API Management in Azure Cheatsheets

By Saeed Salehi

5 min read

Authors

Part of series

Developing Solutions for Microsoft Azure (AZ-204) certification exam Cheatsheets

  1. Part 1:

    Introduction to (AZ-204) certification exam Cheatsheets

  2. Part 2:

    Implement IaaS in Azure Cheatsheets

  3. Part 3:

    Azure Functions Cheatsheets

  4. Part 4:

    Azure App Service Cheatsheets

  5. Part 5:

    Develop solutions that use Blob storage Cheatsheets

  6. Part 6:

    Develop solutions that use Azure Cosmos DB Cheatsheets

  7. Part 7:

    Implement Azure Security Cheatsheet

  8. Part 8:

    Microsoft Identity platform Cheatsheet

  9. Part 9:

    Monitoring And logging in Azure Cheatsheets

  10. Part 10:

    Azure Cache for Redis Cheatsheets

  11. Part 11:

    Develop message-based solutions Cheatsheets

  12. Part 12:

    Develop event-based solutions Cheatsheets

  13. Part 13:

    API Management in Azure Cheatsheets

API Management helps organizations publish APIs to external.

Components

  • API gateway

    • Accepts API calls and routes them to your backend(s).
    • Verifies API keys, JWT tokens, certificates, and other credentials.
    • Enforces usage quotas and rate limits.
    • Transforms your API on the fly without code modifications.
    • Caches backend responses where set up.
    • Logs call metadata for analytics purposes.

  • Azure portal: administrative interface

    • Define or import API schema.
    • Package APIs into products.
    • Set up policies like quotas or transformations on the APIs.
    • Get insights from analytics.
    • Manage users.

  • Developer portal:

    • Read API documentation.
    • Try out an API via the interactive console.
    • Create an account and subscribe to get API keys.
    • Access analytics on their own usage.

Products:

  • Open
  • Protected (must be subscribed to before they can be used)

Groups:

  • Administrators: Azure subscription administrators , manage API Management service instances
  • Developers: Authenticated developer portal users,the customers that build applications using your APIs
  • Guests: Unauthenticated developer portal users,can be granted certain read-only access, such as the ability to view APIs but not call them

API gateways

  • Gateway routing: reverse proxy to route requests to one or more backend services using layer 7 routing.
  • Gateway aggregation: Use the gateway to aggregate multiple individual requests into a single request. This pattern applies when a single operation requires calls to multiple backend services
  • Gateway Offloading: Use the gateway to offload functionality from individual services to the gateway, like SSL termination, Authentication, IP allow/block list, Client rate limiting (throttling), Logging and monitoring, Response caching, GZIP compression, Servicing static content

API Management policies

collection of Statements that are executed sequentially on the request or response of an API. simple XML document

inbound, backend, outbound, and on-error

<policies>
  <inbound>
    <!-- statements to be applied to the request go here -->
  </inbound>
  <backend>
    <!-- statements to be applied before the request is forwarded to
         the backend service go here -->
  </backend>
  <outbound>
    <!-- statements to be applied to the response go here -->
  </outbound>
  <on-error>
    <!-- statements to be applied if there is an error condition go here -->
  </on-error>
</policies>

Filter response content

  • Control flow - Conditionally applies policy statements based on the results of the evaluation of Boolean expressions.
  • Forward request - Forwards the request to the backend service. Limit concurrency - Prevents enclosed policies from executing by more than the specified number of requests at a time.
  • Log to Event Hub - Sends messages in the specified format to an Event Hub defined by a Logger entity.
  • Mock response - Aborts pipeline execution and returns a mocked response directly to the caller.
  • Retry - Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count.

Control Flow (Condition)

<choose>
    <when condition="Boolean expression | Boolean constant">
        <!— one or more policy statements to be applied if the above condition is true  -->
    </when>
    <when condition="Boolean expression | Boolean constant">
        <!— one or more policy statements to be applied if the above condition is true  -->
    </when>
    <otherwise>
        <!— one or more policy statements to be applied if none of the above conditions are true  -->
</otherwise>
</choose>

Forward request

forwards the incoming request to the backend service specified in the request context

<forward-request timeout="time in seconds" follow-redirects="true | false"/>

Limit concurrency

Events enclosed policies from executing by more than the specified number of requests at any time 429 Too Many Requests status code

<limit-concurrency key="expression" max-count="number">
        <!— nested policy statements -->
</limit-concurrency>

Log to Event Hub

saving selected request or response context information

<log-to-eventhub logger-id="id of the logger entity" partition-id="index of the partition where messages are sent" partition-key="value used for partition assignment">
  Expression returning a string to be logged
</log-to-eventhub>

Mock response

Aborts normal pipeline execution and returns a mocked response to the calls

It generates sample responses from schemas, when schemas are provided and examples are not. If neither examples or schemas are found, responses with no content are returned

<mock-response status-code="code" content-type="media type"/>

Retry

The retry policy executes its child policies once and then retries their execution until the retry condition becomes false or retry count is exhausted.

<retry
    condition="boolean expression or literal"
    count="number of retry attempts"
    interval="retry interval in seconds"
    max-interval="maximum retry interval in seconds"
    delta="retry interval delta in seconds"
    first-fast-retry="boolean expression or literal">
        <!-- One or more child policies. No restrictions -->
</retry>

Return response

Aborts pipeline execution and returns either a default or custom response to the caller. Default response is 200 OK with no body

<return-response response-variable-name="existing context variable">
  <set-header/>
  <set-body/>
  <set-status/>
</return-response>

:

Secure APIs

  • subscription keys

    A subscription key is a unique auto-generated key that can be passed through in the headers of the client request or as a query string parameter

    subscription scopes are:

    • All APIs
    • Single API
    • Product

    Every subscription has two keys, a primary and a secondary. Having two keys makes it easier when you do need to regenerate a key

  • OAuth2.0

  • Client certificates

  • IP allow listing

Call an API with the subscription key

must include a valid key in all HTTP request

The default header name is Ocp-Apim-Subscription-Key, and the default query string is subscription-key.

Authentication policies

  • Authenticate with Basic: This policy effectively sets the HTTP Authorization header to the value corresponding to the credentials provided in the policy
  • Authenticate with client certificate: The certificate needs to be installed into API Management first and is identified by its thumbprint or certificate ID (resource name).

Authenticate with managed identity - This policy essentially uses the managed identity to obtain an access token from Azure Active Directory

Secure APIs by using certificates

inspect the certificate contained within the client request and check for properties like:

  • Certificate Authority (CA)
  • Thumbprint
  • Subject
  • Expiration Date

two common ways to verify a certificate::

  • Check who issued the certificate
  • self-signed certificates (If the certificate is issued by the partner, verify that it came from them. )

In the Consumption tier, you must explicitly enable the use of client certificate

inbound processing policy

Check the thumbprint of a client certificate

<choose>
   <when condition="@(context.Request.Certificate == null || context.Request.Certificate.Thumbprint != "desired-thumbprint")" >
       <return-response>
           <set-status code="403" reason="Invalid client certificate" />
       </return-response>
   </when>
</choose>

Check the thumbprint against certificates uploaded to API Management

Usually, each customer or partner company would pass a different certificate with a different thumbprint

Client certificates page in the Azure portal to upload them to the API Management resource

<choose>
    <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify()  || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))" >
        <return-response>
            <set-status code="403" reason="Invalid client certificate" />
        </return-response>
    </when>
</choose>

Create a backend API

Create APIM instance

az apim create -n $myApiName \
    --location $myLocation \
    --publisher-email $myEmail  \
    --resource-group az204-apim-rg \
    --publisher-name AZ204-APIM-Exercise \
    --sku-name Consumptionhk

Upcoming events

  • The Test Automation Meetup

    PLEASE RSVP SO THAT WE KNOW HOW MUCH FOOD WE WILL NEED Test automation is a cornerstone of effective software development. It's about creating robust, predictable test suites that enhance quality and reliability. By diving into automation, you're architecting systems that ensure consistency and catch issues early. This expertise not only improves the development process but also broadens your skillset, making you a more versatile team member. Whether you're a developer looking to enhance your testing skills or a QA professional aiming to dive deeper into automation, RSVP for an evening of learning, delicious food, and the fusion of coding and quality assurance! 🚀🚀 18:00 – 🚪 Doors open to the public 18:15 – 🍕 Let’s eat 19:00 – 📢 First round of Talks 19:45 – 🍹 Small break 20:00 – 📢 Second round of Talks 20:45 – 🍻 Drinks 21:00 – 🙋‍♀️ See you next time? First Round of Talks: The Power of Cross-browser Component Testing - Clarke Verdel, SR. Front-end Developer at iO How can you use Component Testing to ensure consistency cross-browser? Second Round of Talks: Omg who wrote this **** code!? - Erwin Heitzman, SR. Test Automation Engineer at Rabobank How can tests help you and your team? Beyond the Unit Test - Christian Würthner, SR. Android Developer at iO How can you do advanced automated testing for, for instance, biometrics? RSVP now to secure your spot, and let's explore the fascinating world of test automation together!

    | Coven of Wisdom - Amsterdam

    Go to page for The Test Automation Meetup

  • Coven of Wisdom - Herentals - Winter `24 edition

    Worstelen jij en je team met automated testing en performance? Kom naar onze meetup waar ervaren sprekers hun inzichten en ervaringen delen over het bouwen van robuuste en efficiënte applicaties. Schrijf je in voor een avond vol kennis, heerlijk eten en een mix van creativiteit en technologie! 🚀 18:00 – 🚪 Deuren open 18:15 – 🍕 Food & drinks 19:00 – 📢 Talk 1 20:00 – 🍹 Kleine pauze 20:15 – 📢 Talk 2 21:00 – 🙋‍♀️ Drinks 22:00 – 🍻 Tot de volgende keer? Tijdens deze meetup gaan we dieper in op automated testing en performance. Onze sprekers delen heel wat praktische inzichten en ervaringen. Ze vertellen je hoe je effectieve geautomatiseerde tests kunt schrijven en onderhouden, en hoe je de prestaties van je applicatie kunt optimaliseren. Houd onze updates in de gaten voor meer informatie over de sprekers en hun specifieke onderwerpen. Over iO Wij zijn iO: een groeiend team van experts die end-to-end-diensten aanbieden voor communicatie en digitale transformatie. We denken groot en werken lokaal. Aan strategie, creatie, content, marketing en technologie. In nauwe samenwerking met onze klanten om hun merken te versterken, hun digitale systemen te verbeteren en hun toekomstbestendige groei veilig te stellen. We helpen klanten niet alleen hun zakelijke doelen te bereiken. Samen verkennen en benutten we de eindeloze mogelijkheden die markten in constante verandering bieden. De springplank voor die visie is talent. Onze campus is onze broedplaats voor innovatie, die een omgeving creëert die talent de ruimte en stimulans geeft die het nodig heeft om te ontkiemen, te ontwikkelen en te floreren. Want werken aan de infinite opportunities van morgen, dat doen we vandaag.

    | Coven of Wisdom Herentals

    Go to page for Coven of Wisdom - Herentals - Winter `24 edition

  • Mastering Event-Driven Design

    PLEASE RSVP SO THAT WE KNOW HOW MUCH FOOD WE WILL NEED Are you and your team struggling with event-driven microservices? Join us for a meetup with Mehmet Akif Tütüncü, a senior software engineer, who has given multiple great talks so far and Allard Buijze founder of CTO and founder of AxonIQ, who built the fundaments of the Axon Framework. RSVP for an evening of learning, delicious food, and the fusion of creativity and tech! 🚀 18:00 – 🚪 Doors open to the public 18:15 – 🍕 Let’s eat 19:00 – 📢 Getting Your Axe On Event Sourcing with Axon Framework 20:00 – 🍹 Small break 20:15 – 📢 Event-Driven Microservices - Beyond the Fairy Tale 21:00 – 🙋‍♀️ drinks 22:00 – 🍻 See you next time? Details: Getting Your Axe On - Event Sourcing with Axon Framework In this presentation, we will explore the basics of event-driven architecture using Axon Framework. We'll start by explaining key concepts such as Event Sourcing and Command Query Responsibility Segregation (CQRS), and how they can improve the scalability and maintainability of modern applications. You will learn what Axon Framework is, how it simplifies implementing these patterns, and see hands-on examples of setting up a project with Axon Framework and Spring Boot. Whether you are new to these concepts or looking to understand them more, this session will provide practical insights and tools to help you build resilient and efficient applications. Event-Driven Microservices - Beyond the Fairy Tale Our applications need to be faster, better, bigger, smarter, and more enjoyable to meet our demanding end-users needs. In recent years, the way we build, run, and operate our software has changed significantly. We use scalable platforms to deploy and manage our applications. Instead of big monolithic deployment applications, we now deploy small, functionally consistent components as microservices. Problem. Solved. Right? Unfortunately, for most of us, microservices, and especially their event-driven variants, do not deliver on the beautiful, fairy-tale-like promises that surround them.In this session, Allard will share a different take on microservices. We will see that not much has changed in how we build software, which is why so many “microservices projects” fail nowadays. What lessons can we learn from concepts like DDD, CQRS, and Event Sourcing to help manage the complexity of our systems? He will also show how message-driven communication allows us to focus on finding the boundaries of functionally cohesive components, which we can evolve into microservices should the need arise.

    | Coven of Wisdom - Utrecht

    Go to page for Mastering Event-Driven Design

Share

Jobs

Senior Web Developer

Sofia, Sofia, Bulgarije

.Net Developer

Antwerpen, Vlaams Gewest, België

.Net Backend Developer / Software Engineer

Amsterdam, Noord-Holland, Nederland

Lead Developer

Utrecht, Utrecht, Nederland

View all jobs