We’re exploring Azure Security Best Practices. This might include designers, architects, developers, and testers who build and deploy secure Azure solutions. Use tags to organize your Azure resources. Application Gateway is a PaaS service. Guidance: Configure Azure Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App. Use Azure Security Center Integrated Threat Intelligence to deny communications with known malicious or unused Internet IP addresses. Configure advanced monitoring with API Management by using the log-to-eventhub policy, capture any additional context information required for security analysis, and send to Azure Sentinel or third-party SIEM. Customer to review security controls available to them to reduce service configuration related vulnerabilities. Logging settings for Application Insights can be configured on either per-service or per-API basis. For more information, see Security control: Secure configuration. DDoS Protection Standard should be enabled, There should be more than one owner assigned to your subscription, Deprecated accounts with owner permissions should be removed from your subscription, External accounts with owner permissions should be removed from your subscription. Azure security services. Additionally, API Management contains a built-in Administrators group in the API Management's user system. API Management access restriction policies, How to integrate Azure AD Logs into Azure Monitor. Continuous Export allows you to export alerts and recommendations either manually or in an ongoing, continuous fashion. How to create queries with Azure Resource Graph. For example, you must manage strong credentials yourself. Create metric alerts to let you know when something unexpected is happening. 
Guidance: Not currently available; data identification, classification, and loss prevention features are not currently available for Azure API Management. How to monitor identity and access within Azure Security Center. In this regard, we've seen customers trying automation strategies like: 1. This can act as a considerable bottleneck, especially if a client application is frequently sending requests or receiving data. If you are moving toward cloud adoption, Azure can be of great assistance when aiming to secure business assets. Guidance: If using custom Azure policy definitions, use Azure DevOps or Azure Repos to securely store and manage your Azure API Management service configuration. Provide a way of switching access to API Management from the public Internet on and off. How to get started with Azure Monitor and third-party SIEM integration, How to create custom logging and analytics pipeline, How to integrate with Azure Application Insights. Therefore you should aim to minimize the amount of traffic that flows across the network. Digital Transformation: What Does It Mean for Enterprise Organizations? Application Gateway WAF provides protection from common security exploits and vulnerabilities and can run in the following two modes: Azure Security Center monitoring: Not applicable. Guidance: Not applicable; this recommendation is intended for non-compute resources designed to store data. Microsoft anti-malware is enabled on the underlying host that supports Azure services (for example, Azure API Management), however it does not run on customer content. Detection mode: Monitors and logs all threat alerts. Guidance: Implement Credential Scanner to identify credentials within code. These best practices provide insight into why Azure Sphere sets such a high standard for security. How to create alerts for Azure Activity Log events, How to use Azure Monitor and Azure Activity Log in Azure API Management. Integrate DreamFactory by starting your free trial today! 
Take steps to automatically generate, publish, and manage REST APIs. For more information, see Security control: Incident response. It is an extremely effective way to provide a layer of abstraction between your callers and back-end APIs, and provides centralised governance across your API surface. API Authentication. Guidance: For account login behavior deviation on the control plane (the Azure portal), use Azure Active Directory (AD) Identity Protection and risk detection features to configure automated responses to detected suspicious actions related to user identities. Azure API Management relies on Azure role-based access control (Azure RBAC) to enable fine-grained access management for API Management services and entities (for example, APIs and policies). Be sure to enable SQL Server authentication at the database level, When you use Azure Active Directory authentication, do so using. Configure your Azure API Management Developer Portal to authenticate developer accounts by using Azure Active Directory. After all the above steps, the next step is for us to test the Logic App expose as an API on APIM before we give access to our developers, teams or partners. Guidance on building your own security incident response process, Microsoft Security Response Center's Anatomy of an Incident, Leverage NIST's Computer Security Incident Handling Guide to aid in the creation of your own incident response plan. You can create alerts based on your Log Analytics workspace queries. creation, publication, security, monitoring, and analytics. With Azure Monitor and Log Analytics workspace(s), you can review, query, visualize, route, archive, configure alerts, and take actions on metrics and logs coming from API Management and related resources. Follow Azure Storage security recommendations to protect your backup. 
If we prefer to keep the solution pretty simple and use as many of the PaaS and Serverless type features on Azure as possible then we can make the following changes: 1. DreamFactory can be deployed on premise behind the firewall, in a DreamFactory-hosted environment or on a self-hosted cloud. How to create additional Azure subscriptions. Customers may regenerate these subscription keys at any time. Where is the API Management service available? Guidance: Validate backups by performing a test restore of the service and certificates from backups. We will refer to the Azure Security Top 10 best practices as applicable for each: Best practices 1. It acts as a reverse-proxy and provides L7 load balancing, routing, web application firewall (WAF), and other services. With Cost Management, you can monitor your spending, increase your … Azure Automanage enables the best practices and recommendations from Microsoft for a lot of services, like Backup, Monitoring, Update Management, Security and more on selected VMs. In internal mode, configure an Azure Application Gateway in front of API Management. production, non-prod) using tags and create a naming system to clearly identify and categorize Azure resources, especially those processing sensitive data. Optionally, integrate API Management with Azure Application Insights and use it as primary or secondary monitoring, tracing, reporting, and alerting tool. Guidance: Azure API Management does not have the concept of default passwords/key. Ensure appropriate (read) permissions in your tenant and enumerate all Azure subscriptions as well as resources within your subscriptions. For data plane audit logging, diagnostic logs provide rich information about operations and errors that are important for auditing as well as troubleshooting purposes. Prevention mode records such attacks in the WAF logs. Underlying platform scanned and patched by Microsoft. 
Guidance: Not applicable; Azure API Management does not process or produce anti-malware related logs. These best practices come from our experience with Azure security and the experiences of customers like you. For more information, see Security control: Identity and access control. Guidance: Inbound and outbound traffic into the subnet in which API Management is deployed can be controlled using Network Security groups (NSGs). Update: Downloadable/printable copies of the Microsoft 365 Best practices checklists and guides are now available for purchase at GumRoad. Thanks for your support! You must make sure that the WAF log is selected and turned on. Read the full paper, Nineteen cybersecurity best practices used to implement the seven properties of highly secured devices in Azure Sphere, for the in-depth discussion of each of these best practices and how they—along with the seven properties themselves—guided our design decisions. Microsoft manages the underlying infrastructure for Azure API Management and has implemented strict controls to prevent the loss or exposure of customer data. DreamFactory makes it easy with User Management, SSO Authentication, JSON Web Tokens (JWT), CORS, Role-Based Access Control on API endpoints, record-level permissions on data, OAuth, LDAP, Active Directory, SAML integration, and more. You may also send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. by Susanna Bouse How to restore Azure Key Vault certificates. Best Practices for API Management 1. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred. Backup and restore operations can be performed manually or automated. 
How to use Azure API Management with virtual networks, Using Azure API Management service with an internal virtual network, Integrate API Management in an internal VNET with Application Gateway, Azure Security Center monitoring: Currently not available. Azure API Management update—July 2020. Guidance: Utilize the Workflow Automation feature in Azure Security Center to automatically trigger responses via "Logic Apps" on security alerts and recommendations. Azure API Management instances should be separated by virtual network (VNet)/subnet and tagged appropriately. Guidance: Export your Azure Security Center alerts and recommendations using the Continuous Export feature to help identify risks to Azure resources. Network security is a crucial part of any API program. It acts as a reverse-proxy and provides L7 load balancing, routing, web application firewall (WAF), and other services. Standard API Security Best Practices Identify Vulnerabilities. Authorisation Key. Guidance: Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. If you use Azure Key Vault to manage the custom domain SSL certificate, make sure the certificate is inserted into Key Vault as a certificate, not a secret. Data plane calls can be secured with TLS and one of supported authentication mechanisms (for example, client certificate or JWT). Backup any certificates being stored within Azure Key Vault. For more information, see Security control: Malware defense. This means that an Azure application may be used in a rule as a source or destination. If your organization is not using database-level encryption, you may be more susceptible to attacks. Guidance: Use Managed Service Identity generated by Azure Active Directory (AD) to allow your API Management instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault. 
Reconcile inventory on a regular basis and ensure unauthorized resources are deleted from the subscription in a timely manner. Azure AD protects data by using strong encryption for data at rest and in transit. Administrators can create custom groups or leverage external groups in associated Azure Active Directory tenants. Guidance: Define and implement standard security configurations for your Azure API Management service with Azure Policy. Guidance: Use Key Vault for managing certificates and set them to autorotate. Alternatively, the sign-in/sign-up process can be further customized through delegation. Guidance: Use Virtual Network (Vnet) Service Tags to define network access controls on Network Security Groups (NSGs) used on your API Management subnets. The service backup and restore features of API Management provide the necessary building blocks for implementing a disaster recovery strategy. You may also make use of built-in policy definitions for Azure Virtual Networks, such as: You may also use Azure Blueprints to simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, Azure role-based access control (Azure RBAC), and policies in a single blueprint definition. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change. Web application firewall doesn't block incoming requests when it's operating in Detection mode. For more information, see Security control: Penetration tests and red team exercises. Guidance: Use Azure Policy to put restrictions on the type of resources that can be created in customer subscription(s) using the following built-in policy definitions: How to deny a specific resource type with Azure Policy. A valid JSON web token (JWT) is required. Deploy an NSG to your API Management subnet and enable NSG flow logs and send logs into an Azure Storage account for traffic audit. 
Guidance: Enable Azure Active Directory (AD) Multi-Factor Authentication (MFA) and follow Azure Security Center Identity and Access Management recommendations. In terms of auditing, you’ll want to track and log events. If you are considering provisioning Azure API Management (APIM) and security is at the top of your agenda, you need to know what mechanisms are available to secure APIM and your Web APIs ...but where do you start? If you’d like to add Azure Active Directory authentication to your application, you can use DreamFactory’s Azure Active Directory OAuth connector to easily do so. The Primary Goal of API Governance: Consistency. Secure Score within Azure Security Center is a numeric view of your security posture. Learn more here. With that being said, extra precautions and Azure security best practices need to be considered in order to maximize security efforts. Learn about Privileged Access Workstations. The number of companies that consider themselves a platform provider is increasing, and so is the number of companies building APIs and applications. Ensure that there are written incident response plans that define all roles of personnel as well as phases of incident handling/management from detection to post-incident review. The best practices are intended to be a resource for IT pros. From authentication to database, cloud to email tools, DreamFactory is the ultimate REST API management platform. This Azure identity management and access control security best practices article is based on a consensus opinion and Azure platform capabilities and feature sets, as they exist at the time this article was written. How to authorize developer accounts by using Azure Active Directory in Azure API Management, How to protect an API by using OAuth 2.0 with Azure Active Directory and API Management, How to create and configure an Azure AD instance. 
API management enables enterprises or developers that publish or consume an API to monitor the interface's lifecycle and ensure that the API is performing as it was designed. Understand data protection in Azure API Management, Manage TLS settings in Azure API Management, Protect APIs in Azure API Management with Azure Active Directory, Protect APIs in Azure API Management with Azure Active Directory B2C. Caution: When configuring an NSG on the API Management subnet, there is a set of ports that are required to be open. User access can be reviewed on a regular basis to ensure that only the right users continue to have appropriate access. Guidance: Use Conditional Access Named Locations to allow access to the Azure portal from only specific logical groupings of IP address ranges or countries/regions. Developers are in the driver's seat now. The following best practices are general guidelines and don’t represent a complete security solution. How to manage user accounts in Azure API Management, How to create and use groups to manage developer accounts in Azure API Management. Deploy an NSG to your API Management subnet and enable NSG flow logs and send logs into an Azure Storage account for traffic audit. Once configured, new Developer Portal users can choose to follow the out-of-the-box sign-up process by first authenticating through Azure AD and then completing the sign-up process on the portal once authenticated. Guidance: Not applicable; Azure API Management does not process or produce user accessible DNS-related logs. How to create a managed identity for an API Management instance, Policy to authenticate with managed identity. Application Gateway is a PaaS service. All encryption keys are per service instance and are service managed. It is a best practice to use either service tags or application security groups to simplify management. Configure your Azure API Management instance to protect your APIs by using the OAuth 2.0 protocol with Azure Active Directory (AD). 
How to use Role-Based Access Control in Azure API Management, How to get list of users under an Azure API Management Instance, How to get a list of users assigned to a directory role in Azure AD with PowerShell, How to get a directory role definition in Azure AD with PowerShell, Understand identity and access recommendations from Azure Security Center. Guidance: Not currently available; Customer Lockbox is not currently supported for Azure API Management. You can easily apply the blueprint to new subscriptions, environments, and fine-tune control and management through versioning. Securing APIs is difficult and time consuming. You can also ingest data into Azure Sentinel for further investigation. Customers may utilize Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. Syncing Git rep… Guidance: Apply tags to Azure resources giving metadata to logically organize them into a taxonomy. Understand how to streamline this process with the support of DreamFactory. If it is at 100 percent, you are following best practices. Think of authentication as an identification card that proves you are who you say you are. If any of these ports are unavailable, API Management may not operate properly and may become inaccessible. Groups in API Management control visibility of APIs in the developer portal and the members of the Administrators group can see all APIs. Guidance: Microsoft maintains time sources for Azure API Management. How to create an NSG with a Security Config. A good practice is to enforce an arrest in spike traffic or a per-app usage quota, so that the backend won’t be impacted. Guidance: Azure API Management continuously emits logs and metrics to Azure Monitor, giving you a near real-time visibility into the state and health of your APIs. In a distributed environment such as that involving a web server and client applications, one of the primary sources of concern is the network. 
How to enable Diagnostic Settings for Azure Activity Log, How to enable Diagnostic Settings for Azure API Management. Did you know you can generate a full-featured, documented, and secure REST API in minutes using DreamFactory? Azure AD also salts, hashes, and securely stores user credentials. Enable Azure DDoS Protection Standard on the Vnet associated with your API Management deployment to protect from distributed denial of service (DDoS) attacks. Guidance: Use privileged access workstations (PAW) with Multi-Factor Authentication (MFA) configured to log into and configure Azure resources. Last Updated: March 2014 Director, Product Management, WSO2 Isabelle Mauny Best Practices for API Management Thursday, March 27, 14 2. How to integrate API Management in an internal VNET with Application Gateway. Guidance: To manage traffic flowing to Web/HTTP APIs deploy API Management to a Virtual Network (Vnet) associated with App Service Environment in external or internal mode. You may use the Azure Security Center data connector to stream the alerts to Azure Sentinel. The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance. Guidance: Inbound and outbound traffic into the subnet in which API Management is deployed can be controlled using Network Security Groups (NSG). Digital Transformation: What Does It Mean for Small and Medium-Sized Businesses? Seven best practices in securing AWS, Azure and GCP; It also explores how Sophos Cloud Optix enables organizations to address their security and visibility challenges. Guidance: Enable Azure Activity Log diagnostic settings as well as the diagnostic settings for your Azure API Management instances and send the logs to a Log Analytics workspace. APIs handle an immense amount of data, which is why it’s imperative to invest in API security. 
This helps you reduce the surface area for a potential attack. DreamFactory comes with the popular ELK stack (Elastic, Logstash, and Kibana) for logging and reporting on API traffic. Guidance: * Please follow the Microsoft Rules of Engagement to ensure your Penetration Tests are not in violation of Microsoft policies, Security control: Identity and access control, Understanding Azure API Management Subscriptions, Authorize developer accounts by using Azure Active Directory in Azure API Management, How to delegate user registration and product subscription, How to configure Named Locations in Azure, List of Customer Lockbox-supported services, Understand customer data protection in Azure, Understand data protection/encryption at rest with Azure API Management, Security control: Vulnerability management, Understanding security controls available to Azure API Management, Security control: Inventory and asset management, How to set custom domain names with guidance for Key Vault key rotation, NIST's publication - Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, How to set the Azure Security Center Security Contact, How to configure Workflow Automation and Logic Apps, Security control: Penetration tests and red team exercises, Please follow the Microsoft Rules of Engagement to ensure your Penetration Tests are not in violation of Microsoft policies, You can find more information on Microsoft’s strategy and execution of Red Teaming and live site penetration testing against Microsoft managed cloud infrastructure, services and applications, here. Guidance: To protect critical Web/HTTP APIs configure API Management within a Virtual Network (Vnet) in internal mode and configure an Azure Application Gateway. API Management relies on these roles and Role-Based Access Control to enable fine-grained access management for API Management services and entities. How to configure and enable Identity Protection risk policies. 
For more information, see Security control: Network security. • April 30, 2020. For the underlying platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. With this flexibility of deployment and robust security measures, DreamFactory can satisfy and support the most stringent firewall requirements.