Exam AZ-204 topic 1 question 26 discussion

This is scenario questions. If backend is accepts HTTP(S) Then Basic AUTH or Certificate will work. so Basic + HTTPS Yes

The correct answer is Yes. https://docs.microsoft.com/en-us/azure/api-management/api-management-authentication-policies#ClientCertificate

Client Cert Gateway Credentials: Can be used with both HTTP endpoints and Azure resources if both are configured to handle and validate client certificates. Provides strong security and is suitable for high-security scenarios, but involves a more complex setup. Basic Gateway Credentials: Suitable for HTTP endpoints that support Basic Authentication but not suitable for Azure resources like Azure App Service. Basic Authentication is less secure and generally not used for Azure resources, which typically require Azure AD, OAuth tokens, or managed identities for authentication. For a public-facing API, client certificate authentication is generally preferred if both APIM and the backend API are properly configured to use and validate client certificates. Basic Authentication is simpler but less secure and not suitable for most Azure resources. Azure App Service does not support Basic Authentication (Basic gateway credentials) for securing access to the service itself. For securing Azure App Service, you should use Azure AD, OAuth 2.0, or other more secure authentication methods

No, the solution does not meet the goal. Configuring Basic gateway credentials for the HTTP(s) endpoint provides authentication for clients accessing the API through the API Management gateway, but it does not specifically address back-end authentication for the API Management service instance. Back-end authentication typically involves authenticating requests between the API Management service instance and the back-end hosted in Azure App Service. Basic gateway credentials are more commonly used for authenticating clients accessing the API through the API Management gateway, rather than for securing communication between the gateway and the back-end service.

Answer is B - NO

Answer is YES. Based on this: https://learn.microsoft.com/en-us/azure/api-management/authentication-basic-policy

This is not the preferred way, Basic authentication is unsecure because of sending the username/password in the header. You must use TLS to protect the credentials. The preferred way is using a client certificate. Which can be re-used for all backends that are residing in the same api management service

No. Configuring Basic gateway credentials for the HTTP(s) endpoint in a public-facing API scenario is not ideal for security reasons. Basic credentials involve sending a username and password with each request, which can expose sensitive information and is less secure. It's recommended to use more robust authentication mechanisms like API keys, OAuth tokens, or client certificates for enhanced security in such scenarios.

Correct answer is Yes, Admin change the answer: Configuring Basic gateway credentials for the HTTP(s) endpoint is a valid solution for back-end authentication in API Management. Basic authentication involves sending a username and password with each request.

API Management gateway supports basic authentication. You have a RESTful service, so there is an HTTP(s) endpoint. App Service doesn't have built-in support fot basic authentication, but you can use the security features of the framework the service is built on (https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization#why-use-the-built-in-authentication) The question only says "you must configure authentication". It doen't says it has to be the best solution or the most secure. Maybe Microsoft is expecting No in this question, but the solution meets the goal, so the answer should be Yes.

No, configuring Basic gateway credentials for the HTTP(s) endpoint does not fully meet the goal of configuring backend authentication for the API Management service instance, especially if this API is public-facing and needs to be secure. Basic gateway credentials refer to HTTP Basic Authentication, where a client sends a username and password with each request.

Configuring Basic gateway credentials for the HTTP(s) endpoint in API Management is not typically used for back-end authentication. Basic gateway credentials are used to secure access to the API Management gateway itself, allowing clients to authenticate when making requests to the API Management layer. It does not secure the communication between API Management and the back-end Azure App Service.

The solution mentioned, which is configuring Basic gateway credentials for the HTTP(s) endpoint, does meet the goal of configuring back-end authentication for the API Management service instance. Configuring Basic gateway credentials means that the API Management service will authenticate requests sent to the back-end service using basic authentication. Basic authentication requires clients to include a username and password in the request headers. By configuring Basic gateway credentials for the HTTP(s) endpoint, you can enforce authentication for incoming requests and ensure that only authorized clients can access the API back end hosted in the Azure App Service instance. Therefore, the correct answer is: A. Yes

Answer should be YES according to this link: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates#configure-an-api-to-use-client-certificate-for-gateway-authentication

Selected Answer: B Because the Backend is an App Service the Microsoft security recommendations to protect back-end resources are: User/Application Identity and/or require client certificate authentication APIM would support Basic & Client, but it also depends on which kind of backend application you are using https://learn.microsoft.com/en-us/azure/app-service/security-recommendations#identity-and-access-management

B. No Configuring Basic gateway credentials for the HTTP(s) endpoint would not provide a secure solution for back-end authentication for the public facing API. Basic authentication sends the user's credentials in plain text over the network, making it vulnerable to eavesdropping and man-in-the-middle attacks. This is not suitable for public facing APIs.

The backend is App Service. Afaik it doesn't allow basic auth, so your only choice is client cert or managed identity. It shouldn't matter if you have the option to enable basic auth at the frontend settings, you won't be able to make it work at the backend. So I'd say NO.