Azure API Management is a proxy that sits between calling applications and backend systems. It provides a way to organise and publish APIs for developers and external customers in a central and consistent way, regardless of the backend implementation. APIs can be secured using a variety of methods, and policies can be set to control both how and by whom the APIs can be accessed.
An API Gateway provides many benefits, including:
Azure API Management is split into 3 components:
This is the customer-facing side. From here developers can sign up and subscribe to APIs (bundled as products), which grants them the subscription key required to call the APIs (unless an API is published as open). Developers also have access to the API console, where they can read the API documentation and try the operations out. The layout can be customised easily via the Azure Portal.
When combined with mock responses, you can publish the documented API and provide canned responses allowing early integration to occur before the backend services are ready.
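The following inbound policy is an added example (not from the original post) of the canned-response approach described above: it short-circuits the call and returns a constructed JSON body without ever contacting a backend, so consumers can integrate against the documented contract early. The order payload is made up for illustration; the equivalent can also be achieved with the mock-response policy, which returns the sample response defined on the operation.

```xml
<policies>
  <inbound>
    <base />
    <!-- Return a canned order and stop processing; the backend section is never reached -->
    <return-response>
      <set-status code="200" reason="OK" />
      <set-header name="Content-Type" exists-action="override">
        <value>application/json</value>
      </set-header>
      <!-- Constructed sample body for illustration only -->
      <set-body>{"orderId": "ORD-0001", "status": "mocked"}</set-body>
    </return-response>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Because the subscription-key check runs before this policy on a product that requires a subscription, mocked operations still enforce the same access control as the real ones, so the mock can be removed later without changing who is allowed to call the API.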
This is the endpoint that accepts requests and passes them on to the backend. It is where policies are applied to enforce quotas and rate limits, enable response caching, and transform an API on the fly, such as converting XML to JSON.
An example policy might be to throttle the incoming requests by limiting the number of calls to an API in a given period.
Rate limits protect against short bursts in volume, whereas quotas control the total number of calls over a longer period. These policies are written in XML and can be applied to individual APIs or to products (groups of APIs).
Policy Example
The following policies restrict a single client IP address to only 10 calls every minute, with a total of 1,000,000 calls and 10,000 kb of bandwidth per month.
<rate-limit-by-key calls="10"
renewal-period="60"
counter-key="@(context.Request.IpAddress)" />
<quota-by-key calls="1000000"
bandwidth="10000"
renewal-period="2629800"
counter-key="@(context.Request.IpAddress)" />
The admin tools (Azure Portal, PowerShell, Azure CLI) are how you set up, import and manage your APIs. You can define an API manually or import one that conforms to the OpenAPI spec (much easier). It is very flexible: you can link to any REST or SOAP endpoint, which is straightforward if there is an associated Swagger definition; otherwise it is exposed as a ‘pass-through’ API. Built-in support is available for Azure Functions and Logic Apps, making it really simple to publish these.
The admin tools are also where you manage users and view analytical data. User management, access policies and subscriptions can all be administered here.
Securing APIs can be done in a number of ways. I mentioned subscriptions: these allow developers to sign up and request a subscription key, which is then required to access the protected API.
Client certificates are also supported and can be validated using policies to restrict access. In addition, you can secure your backend API using OAuth 2.0 authorisation with Azure Active Directory. There are many options available, and time should be taken to carefully understand the security requirements so that the best option, or combination of options, is chosen to provide adequate security for any published APIs.
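As an added example (not code from the original post), the following policy document combines the controls discussed in this section and in the rate-limiting section above: it rejects calls without a valid Azure AD bearer token, requires the caller to present a client certificate that verifies, throttles per subscription key rather than per source IP, and strips the subscription key before the request reaches the backend. The tenant ID, audience and role value are placeholders that must be replaced with your own; the policy assumes the API is attached to a product that requires a subscription, so that context.Subscription is always populated.

```xml
<policies>
  <inbound>
    <base />
    <!-- Reject calls whose Authorization header is missing or carries an invalid Azure AD token.
         Tenant, audience and role values are placeholders, not real identifiers. -->
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                  require-scheme="Bearer">
      <openid-config url="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://BACKEND-APP-ID-PLACEHOLDER</audience>
      </audiences>
      <required-claims>
        <claim name="roles" match="any">
          <value>Orders.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- Require a client certificate that chains to a trusted issuer; reject otherwise -->
    <choose>
      <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify())">
        <return-response>
          <set-status code="403" reason="Invalid client certificate" />
        </return-response>
      </when>
    </choose>
    <!-- Same limits as the example above, but keyed on the subscription key so that
         separate callers behind one NAT address are not counted together, and one caller
         cannot evade the limit by changing source address -->
    <rate-limit-by-key calls="10" renewal-period="60"
                       counter-key="@(context.Subscription.Key)" />
    <quota-by-key calls="1000000" bandwidth="10000" renewal-period="2629800"
                  counter-key="@(context.Subscription.Key)" />
    <!-- The subscription key is a gateway secret; do not forward it to the backend -->
    <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
    <!-- Remove a header that reveals the backend's technology stack -->
    <set-header name="X-Powered-By" exists-action="delete" />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

The ordering matters: authentication checks run first so that unauthenticated callers cannot consume another subscriber's rate-limit or quota allowance, and the counter key is something the caller cannot spoof (the subscription key, or equally a validated JWT claim), unlike the source IP used in the simpler example above.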
The Azure Portal provides useful insights for monitoring.
As it’s a managed service, uptime is guaranteed at 99.95% for Basic, Standard and Consumption tiers. This can be increased to 99.99% by scaling across 2 or more Azure regions. Autoscaling is supported on Standard and Premium tiers.
Prices depend on several factors, such as tier and throughput. As with any cloud service, care should be taken to ensure costs are fully understood upfront and that any trade-offs are clearly defined, both to avoid a large unexpected bill and to ensure the cost-benefit of the service is favourable against alternatives.