Why zero trust on Azure is different
Azure rewards a clear edge: Front Door for global ingress, API Management as the policy layer, and a strict VNet boundary that everything sensitive lives inside. Public service endpoints are off by default.
The interesting design choice is not the controls; it is the identity model. Entra ID issues tokens for users and workloads alike. Conditional Access decides whether a token can be minted in the first place, based on device, location, risk score, and group.
Reference pattern
Requests hit Front Door (WAF and DDoS protection) and are proxied to APIM in the home region. APIM enforces rate limits, JWT validation against Entra ID, request schema validation, and IP allowlisting for partner traffic.
APIM is integrated into a private VNet, so backends are not exposed. App Service, Functions, SQL, Storage, and Key Vault are all bound to private endpoints, and DNS inside the VNet resolves those services to their private IPs.
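Added example, not code from the original page: one APIM inbound policy that expresses the gateway rules listed above (Front Door origin check, rate limit, Entra ID JWT validation, JSON schema validation, partner IP allowlist). The tenant ID, app ID, schema ID, Front Door ID, the `partner-ingest` operation, the `Orders.Read` app role and the address range are placeholders or assumptions, not values from the page.

```xml
<policies>
  <inbound>
    <base />
    <!-- Accept only traffic that came through our Front Door profile (ID is a placeholder). -->
    <check-header name="X-Azure-FDID" failed-check-httpcode="403"
                  failed-check-error-message="Forbidden" ignore-case="false">
      <value>FRONT_DOOR_ID_PLACEHOLDER</value>
    </check-header>
    <!-- Rate limit per source IP: 100 calls per 60 s (constructed numbers). -->
    <rate-limit-by-key calls="100" renewal-period="60"
                       counter-key="@(context.Request.IpAddress)" />
    <!-- Validate the Entra ID bearer token: signature via OIDC metadata, audience, issuer, app role. -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://APP_ID_PLACEHOLDER</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0</issuer>
      </issuers>
      <required-claims>
        <!-- Hypothetical app role the caller must hold. -->
        <claim name="roles" match="any">
          <value>Orders.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- Reject bodies over 100 KB, non-JSON content types, or JSON failing the API schema (schema ID is a placeholder). -->
    <validate-content unspecified-content-type-action="prevent"
                      max-size="102400" size-exceeded-action="prevent">
      <content type="application/json" validate-as="json"
               schema-id="ORDERS_SCHEMA_PLACEHOLDER" action="prevent" />
    </validate-content>
    <!-- Partner allowlist applies only to the partner operation; range is a constructed example. -->
    <choose>
      <when condition="@(context.Operation.Id == &quot;partner-ingest&quot;)">
        <ip-filter action="allow">
          <address-range from="203.0.113.0" to="203.0.113.255" />
        </ip-filter>
      </when>
    </choose>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
```

Front Door adds X-Azure-FDID itself, so the header check only holds if the gateway is otherwise unreachable from the internet; pair it with the VNet restriction rather than relying on the header alone.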
Identity and access
Users authenticate to Entra ID. Conditional Access requires a managed device, low sign-in risk, and group membership matching the API. For privileged operations we use PIM with just-in-time elevation and approval.
- workload identity federation for GitHub Actions (no secrets)
- managed identities for App Service and Functions
- customer-managed keys in Key Vault, rotated quarterly
- Defender for Cloud running posture and workload protection
- Private DNS zones linked to the VNet for endpoint resolution
Telemetry
Every layer ships to Log Analytics. We route a subset to Sentinel for detection and to Cost Management for budget alerts. The hot path for detection is sign-in logs, APIM gateway logs, and Defender alerts.
References
Official documentation and standards we draw on for this pattern.
- Microsoft Zero Trust guidance (learn.microsoft.com)
- Microsoft Cybersecurity Reference Architectures (learn.microsoft.com)
- Entra ID Conditional Access (learn.microsoft.com)
- API Management policy reference (learn.microsoft.com)
- Azure Private Link overview (learn.microsoft.com)
- NIST SP 800-207 Zero Trust Architecture (csrc.nist.gov)
Takeaway
Zero trust on Azure is not a product; it is the combination of identity, network, and policy moving in step. Get the three to agree and the rest follows.