Skip to content

Latest commit

 

History

History
352 lines (223 loc) · 6.05 KB

Azure_APIM.md

File metadata and controls

352 lines (223 loc) · 6.05 KB

AZURE APIM

Below is a cleaned-up, structured, and expanded version of your Azure API Management (APIM) notes. I’ve corrected terminology, improved flow, and added missing but commonly expected APIM concepts—especially useful for interviews, design discussions, or senior-level documentation.

Azure API Management (APIM) – Consolidated Notes

1. What is Azure API Management?

Azure API Management (APIM) is a fully managed service that acts as a gateway between API consumers and backend services. It helps organizations publish, secure, monitor, transform, and manage APIs at scale.

2. Major Components of Azure API Management

2.1 Management Plane

Used by API publishers and administrators.

  • Configure APIs, Products, Subscriptions

  • Define and manage policies (rate limit, quota, authentication, transformation, etc.)

  • Manage users, groups, and roles

  • Accessible via:

    • Azure Portal
    • Azure CLI
    • PowerShell
    • ARM/Bicep/Terraform

Example Policies:

  • Rate limiting
  • Quotas
  • IP filtering
  • JWT validation
  • Request/response transformation

2.2 API Gateway (Runtime Plane)

The core runtime component that processes every API request.

  • Enforces all policies
  • Authenticates and authorizes requests
  • Routes requests to backend services
  • Transforms request and response payloads
  • Logs metrics and diagnostics

Flow: Client → APIM Gateway → Backend API → APIM → Client

2.3 Developer Portal

A self-service portal for API consumers.

  • Browse available APIs
  • View OpenAPI/Swagger documentation
  • Test APIs directly in the browser
  • Manage subscriptions and keys

⚠️ By default, the Developer Portal must be published by an admin

3. Typical API Management Workflow

Step 1: Create Backend API

  • Create a .NET Core Web API in Visual Studio
  • Add Swagger / OpenAPI
  • Deploy the API to Azure App Service

Step 2: Import API into APIM

  • Copy the OpenAPI (Swagger) URL
  • In Azure Portal → API Management → APIs
  • Select Add API → OpenAPI
  • Paste the Swagger URL

After import:

  • Test APIs directly from APIM
  • Configure backend settings
  • Apply policies

4. Mock Responses in APIM

Used when:

  • Backend API is not ready
  • Frontend or client testing is required

How it works:

  • APIM returns a predefined response without calling the backend
  • Configured using policies

Use cases:

  • Contract-first API development
  • Parallel frontend/backend development
  • Demo or POC environments

5. Policies in Azure API Management

Policies allow you to change API behavior without modifying backend code.

5.1 Policy Scopes

Policies can be applied at:

  • Global (All APIs)
  • Product
  • API
  • Operation

5.2 Common Policy Types

Inbound Policies

Executed before request reaches backend.

  • Rate limit
  • Quota
  • JWT validation
  • IP filtering
  • Header manipulation
  • Request transformation

Outbound Policies

Executed before response is sent to client.

  • Response transformation
  • Header modification
  • Caching

Backend Policies

  • Change backend service
  • Retry and timeout logic

On-Error Policies

  • Custom error handling
  • Logging and tracing

5.3 Commonly Used Policies

  • Rate Limit Policy

    • Limits number of requests per second/minute

  • Quota Policy

    • Limits total calls over a time period

  • IP Filter Policy

    • Allow or deny requests from specific IP ranges

  • Set Header Policy

    • Add, modify, or remove HTTP headers

  • Rewrite URL

  • Cache Response

6. Products & Subscriptions

Product

A logical grouping of related APIs.

  • Defines:

    • APIs included
    • Usage policies
    • Subscription requirements

Examples:

  • Free Product
  • Premium Product
  • Internal APIs Product

Subscription

Controls access to APIs within a Product.

  • Subscription key required in request header

  • Rate limits and quotas applied per subscription

  • Assigned to:

    • Users
    • Groups
    • Applications

7. Developer Portal (Consumer Perspective)

  • External or internal users can register

  • No Azure Portal access required

  • Users can:

    • Subscribe to Products
    • Get subscription keys
    • Test APIs
    • Read documentation

8. JWT Authentication in Azure API Management

Step 1: Microsoft Entra ID (Azure AD)

  • Register an application

  • Define:

    • App roles
    • Scopes

  • Expose an API

  • Assign roles to users or client applications

Step 2: Token Generation

  • Client obtains JWT token from Entra ID

  • Token contains:

    • Issuer
    • Audience
    • Roles / Claims

Step 3: Configure JWT Validation in APIM

  • Add Validate JWT policy in inbound section

  • Configure:

    • Issuer
    • Audience
    • Required claims / roles

Result:

  • Only authorized users/apps can access APIs
  • Backend remains protected

9. Networking – VNET Integration

9.1 VNET (External Mode)

  • APIM has:

    • Public endpoint
    • Access to resources inside VNET

  • Suitable when:

    • APIs need to be public
    • Backend is private

9.2 VNET (Internal Mode)

  • APIM accessible only inside VNET

  • No public endpoint

  • Requires:

    • VPN
    • ExpressRoute
    • Application Gateway / Front Door

Used for:

  • Internal enterprise APIs
  • High-security environments

10. Additional Important APIM Concepts (Missing but Important)

Monitoring & Diagnostics

  • Integrated with Azure Monitor

  • Supports:

    • Application Insights
    • Logs and metrics
    • Request tracing

API Versioning

  • Supported via:

    • URL path
    • Query string
    • HTTP header

Caching

  • Reduce backend load
  • Improve API performance
  • Can be applied at policy level

Security Features

  • Subscription keys
  • OAuth 2.0
  • JWT validation
  • mTLS (client certificates)
  • IP restrictions

11. High-Level APIM Request Flow

Client → APIM Gateway (Auth, Rate limit, Policies) → Backend Service → APIM (Transform, Cache, Log) → Client

image