

The Management Portal (Management Plane) is used by administrators to configure and maintain the APIM service. From here, administrators can define APIs and operations, configure access controls, apply policies, manage users, and organize APIs into products. This portal centralizes administration and ensures consistent API governance.

Authentication and Authorization

Azure API Management supports several authentication mechanisms to protect API access. These include subscription keys, OAuth 2.0 tokens, and client certificates. APIM also integrates natively with Microsoft Entra ID, enabling enterprise-grade identity management and secure access to APIs and backend services.

Policies

Policies in APIM allow administrators to customize request and response processing at different scopes: service, API, operation, or product. Through policies it is possible to enforce JWT token validation, transform XML or JSON payloads, apply rate limiting, restrict calls to specific IP addresses, or authenticate against backend services using managed identities. Policies are highly flexible and are one of the main strengths of the API Management platform, allowing fine-grained control over runtime behavior without changing backend code.

Named Values

The service provides a mechanism called Named Values, which allows storing configuration data such as secrets, API keys, or other values required by policies.

These values can be stored directly inside APIM or securely referenced from Azure Key Vault. Named Values promote secure, centralized management of configuration data and simplify policy authoring by allowing reusable references instead of hardcoded values.

Networking and Secure Connectivity

Azure API Management integrates seamlessly with virtual network environments, enabling private and secure connectivity to backend systems.

When deployed inside a Virtual Network (VNet), APIM can reach internal services without exposing them publicly. The service also allows configuring custom certificates to support mutual TLS authentication with backend services, improving security in scenarios where strong identity verification is required.

These networking features make APIM well suited for cloud-native and hybrid architectures.

Enumeration

To enumerate the API Management service:

# Lists all Named Values configured in the Azure API Management instance
az apim nv list --resource-group <resource-group> --service-name <service-name>

# Retrieves all policies applied at the API level in raw XML format
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies?api-version=2024-05-01&format=rawxml"

# Retrieves the effective policy for a specific API in raw XML format
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01&format=rawxml"

# Gets the configuration details of the APIM service instance
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01"

# Lists all backend services registered in the APIM instance
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"

# Retrieves details of a specific backend service
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"

# Gets general information about the APIM service
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01"

# Calls an exposed API endpoint through the APIM gateway
curl https://<apim>.azure-api.net/<api-path>
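Once the raw policy XML has been pulled with the az rest calls above, the next step is to review it. The following script is an added example, not part of the original page: it checks a policy document for the hardening policies described in the Policies section (validate-jwt, rate-limit, ip-filter) and counts literal values that should have been Named Value references ({{...}}). The policy XML is constructed for this example and embedded so it runs offline; the function and variable names are the author's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit an APIM policy document
# for missing hardening policies and for secrets placed inline instead of
# being referenced as Named Values. The XML below is constructed for this example.

SAMPLE_POLICY='<policies>
  <inbound>
    <base />
    <set-header name="Authorization" exists-action="override">
      <value>Bearer hardcoded-secret-token</value>
    </set-header>
    <set-header name="X-Api-Key" exists-action="override">
      <value>{{backend-api-key}}</value>
    </set-header>
    <set-backend-service base-url="{{backend-url}}" />
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>'

# has_policy XML NAME: exit 0 when the policy element <NAME ...> is present.
has_policy() {
    printf '%s\n' "$1" | grep -q "<$2[ />]"
}

# count_literal_values XML: number of <value>...</value> elements whose content
# is a literal rather than a {{named-value}} reference; each is a secret or
# setting stored inline in the policy instead of in Named Values / Key Vault.
count_literal_values() {
    printf '%s\n' "$1" | grep -o '<value>[^<]*</value>' | grep -vcF '{{'
}

# missing_policies XML: space-separated list of the hardening policies from the
# text that the document does not contain.
missing_policies() {
    missing=""
    for p in validate-jwt rate-limit ip-filter; do
        has_policy "$1" "$p" || missing="$missing $p"
    done
    printf '%s\n' "${missing# }"
}

echo "Missing hardening policies: $(missing_policies "$SAMPLE_POLICY")"
echo "Literal (non-Named-Value) values: $(count_literal_values "$SAMPLE_POLICY")"
```

To audit a real instance, replace SAMPLE_POLICY with the output of one of the `az rest ... format=rawxml` calls above (a policy inherited from a higher scope appears as `<base />`, so also review the service- and product-level documents).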
