Azure API Management Policies


In this tutorial, we will learn about Azure API Management policies and about publishing internal APIs to external consumers.

In Azure API Management, policies are the mechanism that lets the publisher change the behavior of an API through configuration. A policy is a collection of statements that run sequentially on the request or response of an API.

Understanding policy configuration

The policy definition is a simple XML document that describes a sequence of inbound and outbound statements. You can edit the XML directly in the definition window.

Clicking an enabled statement adds the appropriate XML at the cursor location in the definition view. The configuration is divided into four sections: inbound, backend, outbound, and on-error.

[Figure: API Management policies configuration. Image source: Microsoft]

If an error occurs during request processing, execution jumps to the statements in the on-error section. By placing policy statements in the on-error section, you can review the error using the context.LastError property, inspect and customize the error response using the set-body policy, and configure what happens if an error occurs.

Publishing internal APIs to external consumers

In this scenario, an organization hosts multiple APIs using App Service Environments (ILB ASE) and consolidates these APIs internally using an API Management (APIM) instance deployed inside a Virtual Network. The internal API Management instance can also be exposed to external users so that they can use the APIs. This external exposure is achieved with an Application Gateway that forwards requests to the internal API Management service, which in turn consumes the APIs deployed in the ASE.

Architecture

[Figure: Architecture. Image source: Microsoft]

The scenario above covers the complete lifecycle of internal APIs being consumed by external users.

The data flows as follows:

  • Firstly, developers check in code to a GitHub repository connected to a CI/CD pipeline agent installed on an Azure VM.
  • Secondly, the agent pushes the build to the API application hosted on the ILB ASE.
  • Thirdly, API Management consumes these APIs via HOST headers specified in an API Management policy.
  • Then, API Management uses the App Service Environment’s DNS name for all the APIs.
  • After that, Application Gateway exposes API Management’s developer and API portal.
  • Then, Azure Private DNS is used to route the traffic internally between the ASE, API Management, and Application Gateway.
  • Lastly, external users use the exposed developer portal to consume the APIs via Application Gateway’s public IP.

Components

  • Azure Virtual Network: This enables Azure resources to securely communicate with each other, the internet, and on-premises networks.
  • Azure Private DNS: This resolves domain names in a virtual network without needing to add a custom DNS solution.
  • API Management: This helps organizations publish APIs to external, partner, and internal developers to use their data and services.
  • Application Gateway: This is a web traffic load balancer that enables you to manage traffic to your web applications.
  • Azure DevOps: This service is for managing your development lifecycle and includes features for planning and project management, code management, build, and release.
  • Application Insights: This provides an extensible Application Performance Management (APM) service for web developers on multiple platforms.
  • Azure Cosmos DB: It is Microsoft’s multi-model database service.

Considerations

  • The web APIs are hosted over the secured HTTPS protocol and use a TLS certificate.
  • The Application Gateway is also configured over port 443 for secured and reliable outbound calls.
  • The API Management service is configured to use custom domains using TLS certificates.
  • Review the suggested network configuration for App Service Environments.
  • Port 3443 must be explicitly allowed so that API Management can be managed via the Azure portal or PowerShell.
  • Use policies within APIM to add a HOST header for the API hosted on the ASE. This ensures that the ASE’s load balancer forwards the request properly.
  • API Management accepts the ASE’s DNS entry for all the apps hosted under App Service Environments. Add an APIM policy that explicitly sets the HOST header so that the ASE load balancer can differentiate between apps under the App Service Environment.
  • Consider integrating with Azure Application Insights, which also surfaces metrics through Azure Monitor for monitoring.
  • If using CI/CD pipelines for deploying internal APIs, consider building your own hosted agent on a VM inside the Virtual Network.
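
The policy below is an added example, not taken from the original tutorial or from Microsoft's documentation. It combines the HOST header consideration above with the on-error handling described under "Understanding policy configuration": the inbound section pins the Host header for an ASE-hosted API, and the on-error section records context.LastError internally while returning a generic body to the external caller. The hostname is a constructed placeholder, and mapping every failure to a 500 response is a simplification assumed for this example.

```xml
<!-- Added example. The hostname is a constructed placeholder. -->
<policies>
    <inbound>
        <base />
        <!-- Override any client-supplied Host value so the ILB ASE load
             balancer routes the call to the intended app. -->
        <set-header name="Host" exists-action="override">
            <value>orders-api.internal-ase.example</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
        <!-- Keep the detailed failure (source, reason, message) in API
             Management tracing rather than in the response. -->
        <trace source="on-error" severity="error">
            <message>@(context.LastError.Source + ": " + context.LastError.Reason + ": " + context.LastError.Message)</message>
        </trace>
        <!-- Return a generic body to the external consumer. The request ID
             lets operators correlate the call with the trace entry.
             Simplification: every failure is mapped to 500; a choose policy
             on context.LastError.Reason could preserve other statuses. -->
        <return-response>
            <set-status code="500" reason="Internal Server Error" />
            <set-header name="Content-Type" exists-action="override">
                <value>application/json</value>
            </set-header>
            <set-body>@(new JObject(
                new JProperty("error", "The request could not be processed."),
                new JProperty("requestId", context.RequestId.ToString())).ToString())</set-body>
        </return-response>
    </on-error>
</policies>
```

Because the instance in this scenario is reachable by external users through the Application Gateway, the response body deliberately omits context.LastError.Message, which can contain backend hostnames or other internal details.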

Availability

Azure API Management can be deployed across multiple regions for higher availability and reduced latency. The API Management service in this specific scenario consumes APIs from App Service Environments, but APIM can also be used for APIs hosted on internal on-premises infrastructure.

Scalability

Scaling out API Management instances depends on a number of factors, such as the number and rate of concurrent connections, the kind and number of configured policies, request and response sizes, and back-end latencies on the APIs. Scale-out options are available in the Basic, Standard, and Premium tiers. An instance here refers to a unit, and you can scale up to a maximum of two units in the Basic tier, four units in the Standard tier, and any number of units in the Premium tier. Auto-scaling options are also available to enable scale-out based on rules.

App Service Environments scale within limits based on the pricing tier and the apps hosted under the App Service Environments. They can be configured to scale out (number of instances) or scale up (instance size) depending on the requirements of the application. Azure Application Gateway auto scaling is available as part of the zone-redundant SKU in all global Azure regions.

Pricing

API Management offers four tiers: developer, basic, standard, and premium. Customers can scale API Management by adding and removing units, and each unit has a capacity that depends on its tier. To view projected costs and customize them to your deployment needs, you can modify the number of scale units and App Service instances in the Azure Pricing Calculator.


Reference: Microsoft Documentation, Documentation 2
