Protect your nested/service flows with the Azure API Management Service

[image: apim]

Using flows as a web service is very popular. To achieve this you just need to use the trigger "When an HTTP request is received"; when you save your flow, a public URL is generated. Easy.

[image: whenhttp]

However:

  • the URL might change
  • you might need to protect it: authentication, throttling, restricting the callers to specific network locations, and so on.

So welcome to one of my favorite Azure tools:

Azure API Management Services

In this post I will show you how to start, but of course it is up to you to read the documentation in order to do more. We will just scratch the surface here.

Let’s start with a very simple service flow that calculates the sum of 2 numbers:

[image: calculationFlow]

(Set the trigger method to POST.)

In order to make sure this flow works as expected, test it in Postman:

[image: postman1]

Make sure the header Content-Type: application/json has been set, click Send and you should get a result:

[image: postman2]

Let’s go to your Azure Portal and find the (Azure) API Management service:

[image: apim1]

We will add a new service that binds our API (the flow’s public URL) to a specific API host (among other things):

Click Add and fill in the following information (see picture below). The name you provide defines the host of the service URL, so in my case “Flowdemo” generates the public URL Flowdemo.azure-api.net.

Also select an existing resource group or create a new one; the name is not relevant here, I had an existing one called “flow”:

[image: apim2]

Click Create. The service creation can take up to 30 minutes!

When the service is created, click the service (here Flowdemo) and then click the APIs menu to create a new API:

[image: apims2]

Click Add API and select Blank API:

[image: blankapi]

Fill in the following fields (and paste your flow’s public URL in the Web service URL field):

[image: blankapi2]

Click Create.

Select your API and click Add operation:

[image: addoperation1]

The display name can be Add2Numbers; select POST and enter a ‘/’ in the URL:

[image: addoperation2]

We now need to associate our API with an object called a “product”; policies are associated with this product. A product can host several APIs if needed.

Go to Products:

[image: products1]

Create a new product called Calculator, uncheck Require subscription and select your Calculator Flow API:

[image: product2]

Click Create.

Now let’s get back to Postman: instead of your flow URL, use your new service URL, in my case https://flowdemo.azure-api.net. External users should only know this URL, never the URL generated by Flow. The whole point is that this new URL can be protected through Azure API Management.

So, back in Postman, replace the raw flow URL with the new one; it should work:

[image: newurl]

Go back to the product definition and check Require subscription:

[image: subscription1]

Save and test the same call in Postman: you will now be required to provide a subscription key:

[image: subscription2]

To fix this, create a subscription:

[image: subscription3]

Then show the key and copy it into Postman. Specifically, you must add a new header named “Ocp-Apim-Subscription-Key” whose value is your new subscription key:

[image: subscription4]

Send the request and it should work now.

There are so many ways to protect your API that I recommend you spend more time on the policies:

[image: policies]

Let’s say that you want to implement a policy that only allows callers from a given IP range, for example from 212.68.223.153 to 212.68.223.160.

Click the policy Restrict caller IPs:

[image: restrictIP]

Update the policy with the IP range you want:

[image: restrict2]

Save the policy; as long as the machine running Postman is within that range you should get a response. To find out your public IP address you can go to https://whatismyipaddress.com/.

Change the policy so that your Postman IP address is no longer in the range, and you should get a 403 status code:

[image: restrictIP2]

Let’s also limit the number of calls per IP address: at most 3 calls every 60 seconds.

[image: restrictIP3]

Test with Postman: after 4 calls within the window you will get:

[image: throttle]
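For readers who prefer to see the policy itself rather than the portal form, here is what the two policies configured above look like in the API Management policy XML (an added example written for this post, not an export from my service); the IP range and the 3-calls-per-60-seconds limit are the values used above, and the subscription key check is not a policy but the product’s Require subscription setting.

```xml
<!-- Inbound policy for the Calculator API (added example, not exported from the post's service).
     The IP range and the rate limit are the values used in the post. -->
<policies>
    <inbound>
        <base />
        <!-- Only callers whose source address lies within this range get through;
             anyone else receives a 403 before the flow is ever invoked. -->
        <ip-filter action="allow">
            <address-range from="212.68.223.153" to="212.68.223.160" />
        </ip-filter>
        <!-- At most 3 calls per 60 seconds, counted per caller IP address;
             the 4th call within the window is rejected with a 429. -->
        <rate-limit-by-key calls="3"
                           renewal-period="60"
                           counter-key="@(context.Request.IpAddress)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because both policies sit in the inbound section, a blocked or throttled call is rejected by API Management and never reaches the flow, so it does not consume your flow run quota.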

In summary: be very careful when you expose any API in general, and in the specific case of Microsoft Flow when you use the "When an HTTP request is received" trigger. Don’t share the public URL generated by Flow; share only the protected URL generated and managed by Azure API Management. It is also good to know that the Flow/PowerApps connectors run under the umbrella of the Azure API Management service, which is the reason why each connector provides throttling. Your custom connectors follow the same logic.

If you are interested, I can train your team in PowerApps and Flow anywhere in the world. My workshops are fully exercise-oriented, with zero slides.

Check my web site : https://www.shareql.com

[image: shareqltraining]
