Enforcing all requests to APIM over HTTPS.

Join APIM to a VNET, and then add an NSG on the APIM subnet that blocks all incoming traffic to port 80.

Disable HTTP on the API settings blade. After HTTP access to the API is disabled, any client request made to APIM over HTTP gets a 404 response. The URL scheme setting shown below is where we select ONLY HTTPS, which disables HTTP.

APIs > Settings > URL scheme
URL scheme > Check ONLY HTTPS

The last option is to handle this in policy. APIM has no built-in inbound policy that performs HTTP-to-HTTPS redirection, so we have to combine the Control flow and Return response policies to achieve this functionality.

For this option, leave the URL scheme setting on the API settings blade set to Both, then add a <choose> policy to the <inbound> section that forces the client to redirect its HTTP request to HTTPS, using the policy below:

HTTPtoHTTPSAPIMPolicy
GET request via HTTP and the corresponding response (via Policy)
GET request via HTTPS and the corresponding response (via Policy)
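
A sketch of the redirect policy described above, combining `<choose>` with `<return-response>`. This is an added example, not the author's original policy; the 301 status code and the placement of `<base />` after the redirect check are assumptions.

```xml
<!-- Added example. Assumes the API's URL scheme is set to Both,
     so that HTTP requests reach the policy pipeline at all. -->
<policies>
    <inbound>
        <choose>
            <!-- OriginalUrl is the URL the client actually called. -->
            <when condition="@(context.Request.OriginalUrl.Scheme.ToLower() == "http")">
                <return-response>
                    <!-- 301 is an assumption; 308 keeps the method and body on non-GET calls. -->
                    <set-status code="301" reason="Moved Permanently" />
                    <set-header name="Location" exists-action="override">
                        <!-- Assumes QueryString carries its leading "?" when a query is present. -->
                        <value>@("https://" + context.Request.OriginalUrl.Host + context.Request.OriginalUrl.Path + context.Request.OriginalUrl.QueryString)</value>
                    </set-header>
                </return-response>
            </when>
        </choose>
        <!-- HTTPS requests fall through to the inherited policies. -->
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The redirect only corrects the client after the fact: the first HTTP request, including any subscription key or token it carries, has already crossed the network in cleartext. Clients should still be configured with the https:// URL.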


Enterprise Cloud Solutions Architect / Dev Ops Enthusiast.
