Azure API Management Introduction
An APIM layer sits between clients and APIs(services). It acts as a reverse proxy, routing requests from clients to services. It may also perform various cross-cutting tasks such as authentication, SSL (Secure Socket Layer) termination, and rate-limiting. Clients must send requests directly to back-end services if you do not deploy a gateway. However, there are some potential problems with exposing services directly to clients:
- It creates a coupling between the client and the backend. The client needs to know how the individual services are decomposed. That makes it harder to maintain the client and harder to refactor services.
- Each public-facing service must handle authentication, SSL, and client rate-limiting concerns.
- Services with public endpoints are a potential attack surface and must be hardened.
A gateway helps to address these issues by decoupling clients from services. Gateways can perform several different functions, and you may not need all of them. The functions can be grouped into the following design patterns:
- Gateway Routing. Use the gateway as a reverse proxy to route requests to one or more backend services, using layer 7 routings. The gateway provides a single endpoint for clients and helps to decouple clients from services.
- Gateway Offloading. Use the gateway to offload functionality from individual services to the gateway, particularly cross-cutting concerns. It can be useful to consolidate these functions into one place, rather than making every service responsible for implementing them. This is particularly true for features that require specialized skills to execute correctly, such as authentication and authorization.
Benefits of a Shared Service Model
- Centralized Governance: Ensures consistent API design, security, and management practices.
- Reduced Redundancy: Eliminates the need for individual teams to set up and manage their own APIM instances.
- Expertise and Efficiency: Leverages the knowledge and skills of the central APIM team for optimal service delivery.
Azure API management technical design
APIM Landing Zone
APIM (Azure API Management) is a service on the Microsoft Azure platform that enables organizations to publish, secure, and manage APIs. An Azure Landing Zone in the context of APIM refers to the initial setup or configuration of Azure resources such as APIM instances and application instances required to host and manage APIs using APIM. APIM will be deployed to a dedicated subscription to enable the shared services/implementation. Each resource group will have resources dedicated to APIM such as Application insight, storage, and Key vault. The Production instance would use a Premium or Standard V2 instance and Non-Production would use Developer editions. Every environment will have a dedicated APIM instance.
An APIM instance should be deployed for each environment, containing APIs only for that environment, for the following reasons :
- Placing APIs for different environments into one Azure API Management Service resource makes it hard to automate the deployment of an API across environments.
- Consequently, a lot of manual changes would have to be done, each time a new version of an API is generated. This takes a lot of time and is error-prone.
- The best Practice is to have security boundaries per environment, so access to production is not permitted for developers and testers.
- Changes in one environment should not impact other environments, for example during load testing etc.
When exposing APIs to the outside world, you usually do not want consumers to connect to your APIs using the default APIM gateway URL (like https://apim-%5Bcustomer%5D-%5Bproject%5D-common-dev.azure-api.net), but you want to expose your APIs using a custom domain. If you use the Application gateway, then the application gateway will have the custom domain name.
The following APIM Instances will be deployed with the following configuration.
| APIM Instance | DNS Name | APIM Plan | Subscription |
| EU-Dev01 | api-dev01.weu.ais.com | DEV | ais-Corp-APIM-DT-EU-001 |
| EU-TST01 | api-tst01.weu.ais.com | DEV | ais-Corp-APIM-DT-EU-001 |
| EU-ACC01 | api-acc01.weu.ais.com | Premium/Standard V2 | ais-Corp-APIM-ACC-EU-001 |
| EU-PRD | api-prd.weu.ais.com | Premium/Standard V2 | ais-Corp-APIM-PRD-EU-001 |
* APIM V2 is in GA : https://azure.microsoft.com/en-us/updates/announcing-general-availability-of-azure-api-management-basic-v2-and-standard-v2-tiers
Networking
There are two possible deployments of APIM within the VNET. The first and recommended option is to deploy the APIM in private mode (premium) and in a VNET. The second option could be to deploy APIM in public mode (APIM V2 standard) with outbound VNET integration to backend APIs.
Recommended Option: Use a premium tier of APIM in private mode and Setup an Application Gateway and WAF in front of APIM
Consider using a premium instance (connected to a VNet) for both acceptance and production, using the application gateway (and WAF) to bridge the gap between public internet and private internet. To protect critical Web/HTTP APIs configure API Management within a Virtual Network (Vnet) in internal mode and configure an Azure Application Gateway (using WAF), due to the following reasons
- It is a Microsoft best practice and in line with the API Management Cloud Adoption Framework design guidelines.
- The API Management service is not a Web Application Firewall. Deploy a WAF such as Azure Application Gateway in front for additional layers of protection (in the connectivity management group).
- Only APIM Premium offers zone redundancy and offers network isolation using VNets.
- When deploying APIM in a VNet (only Premium / Developer tiers), an Application Gateway using WAF in front of APIM is required to transform traffic from public internet to private (internal VNet) traffic and secure incoming requests using the WAF features
- Using the WAF features, you are protected from malicious attacks that exploit commonly known vulnerabilities
- You will be protected from DDoS attacks
Option 2: Use an APIM standard v2 in public mode and secure backends within a VNET
APIM Standard V2 supports Outbound VNet integration. Outbound VNet integration allows your API Management instance to reach API backends isolated in a VNet. The API Management gateway, management plane, and developer portal remain publicly accessible online.
Azure API Management Development Guidelines
APIM Definition Guidelines
Follow the below APIM definition guidelines
- API Naming Conventions: APIs should follow a consistent naming convention that reflects the owning service and its purpose (e.g., CustName-D365FO-Finance or CustName-D365CE-Customer).
- Resource Naming Convention: API endpoints returning collections of resources should always use plural nouns for consistency and clarity in understanding the endpoint’s purpose.
- Enforce HTTPS: Ensure that all APIs are accessible only over HTTPS by enforcing this protocol through Azure Policy within Azure API Management. This enhances security and data integrity.
- API Versioning: Adopt a versioning strategy for APIs from the outset, beginning with version 1. This allows for future updates and changes without disrupting existing consumers.
- Secure Data Handling: Utilize Azure Key Vault to securely store sensitive data such as credentials, keys, and secrets, ensuring their protection from unauthorized access.
- Simplicity in Policies: Refrain from embedding complex business logic or orchestration within API Management policies. Keep policies simple and focused on tasks like authentication, authorization, and transformation.
- Reusable Policy Fragments: Encapsulate common policy configurations into reusable fragments, promoting modularity and efficiency in policy management. This approach enhances maintainability and reduces redundancy.
- Authentication for API Consumers: Require both OAuth tokens and subscription keys for authentication when consuming APIs. This dual-layered approach enhances security by adding an additional layer of protection.
- Secure Backend Connections: Implement a secure authentication mechanism for outbound connections from API Management to backend APIs.
- Whenever feasible, leverage Azure Managed Identity for API Management to streamline authentication and improve security posture.
- Standard APIM V2 plan supports VNET integration for backends. This means you can ensure that all the backends are placed within a VNET.
Enable the Developer portal for APIM
APIM Developer Portal serves as a gateway for developers to explore, understand, and consume APIs offered by an organization. The portal can be used as a Comprehensive API Documentation. It offers documentation for each API, including detailed descriptions, usage instructions, request and response examples, supported parameters, error codes, and authentication requirements. It enables developers to experiment with APIs directly within the Developer Portal by integrating interactive API. This allows developers to test API endpoints, submit requests, and view real-time responses, facilitating faster prototyping and debugging.
Use Named Values for Secrets
Never hard-code secrets like connection strings or passwords in your policy expressions. Instead, use Named Values. Using Named Values for Secrets in Azure API Management (APIM) allows you to securely store and manage sensitive information such as API keys, passwords, or connection strings. Named Values act as placeholders for these secrets within your API Management configuration.
Tagging
Tagging will be used to uniquely identify the APIs in the APIM. The following Tags can be used for APIs.
| Tag | Description | Value |
| Environment | DTAP | T |
| AppName | Application or Component Name | AIS |
| Owner | Owner of the API | AzureInt |
| Department | BU/Department | IT |
| CostCenter | Cost Center | Corporate IT |
| Vendor | Vendor/ISV | AISCons |
| IDD | IDD Number | IDD-09 |
Group APIs into Products
The “Products” functionality within an API Management system offers a method for organizing and controlling access to APIs by grouping them logically. By structuring APIs into products, you can manage how users interact with your API ecosystem.
By structuring APIs into products, you not only streamline access management but also enhance security and scalability. Each product can have its own set of usage limits, authentication requirements, and policies, providing flexibility to cater to diverse business objectives (such as Data APIs).
Security
Security is crucial to safeguard APIs, data, and backend systems. Several key features and practices contribute to securing APIs within APIM:
- Token Validation:
- APIM supports various authentication mechanisms, including OAuth 2.0, API keys, and JWT tokens.
- Token validation ensures that incoming requests are accompanied by valid authentication tokens before granting access to APIs.
- JWT token validation involves verifying the token’s signature, expiration, and issuer against predefined policies.
- Subscription Key:
- APIM issues subscription keys to developers or applications upon subscription to APIs.These keys act as unique identifiers and are included in API requests to authenticate and authorize access.
- Virtual Network (VNET):
- By leveraging the outbound VNET feature, APIM can communicate securely with backend services deployed within a virtual network.
- VNET integration enhances security by enforcing network isolation and enabling private connectivity with backend systems.
- Securing Backends with Managed Identity:
- Managed identities provide an identity for services running on Azure, eliminating the need to store credentials in code or configuration files.
- APIM can leverage managed identities to securely access backend services without exposing sensitive credentials.
- By assigning a managed identity to APIM, it can authenticate itself to backend services using Azure Active Directory (AAD) authentication.
- Subscription keys can be scoped to specific APIs, products, or usage tiers, enabling fine-grained access control.
Implementing these security measures collectively enhances the overall security posture of API Management, safeguarding APIs, data, and backend systems from unauthorized access, data breaches, and other security threats.
Microsoft security baseline for APIM has been mentioned here
Release management
Storing ARM templates in source control (Azure DevOps) allows you to quickly and consistently deploy APIs from one environment to another, in a similar fashion as other Azure resources. While manually creating APIs together for different environments is error-prone and takes a lot of time. By using the Azure API Management DevOps Resource Kit, these ARM templates can be generated quickly without manual intervention and without an API developer having in-depth knowledge of ARM templates. The Extractor tool that is part of this Resource Kit is the fastest way to get started. A developer can do all configuration through the Azure Portal, and once done the Extractor tool can be used by the developer the generate the ARM templates.
When you place APIs for different environments into one Azure API Management Service resource, it is nearly impossible to automate the deployment of an API across environments. Both tools in the Resource Kit do not allow the parameterization of the name or path of an API. Consequently, a lot of manual changes would have to be done, each time a new version of an API is generated. This takes a lot of time and is error-prone.
So the following design principle must be used for APIM release management
- Use ARM templates to deploy APIs from one environment to another, and store these templates in source control.
- Use the Azure API Management DevOps Resource Kit to either extract ARM templates from a Development environment or to create ARM templates from an OpenAPI Specification.
- Use either the Extractor or Creator tool from the Resource Kit, depending on your scenario.
- When knowledge of OpenAPI Specification and ARM templates is limited, import the OpenAPI Specification into the Development environment and use the Extractor tool to generate the ARM templates.
- Use an Azure API Management Service resource per environment, containing APIs only for that environment.
In the above approach, there are two deployment environments: Development and Production, and each has its own API Management instance. The developer version will be a Free Developer version. API developers have access to the Development instance and can use it for developing and testing their APIs. The Production instance is managed by a designated APIM team (called the API publishers).
The key in this proposed approach is to keep all API Management configurations in Azure Resource Manager templates. These templates should be kept in a source control system(Azure DevOps Git). As illustrated in the picture, there is a Publisher repository that contains all configurations of the Production API Management instance in a collection of templates.
- Service template: contains all the service-level configurations of the API Management instance (e.g., pricing tier and custom domains).
- Shared templates: contain shared resources throughout an API Management instance (e.g., groups, products, loggers).
- API templates: include configurations of APIs and their sub-resources (e.g., operations, policies, diagnostics settings).
- Master template: ties everything together by linking to all templates and deploying them in order. If we want to deploy all configurations to an API Management instance, we can just deploy the master template. Meanwhile, each template can also be deployed individually.
API developers will fork the publisher repository to a developer repository and work on the changes for their APIs. In most cases, they will focus on the API templates for their APIs and do not need to change the shared or service templates.
Once API developers have finished developing and testing an API, and have generated the API template, they can submit a pull request to merge the changes to the publisher repository. API publishers can validate the pull request and make sure the changes are safe and compliant. For example, they can check if only HTTPS is allowed to communicate with the API. Most of these validations can be automated as a step in the CI/CD pipeline. Once the changes are approved and merged successfully, API publishers can choose to deploy them to the Production instance either on schedule or on demand. The deployment of the templates will be automated using Azure Pipeline.
With this approach, the deployment of API changes into API Management instances can be automated and it is easy to promote changes from one environment to another. Since different API development teams will be working on different sets of API templates and files, it prevents interference between different teams.
Monitoring
Monitoring Azure API Management services is essential for identifying issues and proactively addressing them. The following settings help APIM monitoring:
- Enable Diagnostic Logs: Capture detailed information about requests, responses, errors, and events to troubleshoot issues and analyze traffic patterns.
- Monitor Backend Health: Configure health probes to check backend services periodically and take corrective actions if needed.
- Enable Application Insights: Gain deeper insights into API usage, performance, and errors by integrating Application Insights with your APIM service.
- Create Alerts: Set up alerts to notify you when predefined thresholds are exceeded, allowing quick issue resolution before significant impact.
- Implement Security Monitoring: Monitor security metrics and events to detect and prevent potential threats or vulnerabilities.
By following these practices, you can effectively monitor Azure API Management services, identify issues promptly, and ensure API reliability.
Governance
Central Team Responsibilities:
A central team will be responsible for deploying, managing, and monitoring the APIM instance, ensuring consistent and secure access to APIs across the organization. This team is entrusted with the following accountabilities:
Deployment and Lifecycle Management:
- Provisioning and configuring API Management instances with settings aligned with Customer’s standards and requirements.
- Implementing deployment pipelines and automation workflows for deployment and updates of APIs using Azure DevOps.
- Deploying and updating APIs based on approved change requests.
- Monitoring API health and performance metrics to ensure the reliability and availability of the APIs.
- Timely application of security patches and updates to the APIM service, in alignment with Customer’s security policies and industry best practices.
Governance and Compliance:
- Enforcing adherence to Customer’s API standards, policies, and guidelines across all APIs hosted within the APIM service.
- Define and enforce API design standards (e.g., Swagger/OpenAPI specification) for consistency and ease of integration.
- Implementing access controls and role-based permissions to restrict unauthorized access to sensitive API data and configurations.
- Periodic reporting on API usage, performance, and outage reports with Customers..
- Maintain a centralized inventory of all APIs exposed through the APIM service.
Onboarding Process for New APIs
- API Proposal and Approval:
- API owners submit a formal proposal outlining the API details (purpose, target audience, functionalities).
- The central APIM team reviews the proposal against governance guidelines and approves/rejects it.
- API Design and Development:
- API owners develop the API adhering to the defined standards and security best practices.
- The central APIM team can provide consultation and support during API development.
- API Definition and Documentation:
- API owners provide a complete API definition (e.g., Swagger/OpenAPI specification) for integration with APIM.
- API owners develop comprehensive API documentation covering functionalities, usage instructions, and error codes.
- API Testing and Staging:
- API owners conduct thorough testing of the API functionality and performance.
- A non-prod environment within APIM can be utilized for testing and validation before production deployment.
- Deployment and Monitoring:
- The central APIM team deploys the approved API into the production environment.
- The central APIM team monitors the deployed API for functionality, performance, and security issues.
Set up Workspaces
The use of an APIM workspace centralizes the management and configuration of APIs, policies, and security features within a dedicated environment. It provides a unified platform for developers and administrators to define, deploy, and monitor APIs securely. Additionally, the APIM workspace enables seamless integration with other Azure services, such as Azure Monitor for logging and analytics, Azure Key Vault for secure key management, and Azure Active Directory for identity and access management. By leveraging the capabilities of the APIM workspace, organizations can ensure consistent security practices across their API ecosystem while benefiting from centralized governance and operational efficiencies.
Cost Management
Azure API Management offers several pricing tiers tailored to different use cases: Consumption, Basic, Standard V2, and Premium. Each tier offers varying features and scalability options.
We recommend the Premium tier due to its robust capabilities, including advanced security features and extensive network isolation options. However, after weighing the Customer’s requirements against the associated costs, we determined that the Standard V2 tier balances functionality and affordability.
One key advantage of the Standard V2 tier is its support for outbound Virtual Network (VNet) connectivity. This feature allows the Customer to integrate its API management solution with its existing network infrastructure, ensuring secure and efficient communication between services.
The following are the cost indications(in Euro)
Developer Edition cost (DevTest)
| Component | Pricing | Remarks |
| APIM Dev Edition | 44 | 200 hours of usage |
| Azure Key vault | 7 | Shared cost with Integration |
| Azure Monitor | 52 | Shared cost with Integration |
Standard V2 (ACC01, PROD)
| Component | Pricing | Remarks |
| APIM Standard V2 Edition | 725 | It includes the cost of workspaces |
| Azure Key vault | 12.84 | |
| Azure Log analytics | 175 |
Conclusion
Implementing Azure API Management in a shared services model offers numerous benefits, including centralized governance, reduced redundancy, and enhanced security. Organizations can ensure reliable and secure API management by following best practices in technical design, development, security, release management, monitoring, and governance. Leveraging Azure DevOps and the APIM DevOps Resource Kit further streamlines the deployment and management process, promoting efficiency and consistency across environments.
- The Integration Gap: Why 95% of Enterprise AI Projects Fail and How Azure Integration Services Solves It
- Microsoft Copilot Studio vs Azure AI Studio: A Feature Overview
- Leveraging Azure OpenAI and Cognitive Search for Enterprise AI Applications
- Logging and Monitoring strategy for Azure Integration Components using OpenAI
- Deploying Azure Logic Apps: PaaS vs. App Service Environment (ASE)
- Triggering a YAML Pipeline in Azure DevOps Automatically After Another Pipeline Completes
Azure Integration services 