API Management enables companies to publish APIs to external, partner, and internal developers, allowing their data and services to reach their full potential.
In this article we look at the components of the API Management service and what each one does, how an API gateway helps manage API calls, how subscriptions and certificates are used to secure API access, and how to create an API Management instance in preparation for publishing a backend API.
API Management service
Through developer engagement, business insights, analytics, security, and protection, API Management delivers the core capabilities needed to run a successful API program. Each API consists of one or more operations and can be added to one or more products. To use an API, developers must first subscribe to a product that includes that API; after that they can call the API's operations, subject to any usage policies attached to the product or API.
The system is made up of the following components:
The API gateway is the endpoint that:
- Accepts API requests and forwards them to your backend(s).
- Verifies API keys, JWT tokens, certificates, and other credentials.
- Enforces usage quotas and rate limits.
- Transforms your API on the fly without requiring any code changes.
- Caches backend responses where caching has been configured.
- Logs call metadata for analytics purposes.
The Azure portal is the administrative interface where you set up your API program. Use it to:
- Define or import an API schema.
- Package APIs into products.
- Set up policies on the APIs, such as quotas and transformations.
- Get insights from analytics.
- Manage users.
The developer portal is the main web presence for developers, where they can:
- Read the API documentation.
- Try out an API via the interactive console.
- Create an account and subscribe to obtain API keys.
- Access analytics on their own usage.
Groups are used to control which products are visible to developers. The following system groups are immutable in API Management:
- Administrators – Azure subscription administrators are members of this group. Administrators manage API Management service instances and create the APIs, operations, and products that developers use.
- Developers – Authenticated developer portal users belong to this group. Developers are the customers who build applications using your APIs.
- Guests – Unauthenticated developer portal users, such as prospective customers visiting an API Management instance's developer portal, belong to this group.
A solution may consist of several front-end and back-end services. How does a client know which endpoints to call in that case? What happens when new services are introduced or existing services are refactored? How do services handle SSL termination, authentication, and other cross-cutting concerns? An API gateway addresses these problems.
An API gateway sits between clients and services. It acts as a reverse proxy, routing requests from clients to services. It may also perform cross-cutting tasks such as authentication, SSL termination, and rate limiting. If you don't deploy a gateway, clients must send requests directly to front-end services. Exposing services directly to clients has some drawbacks:
- It can result in complex client code, because the client must keep track of multiple endpoints and handle failures resiliently.
- It creates coupling between the client and the backend. The client needs to know how the individual services are decomposed, which makes it harder to maintain the client and to refactor services.
- A single operation may require calls to multiple services. That can mean several network round trips between the client and the server, adding significant latency.
- Every public-facing service must handle concerns such as authentication, SSL, and client rate limiting.
- Services must expose a client-friendly protocol such as HTTP or WebSocket, which limits the choice of communication protocols.
- Services with public endpoints are a potential attack surface and must be hardened.
By decoupling clients from services, a gateway can help with these challenges. Gateways can perform a variety of tasks, and you may not require all of them. The following design patterns can be applied to the functions:
- Gateway routing: Use the gateway as a reverse proxy that routes requests to one or more backend services using layer 7 routing.
- Gateway aggregation: Use the gateway to aggregate multiple individual requests into a single request.
- Gateway offloading: Use the gateway to offload cross-cutting functionality from individual services to the gateway.
Some examples of functionality that could be offloaded to a gateway are as follows:
- SSL termination
- IP allow/block list
- Client rate limiting (throttling)
- Logging and monitoring
- Response caching
- GZIP compression
- Servicing static content
Secure APIs with subscriptions
When you publish APIs through API Management, it is easy and common to secure access to those APIs with subscription keys. Developers must include a valid subscription key in their HTTP requests when calling the published APIs. Otherwise, the API Management gateway rejects the call immediately and the request is never forwarded to the back-end service.
To get a subscription key for accessing APIs, a subscription is required. A subscription is a named container for a pair of subscription keys. Developers who need to consume the published APIs can obtain subscriptions, and they don't need approval from API publishers to do so. API publishers can also create subscriptions directly for API consumers.
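The request shape the paragraph above describes, as an added example that is not part of the original article: a small Bash helper that calls an API behind the API Management gateway with the subscription key in the `Ocp-Apim-Subscription-Key` header. The gateway host `contoso.azure-api.net` and the `/echo/resource` path are assumed placeholders; the key is read from an environment variable rather than typed on the command line so that it does not end up in shell history or `ps` output, and the rendered command masks it.

```shell
# Added example: calling an APIM-fronted API with a subscription key.
# Assumptions: APIM_KEY holds a subscription key; the URL is a placeholder.
set -eu

# Show only the last four characters of a key when echoing a command.
mask_key() {
  k="$1"
  printf '****%s' "${k#"${k%????}"}"
}

# Render (default) or send (APIM_EXECUTE=1) one request. The key travels in the
# Ocp-Apim-Subscription-Key header; APIM also accepts a subscription-key query
# parameter, but a header keeps the secret out of URL-based access logs.
apim_call() {
  url="$1"
  key="${APIM_KEY:?set APIM_KEY to a subscription key}"
  if [ "${APIM_EXECUTE:-0}" = "1" ]; then
    # Print only the HTTP status the gateway answered with.
    curl -sS -o /dev/null -w '%{http_code}' \
      -H "Ocp-Apim-Subscription-Key: ${key}" "$url"
  else
    printf 'curl -sS -o /dev/null -w %%{http_code} -H "Ocp-Apim-Subscription-Key: %s" "%s"\n' \
      "$(mask_key "$key")" "$url"
  fi
}

# Map the status codes the gateway itself produces (before any backend is
# reached) to what they mean for the caller.
explain_status() {
  case "$1" in
    401) echo "rejected at the gateway: missing or invalid subscription key" ;;
    403) echo "rejected at the gateway: subscription not allowed, or quota exhausted" ;;
    429) echo "rejected at the gateway: rate limit exceeded, retry later" ;;
    2*)  echo "accepted and forwarded to the backend" ;;
    *)   echo "status $1: check the backend or the API's policies" ;;
  esac
}

# Usage in Cloud Shell (placeholder URL):
#   APIM_KEY=... apim_call https://contoso.azure-api.net/echo/resource
#   APIM_KEY=... APIM_EXECUTE=1 apim_call https://contoso.azure-api.net/echo/resource
```

Run it once without `APIM_EXECUTE` to review the command, then with `APIM_EXECUTE=1` to send it; repeating the executed call with `APIM_KEY=` set to an empty or wrong value is the quickest way to confirm that the gateway, not your backend, is the component returning 401.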
Subscriptions and Keys
The following are the three primary subscription scopes:

| Scope | Details |
|---|---|
| All APIs | Applies to every API accessible through the gateway. |
| Single API | Applies to a single imported API and all of its endpoints. |
| Product | A product in API Management is a collection of one or more APIs that you configure. An API can belong to several products, and each product can carry its own access rules, usage quotas, and terms of use. |

If you suspect that a key has been shared with unauthorized users, you can regenerate the subscription keys at any time. Because each subscription holds a primary and a secondary key, you can rotate one while clients keep using the other and avoid an outage.
Create a backend API
- Login to the Azure portal and open the Cloud Shell.
- Select the Bash environment.
Create an API Management instance
- To reduce retyping, set some variables for the CLI commands to use. Replace <myLocation> with a region that makes sense for you. The APIM name must be globally unique; the script generates one. Replace <myEmail> with an email address you can access.
- Create a resource group. The commands below create a resource group named az204-apim-rg.
- Create an APIM instance. The instance is created with the az apim create command. The --sku-name Consumption option is used to speed up the walkthrough.
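The procedure above, as one complete Bash script added here for illustration (it is not the article's own listing). It runs in Azure Cloud Shell with the Azure CLI already signed in. The default region, the placeholder email and the publisher name `AZ204-APIM-Exercise` are assumptions to be edited; the resource group name `az204-apim-rg` and the Consumption SKU come from the steps above. By default the script only prints the commands it would run, so it can be reviewed first; pass `--run` to execute them.

```shell
# Added example: provision an API Management instance for the walkthrough.
# Assumptions: MY_LOCATION / MY_EMAIL are edited or exported before running;
# the publisher name is a placeholder.
set -eu

myLocation="${MY_LOCATION:-eastus}"          # replace with a region near you
myEmail="${MY_EMAIL:-you@example.com}"       # replace with a reachable address
myResourceGroup="az204-apim-rg"
# APIM names must be globally unique: they become <name>.azure-api.net.
myApiName="az204-apim-${RANDOM:-$$}"

# Execute a command when APIM_EXECUTE=1, otherwise print it for review.
run() {
  if [ "${APIM_EXECUTE:-0}" = "1" ]; then
    "$@"
  else
    printf '%s ' "$@"; printf '\n'
  fi
}

# Azure's naming rule for the service name: 1-50 characters, letters, digits
# and hyphens only, starting with a letter and ending with a letter or digit.
# Checking locally avoids a failed deployment after the CLI has already run.
validate_apim_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z]([A-Za-z0-9-]{0,48}[A-Za-z0-9])?$'
}

create_resource_group() {
  run az group create --name "$myResourceGroup" --location "$myLocation"
}

create_apim() {
  # The Consumption tier is serverless and provisions far faster than the
  # dedicated tiers, which is why the walkthrough uses it.
  run az apim create --name "$myApiName" --resource-group "$myResourceGroup" \
    --location "$myLocation" --publisher-email "$myEmail" \
    --publisher-name "AZ204-APIM-Exercise" --sku-name Consumption
}

main() {
  validate_apim_name "$myApiName" || {
    echo "invalid APIM service name: $myApiName" >&2
    return 1
  }
  create_resource_group
  create_apim
  echo "Gateway URL will be https://${myApiName}.azure-api.net"
}

# Only `bash provision-apim.sh --run` executes; anything else prints the plan.
[ "${1:-}" = "--run" ] && APIM_EXECUTE=1
main
```

When the instance exists, `az apim show --name "$myApiName" --resource-group az204-apim-rg` confirms the provisioning state and the gateway URL that the later steps publish the backend API through.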