
We have a requirement for a webpage (similar to this) that needs to be available to anonymous public users. The webpage is static and contains spatial information that is updated by a backend server. There are also several ways of retrieving this information. A few methods include REST, SOAP, etc. We do not want to expose SOAP because we are moving away from SOAP. The APIs and webpage are read-only.

The core backend server is hosted on-premises. Since the infrastructure already exists, there is a requirement not to stand up new instances in the cloud. Also, the existing on-premises infrastructure is hosted in the trusted zone (internal network) and cannot be moved to the DMZ, as the DMZ layer is running on old hardware that is scheduled to be decommissioned.

One solution I thought of was to expose only the REST APIs (without the webpage) using Azure Front Door > Application Gateway > API Management > on-premises API. This poses a challenge because there is no REST OpenAPI spec available. Since there are 100s of APIs, we don't want to create a spec for each API.

The other possible solution that I could think of is bypassing the API GW and going directly to the on-prem server, which can render the webpage (Azure Front Door > Application Gateway > on-premises). We do have connectivity from Azure to on-premises, and hence it is easy to hook the App Gateway to the on-premises server with mutual authentication. I want to understand if there are any security risks/threats associated with this design.

0 Answers