Enforcing all requests to APIM over HTTPS.
Occasionally, your architecture may require that you find a way to disable port 80 in API Management service so that it does NOT respond at all to HTTP requests but only HTTPS requests.
Currently you cannot disable that Http.Sys port 80 listener on the APIM VMs, however this guide will list three options to force all requests to APIM over HTTPS.
OPTION 1
Join APIM to a VNET, and then add an NSG on the APIM subnet that blocks all incoming traffic to port 80.
Refer to this article on how to use Azure API Management with virtual networks. Once that has been configured successfully, then create an NSG and add an inbound security rule that blocks all incoming traffic to port 80, then proceed to associate it to the dedicated APIM Subnet that contains no other resources except for Azure API Management service.
OPTION 2
Disabling HTTP settings on the API settings blade. After disabling HTTP access to the API, when any client request is made the to APIM over HTTP, then APIM will return a 404 response. The API settings below is the URL scheme where we are ONLY selecting HTTPS and trying to disable HTTP.
OPTION 3
The last option is to handle this in policy. By default there is no default inbound policy which can perform HTTP to HTTPS redirection. We have to use combination of Control flow and Return response policies to achieve this functionality.
For the URL scheme setting on the API settings blade you will leave it set to Both, then you will add a <choose> policy to the <inbound> section that will force the client to redirect that HTTP request over to HTTPS using the policy below:
Conclusion
We have been able to find a way to disable port 80 in APIM so that it does NOT respond at all to HTTP requests but only HTTPS.
If you found this guide helpful, please consider following me on Twitter and connecting on LinkedIn. Don’t forget to give this article a 👏 if you enjoyed reading it as a show of support. Thanks! ✌️
