ABCs of Azure API Management…

APIs are the common denominator of digital transformation, and most applications run on APIs, so what makes a good API Manager and how do you get the best out of it? Forrester Wave defines a good API Manager by the completeness of three features:

  • A management portal for the API Product Manager, where pricing, quotas, and usage of the API can be viewed and managed easily
  • A developer portal, where external/internal developers can keep track of the APIs (by API key), create and trace issues, and test the APIs
  • An API Gateway, to secure the communication via access control, quotas and rate limits, versioning, authorization, logging and monitoring

There are more than 20 API management solutions, but our focus will be Azure. In Gartner's quadrant (and also in the Forrester Wave [1]) Azure API Manager is a contender, partly because it supports only Azure: there is no on-prem or outside-of-Azure option, no out-of-the-box support for a fully automated deployment [2], and also no support for API retirement policies.

So, keeping these in mind, if you need simple, secure management for your Azure APIs, API Manager is the right place to start your journey. Let's start!

Why?

As the number of APIs/Functions you maintain increases, you spot a pattern of similar requirements: each one needs throttling, versioning, validation, caching, and logging. Rather than adding these features to each endpoint, you will need a better management solution, possibly a proxy to delegate your workload to. Azure API Manager allows you to handle all of these, and much more, by allowing connectivity to any backend endpoint, either on-prem or on any other cloud. Let's look at each requirement a bit closer.

You can import any OpenAPI, REST/RESTful, or SOAP API into Azure API Manager. On the portal you have living API documentation, ready to be tested, with all revisions and change logs of the APIs. Let's see a couple of features of Azure API Manager.

How does it work?

a. API Gateway (Azure Portal)

The Azure Portal has two roles: the first is to manage the APIs, i.e. define the Products and import the APIs, and the second is the role of the API Gateway.

When you create a new API Manager, you can click APIs on the blade to import from specifications. You can configure your APIs' products to define whether they require a subscription and/or approval.

API Management has around 40 policies, which cover most scenarios for controlling the flow from the end user to your back end. You can define policies in three sections:

  • inbound (from caller to backend)
  • outbound (from backend to the caller)
  • backend (from the inbound request)

You can define them either at product level, which covers all APIs for that product, or at a specific API level. Any policy defined at product level is executed first, then the API level policies are executed.

The inbound section is perfect for input validation, such as IP filtering, which I will show below. When the request successfully reaches the backend section, you can put in policies such as a timeout on the forward-request policy, which calls the backend URL: this is the Web Service URL you gave when you first imported the API. When the response returns through the outbound section, you can set the status code, or use the send-one-way-request policy to handle errors, which I will also show.

Inbound example: 

Part of the API Gateway's responsibility is making sure your APIs are secure. One way of doing this is via throttling. To apply it, you have two choices to make, giving four options:

  • Execution scope: Product level or API level
  • Editor: Form based UI or XML editor

As we mentioned, we can define the policies at product level, which covers all APIs in that group and is the better option if you have a B2B API with a quota on it. However, it does not allow granular management such as a per-end-user limit. This is where key-based throttling is helpful: you may want a rate limit, or a quota limit.

You can define basic policies via the form-based editor. Below is an example of an API-subscription-level rate limit; because All operations is selected, the policy will be applied at product level. We simply select All operations and add an Inbound policy with the number of calls and the renewal period. The counter key is API Subscription because, with the form, we can't get any more granular.


Let's see an API level policy. In the XML editor you are flexible to customize your rule; here the policy checks the caller's IP address to throttle the requests.
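Putting the sections described above together, here is an added policy document (not from the original post) that combines the IP-address throttle from the XML editor with the backend timeout and the send-one-way-request error handling mentioned earlier. The IP range and the webhook URL are constructed placeholders, and the error handling sits in the on-error section, which API Management runs when a policy in any other section fails.

```xml
<policies>
    <inbound>
        <base />
        <!-- Allow only the constructed example range 203.0.113.0/24;
             any other caller is rejected before it reaches the backend -->
        <ip-filter action="allow">
            <address-range from="203.0.113.0" to="203.0.113.255" />
        </ip-filter>
        <!-- Throttle per caller IP address: 10 calls per 60-second window.
             A caller over the limit receives 429 while other IPs are unaffected -->
        <rate-limit-by-key calls="10" renewal-period="60"
            counter-key="@(context.Request.IpAddress)" />
    </inbound>
    <backend>
        <!-- Stop waiting on the Web Service URL after 20 seconds
             instead of holding the client connection open -->
        <forward-request timeout="20" />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <!-- Fire-and-forget notification to an assumed webhook (placeholder URL),
             then return a generic status code so no backend detail leaks -->
        <send-one-way-request mode="new">
            <set-url>https://alerts.example.invalid/apim-errors</set-url>
            <set-method>POST</set-method>
            <set-header name="Content-Type" exists-action="override">
                <value>application/json</value>
            </set-header>
            <set-body>@{
                return new JObject(
                    new JProperty("api", context.Api.Name),
                    new JProperty("error", context.LastError.Message)
                ).ToString();
            }</set-body>
        </send-one-way-request>
        <return-response>
            <set-status code="502" reason="Bad Gateway" />
        </return-response>
    </on-error>
</policies>
```

The policy is pasted into the XML editor of the API (or of a single operation); the `<base />` elements keep any product-level policies running first, as described above.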


b. Publisher Portal

Azure's management portal for API Manager is called the Publisher Portal. The configuration of the APIs is done via the Azure Portal, such as adding new products and defining subscriptions, approvals, and policies. The Publisher Portal allows you to check the usage and health of the APIs, and gives high-level reports.



c. Developer Portal

The developer portal is the place for devs to test their APIs, to see what they have access to, and to create tickets if they have issues with an API. The UI is fully customizable: you can add/remove menu items and content, supported by widgets.

Hope you enjoyed the overall look at Azure API Manager. It is a shame how it was considered in the Forrester Wave report, and thus got lower ratings, but I know companies using it happily in production. Have you (not)? Please do shoot any questions or post any comments you may have.

There is great training material on Pluralsight, MS Docs and Channel9, if you have not gone through it already!

[1] Microsoft did not reference any clients, thus the calculations were based on Forrester’s experience.

[2] There is a git deployment option, but it does not cover all configurations, such as users, subscriptions, and properties. There are also DevOps examples on Azure Samples and a deployment utility on the Haufe-Lexware GitHub page.