I currently have numerous web apps which are just webapi's on Azure. I have a gateway web app that is accessible publically as it has its own authentication mechanisms.
However the other web apps I don't want to be accessed publically, only the gateway web app should have access to these API's and possibly my dev machine just to test they are running and operational.
What is the best way to do this on Azure?
On
Since you have web apps you can use Azure Active Directory (AAD) to configure authentication.
A tutorial on how to do so is here: http://blogs.msdn.com/b/waws/archive/2015/04/20/how-i-to-setup-azure-active-directory-with-a-web-app.aspx
If you haven't looked into API Apps, you will find a lot of functionality already existing there. For example, limiting the visibility of the API App is as simple as going to the API App blade -> All Settings -> Application Settings and setting the Visibility to "Internal". This will make the API App only accessible within the same Resource Group
You can find more information here