Question:
I have a backend API that is hosted in Azure App Service. I want to use Azure API Management as the front end to this backend API and have successfully configured this in Azure. I have configured API Management to use OAuth when accessing this backend API, which works when clients access the API through the Azure API Management endpoints, but how do I prevent people from accessing the backend API endpoints directly so that only calls from the API Management endpoints are allowed?
Answer 1:
There are a few options with varying levels of security:
- Shared secret - set a certain header with a certain value in APIM and check that value at your backend.
- IP filter - check for the APIM IP as the source at the backend.
- Client certificate auth - upload a client cert to APIM and attach it to every request to the backend. Check for that cert at the backend.
- VNET - put APIM and your backend into the same VNET and block access from outside to the backend.
Answer 2:
I've personally used IP restrictions to great success. APIM is given a static IP, so you can set up an IP restriction in the "root API" that allows only the APIM calls. This results in a 403 if you call the root API directly.
If you don't want a 403 coming from the root API, you can use policies to change that, or you can set up authentication at the APIM level and you'll get a 401 before even hitting that 403.
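The two cheapest options from the answers above (the shared-secret header from answer 1 and the IP filter from answers 1 and 2) can be enforced together in the backend, so that a caller who knows the App Service hostname still gets a 403 unless the request both comes from the APIM address and carries the header that only APIM injects. On the APIM side this is an inbound policy such as `<set-header name="X-APIM-Shared-Secret" exists-action="override"><value>{{apim-backend-secret}}</value></set-header>`, with the secret stored as a named value. The gate below is an added example written for this page, not code from the question or either answer; the header name, the placeholder secret, the documentation-range IP addresses and the `APIM_SHARED_SECRET` environment variable are all assumptions, and the example takes the already-resolved peer address as input rather than parsing proxy headers itself.

```python
"""Backend-side gate for an App Service API fronted by Azure API Management.

Accepts a request only when it (1) arrives from one of the APIM outbound IPs
and (2) carries the shared-secret header that the APIM inbound policy sets.
Added example, not code from the question or the answers; every name and
address in it is an assumption.
"""
import hmac
import ipaddress
import os

# Header name the APIM <set-header> policy injects (assumed name).
SECRET_HEADER = "X-APIM-Shared-Secret"

# In production the secret is an APIM named value and an App Service app
# setting; the default below is a constructed placeholder for offline runs.
APIM_SECRET = os.environ.get("APIM_SHARED_SECRET", "constructed-example-secret-do-not-use")

# Public outbound IP(s) of the APIM instance. These are documentation-range
# addresses (RFC 5737), assumed for the example; use your instance's real IPs.
APIM_ALLOWED_NETS = [
    ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/29")
]


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def source_allowed(remote_addr, allowed_nets=APIM_ALLOWED_NETS):
    """True if the peer address falls inside one of the APIM networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        # Malformed or missing address: fail closed.
        return False
    return any(addr in net for net in allowed_nets)


def secret_valid(headers, expected=APIM_SECRET):
    """True if the shared-secret header is present and matches."""
    presented = _header(headers, SECRET_HEADER)
    if presented is None:
        return False
    # Constant-time comparison so a direct caller cannot time-guess the secret.
    return hmac.compare_digest(presented.encode(), expected.encode())


def gate(headers, remote_addr):
    """Return (status, reason); 200 only when both checks pass.

    The IP check runs first so that a stray caller learns nothing about the
    header check; both failures map to the same 403 the answers describe.
    """
    if not source_allowed(remote_addr):
        return 403, "source address is not an APIM address"
    if not secret_valid(headers):
        return 403, "missing or wrong APIM shared-secret header"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one via APIM, three direct attempts.
    samples = [
        ({"X-APIM-Shared-Secret": APIM_SECRET}, "203.0.113.10"),
        ({}, "203.0.113.10"),
        ({"X-APIM-Shared-Secret": APIM_SECRET}, "198.51.100.9"),
        ({"X-APIM-Shared-Secret": "guess"}, "203.0.113.10"),
    ]
    for hdrs, ip in samples:
        print(ip, hdrs, "->", gate(hdrs, ip))
```

Wire `gate()` into whatever request hook your framework offers (a middleware in ASP.NET Core, a `before_request` in Flask, and so on) and have it short-circuit with the returned status. Behind App Service the address to pass is the one the platform's front end reports for the connecting peer, not whatever the caller put in its own headers; the IP check only protects the backend when that address is trustworthy, which is why answer 1 lists the VNET and client-certificate options as stronger alternatives.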