Getting Started with API Management in Azure [APIM]
This article will cover how to set up API Management (APIM) in Azure involves creating the APIM service, configuring network settings, and handling authentication. Start by creating an APIM service in the Azure Portal, integrating Application Insights for monitoring. Manage authentication and authorization with Azure AD by registering the application, creating app roles, and assigning users. Finally add inbound policies for authorization.
1. Create APIM Service
- Go the Azure Portal and click on create resource.
- Search for API Management and click on create.
- Configure the Application Insight for monitoring and logging.
- None:
The API Management service is not connected to any virtual network.
It is publicly accessible over the internet. - External:
The API Management service is connected to a virtual network and is accessible from the internet through an external IP address.
This setting allows you to expose your APIs to external clients while still leveraging the security and control provided by a virtual network. - Internal:
The API Management service is connected to a virtual network but is only accessible from within that virtual network.
This setting is used to restrict access to the API Management instance to internal clients only, providing enhanced security by preventing internet exposure.
To ensure that your APIs can only be accessed through the API Gateway and are not directly accessible over the internet, you should select the “Internal” option for your API Management instance.
Internal: This setting ensures that your API Management instance is only accessible within the Azure Virtual Network. By doing so, you effectively prevent direct internet access to your APIs. This means that external clients must go through the API Gateway to access your APIs, ensuring that the APIs are only exposed through the controlled and secured gateway.
2. Import and Publish API
- Navigate to the API section from the left side menu.
- Click on the OpenAPI.
- Copy the of the OpenAPI sepecification. If you have swagger, you can get it by appending
v1/swagger.jsonto the api url.
- Fill the details.
- Once you import the OpenAPI Specification, you will see the APIs listed as shown below.
- You can also test the endpoints using the Test menu.
Handle Authentication and Authorization through Azure AD / Entra ID
- Go to the Azure AD.
- Go to the App registration and select New registration.
- Create App roles for App registration. Select allowed member types as Both(Users/Groups and Applications)
- Lets add users and groups to the App Roles.
- Navigate to the overview and select the service principal.
- Go the Users and Groups and select Add user/group.
- Select the user and the created role.
- Go back to the app registartion and select Expose and API. Select Add a scope.
- Add the application ID URI.
- Select Admin and Users for consent option.
If you add two app roles to a user, you will find both roles in the claims when you generate the access token.
- Let’s use Azure CLI to generate the token.
az account get-access-token — resource <application-id-uri>
Add Inbound Policy
- Go to the All APIs -> All operations and select the API. Then go to the design and click on Add policy.
- Add Header Name -> Authorization
- For claims: For values give the app role. and click on the save button.
- Like this we can implement authorization for all operations or specific API endpoint.
Set Up Caching Policies
- Select the API for which you want to enable caching.
- Go to the “Design” tab of the API.
- Click on “All operations” or select a specific operation where you want to add caching.
- Click on “Inbound processing” and then “Add policy”.
- Select the “Cache” policy from the list.
<inbound>
<cache-lookup vary-by-developer="false" vary-by-developer-groups="false" vary-by-headers="" vary-by-query-parameters="">
<cache-key>redis-cache-key</cache-key>
<expiration-interval>300</expiration-interval>
<redis>
<connection-string>@(context.Variables["redisConnectionString"])</connection-string>
</redis>
</cache-lookup>
</inbound>Best Practices
1. Secure Your APIs
- Authentication and Authorization: Use Azure AD or other OAuth providers to secure access to your APIs.
- IP Restrictions: Implement IP filtering to restrict access to your APIs from trusted IP addresses only.
- CORS Policy: Configure Cross-Origin Resource Sharing (CORS) to control which domains can access your APIs .
2. Use Virtual Networks
- Connect your APIM instance to a virtual network to ensure internal APIs are not exposed to the internet and can only be accessed through the APIM gateway .
3. Enable Application Insights:
- Integrate Application Insights to monitor and log API usage, performance, and errors. This helps in identifying and troubleshooting issues quickly .
4. Implement Rate Limiting and Throttling
- Use rate limiting and throttling policies to control the number of API requests from clients. This prevents abuse and ensures fair usage of your APIs .
5. Version Your APIs
Implement API versioning to manage changes and ensure backward compatibility. This allows clients to continue using the older versions of APIs while new versions are developed and deployed .
6. Use API Policies for Customization
- Leverage API Management policies to implement custom behaviors such as caching, transformations, and format conversions without changing the backend service .
7. Automate Deployments
- Use infrastructure as code (IaC) tools like Azure Resource Manager (ARM) templates, Terraform, or Azure CLI scripts to automate the deployment and management of your API Management service .
8. Monitor and Analyze API Usage
- Regularly monitor API usage metrics and analyze traffic patterns to optimize performance and identify potential issues. Use built-in analytics and logging features in APIM .
