What does API Management (APIM) provide?
- core functionality to ensure a successful API program through dev engagement, business insights, analytics, security and protection
- devs subscribe to a product that contains an API, then they cna call the APIs operation, subject to any usage policies that may be in effect
What is APIM made up of?
- API gateway, management plane and a dev portal
- all azure hosted and fully managed by default
- available in different tiers which vary in capacity and features
What is API gateway?
Endpoint that…
-Accepts API calls and routes them to appropriate backends
- verifies API keys and other credentials presented with requests
- enforces usage quotas and rate limits
- transforms request and responses specified in policy statements
- caches responses to imrpvoe response latency and minimise the load on the backend service
emits logs, metrics and traces for monitoring, reporting and troubleshooting
What is the management plane on APIM, what can we use it for?
Admin interface where you set up your API program and use it to…
- provision and configure API mgmt service settings
- define or import API schema
- package APIs into products
- set up policies like quotas or transformations on the APIs
- get insights from analytics
- manage users
What is the developer portal in terms of APIM?
Auto generated, fully customisable website with the docs of your API where devs can…
- reads docs
- call API via interactive console
- create an account and sub to get API keys
- access analytics on their own usage
- download API definitions
- manage API keys
What are products in APIM?
- How APIs are surfaced to devs
- Have one or more APIs and are configured with a title, description and T&Cs
- can be open or protected
- protected must be subscribed to before they can be used
- sub approval is configured at the product level and can either require admin approval or be auto approved
What are the 3 groups in APIM?
Used to manage visibility of products to devs
- Admins = Manage API mgmt, create APIs and products
- Developers = Authenticated dev p[ortal users that build apps using APIs, can access dev portal
- Guests = unauthenticated dev portal uses, can be granted read-only access so view APIs but not call them
What are developers in APIM?
- represent the user accounts in APIM instance
- can be created or invited to join by admins or can sign up from dev portal
- each dev is a member of one or more groups and can subscribe to the products that grant visibility to those groups
What are policies in APIM?
- collection of statements which in turn contain expressions that are executed sequentially on the request or response of an API
- e.g. format conversion from XML to JSON or call rate limiting to restrict number of incoming calls from a dev
- can be applied at different scopes (global, product, specific API or specific API operation)
What are policy expressions in APIM?
- can be used as attribute values or test values in any of the APIM policies unless the policy says otherwise
- some policies such as “control flow” and “set var” are based on policy expressions
- single C# statement enclosed in a @(expression) or multi statement C# code block enclosed in a @{expression} that returns a value
What does the API gateway manage?
- responsible for proxying API requests, applying policies and collecting telemetry
- decouples client from the services
- sits between clients and services acting as a reverse proxy by routing requests from clients to services
- may also perform cross-cutting tasks such as auth, SSL termination and rate limiting
- if you dont deploy a gateway clients must send requests directly to back-end services
What are the issues with exposing services directly to clients in relation to APIM?
- can lead to complex client code as client has to keep track of multiple endpoints and handle failures in a resilient way
- creates coupling between client and backend
- single operation might require calls to multiple services
- services with public endpoints are a potential attack surgace
what is the managed APIM gateway?
- default component that is deployed in Azure for every APIM instance in every service tier
- all API traffic flows through azure regardless of where backends implementing the APIs are hosted
what is self hosted APIM gateway?
- optional, containerised version of default gateway thats useful for hybrid and multicloud scenarios
- Enables customers with hybrid IT infra to manage APIs hosted on prem and across clouds from a single APIM service in azure
What do APIM policies allow?
- publisher to change the behaviour of the API through config
- applied inside the gateway that sits between the API consumer and the managed API
- Can apply changes to requests and response inside the gateway before passing onto the API/Client
What is an APIM policy defintion?
- XML that describes a sequence of inbound and outbound statements
<policies>
<inbound>statements to be applied to request go here</inbound>
<backend>statements to be applied before the request is forwarded to backend go here</backend>
<outbound>statements to be applied to the response go here</outbound>
<on-error>statements to be applied if theres an error go here</on-error>
</policies>
what is the context var in terms of policy expressions in APIM?
- each expression has access to the var and an allowed subnet of the .NET framework types
- provides a sophisticated means to control traffic and modify API behaviour without requiring you to write specialised code or modify backend services
Example of a policy statement that adds user data to incoming request
<policies>
<inbound>
<base></base>
<set-header>
<value>@(context.User.Id)</value>
<value>@(context.Deployment.Region)</value>
</set-header>
</inbound>
</policies>
what is the <base></base> tag in policy statement?
- allows for ordering of statements
- anything before that element executes first, then anything after that element executes
What is control flow in APIM policies?
- conditionally applies policy statements based on the results of the evaluation of boolean expressions
- <choose> applies enclosed policy statements based on the outcome of expressions (if-then-else)
</choose>
<choose>
<when>...</choose>
<when>...</choose>
<otherwise>…</otherwise>
</choose>
</when></when></choose>
What is a forward request in APIM policies?
- Forwards the request to the backend service
- backend service URL is specified in the API settings
- policies in the outbound section are evaluated immediately upon the successful completion of the policies in the inbound section
<forward-request></forward-request>
What is the limit concurrency tag in APIM policies?
- Prevents enclosed policies from executing by more than the specified number of requests at a time
- when requests exceed the limit they fail with 429 too many requests
<limit-concurrency>…</limit-concurrency>
What is the log to event hub tag in APIM policies?
- sends msgs in the specified format to an event hub defined by a logger entity
- used to save selected requests or response context info for online or offline access
<log-to-event-hub>Expression returning a string to be logged</log-to-event-hub>
What is the mock response tag in APIM policies?
- Aborts pipeline execution and returns a mock response directly to the caller
- prefers response content example whenever available
- Generates sample responses from schemas when provided and examples if no schemas
<mock-response></mock-response>
-
Explore Azure App Service25
-
Configure Web App Settings19
-
Scale Apps in Azure App Service17
-
Deployment Slots19
-
Explore Azure Functions23
-
Develop Azure Functions13
-
Explore Azure Blob Storage22
-
Manage Azure Blob Lifecycle14
-
Work with Azure Blob Storage11
-
Explore Cosmos DB33
-
Work with Azure Cosmos DB29
-
Manage Container Images in Azure Container Registry18
-
Run Container Images in Container Instances16
-
Implement Azure Container Apps30
-
Explore Microsoft Identity Platform20
-
Authentication By MSAL16
-
Implement User Auth17
-
Explore MS Graph20
-
Implement Azure Key Vault12
-
Implement Managed Identities19
-
Implement Azure App Configuration19
-
Explore API Management26
-
Secure APIs14
-
Explore Azure Event Grid30
-
Explore Azure Event Hubs15
-
Azure Message Queues20
-
Monitor App Performance15
