3. What is API Management?
API Management (APIM) is a way to create consistent and modern API gateways for existing back-end services.
API Management helps organizations publish APIs to external, partner, and internal developers to unlock the potential of their data and
services. Businesses everywhere are looking to extend their operations as a digital platform, creating new channels, finding new customers
and driving deeper engagement with existing ones.
• To use API Management, administrators create APIs.
• Each API consists of one or more operations, and each API can be added to one or more products.
• To use an API, developers subscribe to a product that contains that API, and then they can call the API's operations.
4. Microsoft Azure API Management
Azure API Management covers four areas:
• Project existing or new services as APIs
• Publish APIs to developers, partners and citizens
• View operational and business insights through analytics
• Developer engagement
5. Azure API Management – High Level Architecture
Consumers: web users (web site), app developers, users (mobile apps, social apps), partners and affiliates
Your organization: API
Azure API Management:
• Developer portal – registration, documentation, interactive API console, developer analytics, app gallery, forums, news, issues, wiki
• API proxy – scaling, caching, monitoring, traffic management
• Admin portal – API publishing, subscription management, security, mediation, content publishing, site customization, issue management, analytics, reports
9. Recent News/Updates
Now in all Azure regions, including Australia!
• Static IP
• OAuth 2.0 support
• Backup / Restore
• Certificate auth
• HTTP support
• Subscription per app
• Performance improvements (DevX and Proxy)
• Delegation
• Improved Caching
• Custom Subscription Keys
• Compression Support
• Google Analytics Support
• Faster API setup
• Check Header Policy
• And more
10. Microsoft Azure
API Management Components
The system is made up of the following components:
1. The API gateway is the endpoint that:
• Accepts API calls and routes them to your backends.
• Verifies API keys, JWT tokens, certificates, and other credentials.
• Enforces usage quotas and rate limits.
• Transforms your API on the fly without code modifications.
• Caches backend responses where set up.
• Logs call metadata for analytics purposes.
2. The Azure portal is the administrative interface where you set up your API program. Use it to:
• Define or import API schema.
• Package APIs into products.
• Set up policies like quotas or transformations on the APIs.
• Get insights from analytics.
• Manage users.
3. The Developer portal serves as the main web presence for developers, where they can:
• Read API documentation.
• Try out an API via the interactive console.
• Create an account and subscribe to get API keys.
• Access analytics on their own usage.
11. Microsoft Azure
APIs and Operations
• Each API represents a set of operations available to developers.
• Each API contains a reference to the back-end service that implements the API, and its operations map to the operations implemented by the back-end service.
• Operations in API Management are highly configurable, with control over URL mapping, query and path parameters, request and response content, and operation response caching. Rate limit, quotas, and IP restriction policies can also be implemented at the API or individual operation level.
Products
• Products are how APIs are surfaced to developers.
• Products in API Management have one or more APIs, and are configured with a title, description, and terms of use.
• Products can be Open or Protected. Protected products must be subscribed to before they can be used, while open products can be used without a subscription.
14. Microsoft Azure
Groups
Groups are used to manage the visibility of products to developers. API Management has the following immutable system groups:
• Administrators - Azure subscription administrators are members of this group. Administrators manage API Management service instances, creating the APIs, operations, and products that are used by developers.
• Developers - Authenticated developer portal users fall into this group. Developers are the customers that build applications using your APIs. Developers are granted access to the developer portal and build applications that call the operations of an API.
• Guests - Unauthenticated developer portal users, such as prospective customers visiting the developer portal of an API Management instance, fall into this group. They can be granted certain read-only access, such as the ability to view APIs but not call them.
Developer portal
• The developer portal is where developers can learn about your APIs, view and call operations, and subscribe to products.
17. Microsoft Azure
Policies
• Policies are a powerful capability of API Management that allow the Azure portal to change the behavior of the API through configuration.
• Policies are a collection of statements that are executed sequentially on the request or response of an API.
Types of Policies
• Access restriction check
• Advanced policies
• Authentication policies
• Caching policies
• Cross domain policies
• Transformation policies
19. Microsoft Azure
Policies - Access restriction check
HTTP header - Enforces existence and/or value of an HTTP header.
Limit call rate by subscription - Prevents API usage spikes by limiting call rate, on a per subscription basis.
Limit call rate by key - Prevents API usage spikes by limiting call rate, on a per key basis.
Restrict caller IPs - Filters (allows/denies) calls from specific IP addresses and/or address ranges.
Set usage quota by subscription - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per
subscription basis.
Set usage quota by key - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.
Validate JWT - Enforces existence and validity of a JWT extracted from either a specified HTTP Header or a specified query parameter.
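The access restriction policies listed above are normally combined in one inbound section. The policy document below is an added illustration written for this page; it is not a slide from the deck and not Microsoft's sample. The address range, TENANT_ID_PLACEHOLDER, the audience, the scope value and the numeric limits are placeholders, and the policy assumes it sits at API scope on a protected product, so the <base /> elements inherit the global policy and context.Subscription is populated.

```xml
<!-- Added example for this page (not from the deck). Placeholders: the address range,
     TENANT_ID_PLACEHOLDER, the audience URI and the scope value. -->
<policies>
    <inbound>
        <base />
        <!-- 1. Restrict caller IPs: only the documented front-door range is accepted
                (RFC 5737 documentation range used here as a placeholder) -->
        <ip-filter action="allow">
            <address-range from="203.0.113.0" to="203.0.113.255" />
        </ip-filter>
        <!-- 2. Limit call rate by key: 10 calls per 60 s per source address, placed before any
                token work so an unauthenticated flood cannot drive signature verification -->
        <rate-limit-by-key calls="10" renewal-period="60" counter-key="@(context.Request.IpAddress)" />
        <!-- 3. HTTP header: the header must exist and carry one of the listed values,
                otherwise the gateway answers 400 without contacting the backend -->
        <check-header name="X-Client-Version" failed-check-httpcode="400"
                      failed-check-error-message="X-Client-Version header missing or unsupported" ignore-case="true">
            <value>2</value>
            <value>3</value>
        </check-header>
        <!-- 4. Validate JWT: signed, unexpired bearer token from the configured issuer,
                addressed to this API and carrying the required scope -->
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized" require-scheme="Bearer"
                      require-expiration-time="true" require-signed-tokens="true">
            <openid-config url="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://conference-api-placeholder</audience>
            </audiences>
            <required-claims>
                <claim name="scp" match="any" separator=" ">
                    <value>Sessions.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- 5. Set usage quota by key: 100,000 calls or 500,000 KB per subscription per 30 days
                (2592000 s); only calls that passed the checks above are counted -->
        <quota-by-key calls="100000" bandwidth="500000" renewal-period="2592000"
                      counter-key="@(context.Subscription.Id)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The order is deliberate: the cheap checks (IP filter, per-address rate limit, header check) run first, so callers who fail them never reach the JWT signature check, and the subscription quota comes last so that rejected calls do not consume the subscriber's allowance.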
20. Microsoft Azure
Advanced policies
Control flow - Conditionally applies policy statements based on the evaluation of Boolean expressions.
Forward request - Forwards the request to the backend service.
Limit concurrency - Prevents enclosed policies from executing by more than the specified number of requests at a time.
Log to Event Hub - Sends messages in the specified format to a message target defined by a Logger entity.
Mock response - Aborts pipeline execution and returns a mocked response directly to the caller.
Retry - Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count.
Return response - Aborts pipeline execution and returns the specified response directly to the caller.
Send one way request - Sends a request to the specified URL without waiting for a response.
Send request - Sends a request to the specified URL.
Set HTTP proxy - Allows you to route forwarded requests via an HTTP proxy.
Set variable - Persists a value in a named context variable for later access.
Set request method - Allows you to change the HTTP method for a request.
Set status code - Changes the HTTP status code to the specified value.
Trace - Adds custom traces into the API Inspector output, Application Insights telemetries, and Resource Logs.
Wait - Waits for enclosed Send request, Get value from cache, or Control flow policies to complete before proceeding.
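The following policy document is an added example for this page, not a slide from the deck, showing how several of the advanced policies above work together: a variable drives a control-flow decision that returns a response early, the backend call is wrapped in concurrency and retry limits, every call is logged to Event Hub, and errors are traced. LOGGER_ID_PLACEHOLDER stands for a Logger entity that must already exist; the header name, limits and source label are values chosen for the example.

```xml
<!-- Added example for this page (not from the deck). Placeholder: LOGGER_ID_PLACEHOLDER. -->
<policies>
    <inbound>
        <base />
        <!-- Set variable: remember whether the caller supplied a correlation id -->
        <set-variable name="hasCorrelationId" value="@(context.Request.Headers.ContainsKey("X-Correlation-Id"))" />
        <!-- Control flow + Return response: reject early; the backend is never contacted for such requests -->
        <choose>
            <when condition="@(!context.Variables.GetValueOrDefault<bool>("hasCorrelationId"))">
                <return-response>
                    <set-status code="400" reason="Bad Request" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{"error":"X-Correlation-Id header is required"}</set-body>
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <!-- Limit concurrency: at most 5 calls of this operation in flight; further callers get 429.
             Retry: the forward is repeated up to twice, one second apart, while the backend answers 503;
             buffer-request-body="true" keeps the request body available for the retry. -->
        <limit-concurrency key="@(context.Operation.Id)" max-count="5">
            <retry condition="@(context.Response.StatusCode == 503)" count="2" interval="1" first-fast-retry="false">
                <forward-request buffer-request-body="true" timeout="30" />
            </retry>
        </limit-concurrency>
    </backend>
    <outbound>
        <base />
        <!-- Log to Event Hub: one JSON audit record per call -->
        <log-to-eventhub logger-id="LOGGER_ID_PLACEHOLDER">@{
            return new JObject(
                new JProperty("timestamp", DateTime.UtcNow.ToString("o")),
                new JProperty("correlationId", context.Request.Headers.GetValueOrDefault("X-Correlation-Id", "")),
                new JProperty("operation", context.Operation.Id),
                new JProperty("callerIp", context.Request.IpAddress),
                new JProperty("status", context.Response.StatusCode)
            ).ToString();
        }</log-to-eventhub>
    </outbound>
    <on-error>
        <base />
        <!-- Trace: surface the failing policy's message in the API Inspector and telemetry -->
        <trace source="conference-api" severity="error">
            <message>@(context.LastError.Message)</message>
        </trace>
    </on-error>
</policies>
```

Because the backend section replaces the inherited forward-request instead of calling <base />, the request is forwarded exactly once per attempt; leaving <base /> in place alongside the retry block would forward it twice.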
21. Microsoft Azure
Authentication policies
Authenticate with Basic - Authenticates with a backend service using Basic authentication.
Authenticate with client certificate - Authenticates with a backend service using client certificates.
Authenticate with managed identity - Authenticates with a backend service using a managed identity.
Caching policies
Get from cache - Performs a cache lookup and returns a valid cached response when available.
Store to cache - Caches the response according to the specified cache control configuration.
Get value from cache - Retrieves a cached item by key.
Store value in cache - Stores an item in the cache by key.
Remove value from cache - Removes an item from the cache by key.
Cross domain policies
Allow cross-domain calls - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.
CORS - Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.
JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.
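One policy document that uses a policy from each of the three families above, added here as an example for this page rather than taken from the deck: CORS restricted to a single named origin, response caching that is keyed per developer so one subscriber's cached data is never served to another, and backend authentication with the gateway's managed identity so no credential is stored in the policy. The origin and the backend application id URI are placeholders.

```xml
<!-- Added example for this page (not from the deck). Placeholders: the allowed origin and
     the backend application id URI in the resource attribute. -->
<policies>
    <inbound>
        <!-- CORS: one explicit origin, no wildcard, no credentials; preflight result cached for 10 minutes.
             Placed first so browser preflight requests are answered before any other inbound policy runs. -->
        <cors allow-credentials="false">
            <allowed-origins>
                <origin>https://portal.example.com</origin>
            </allowed-origins>
            <allowed-methods preflight-result-max-age="600">
                <method>GET</method>
                <method>POST</method>
            </allowed-methods>
            <allowed-headers>
                <header>Authorization</header>
                <header>Content-Type</header>
            </allowed-headers>
        </cors>
        <base />
        <!-- Get from cache: a hit is served only to the developer who filled it and only for the same
             Accept header; downstream caches may keep a private copy but must revalidate -->
        <cache-lookup vary-by-developer="true" vary-by-developer-groups="false"
                      downstream-caching-type="private" must-revalidate="true">
            <vary-by-header>Accept</vary-by-header>
        </cache-lookup>
        <!-- Authenticate with managed identity: the gateway obtains its own Azure AD token for the
             backend resource; no shared secret or certificate appears in the policy -->
        <authentication-managed-identity resource="api://backend-app-placeholder" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Store to cache: successful (200) responses only, for 5 minutes -->
        <cache-store duration="300" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Setting vary-by-developer="true" is the part most often omitted: with it set to false, a cached response produced for one subscription key would be returned to any other caller of the same operation during the cache lifetime.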
22. Microsoft Azure
Transformation policies
Convert JSON to XML - Converts request or response body from JSON to XML.
Convert XML to JSON - Converts request or response body from XML to JSON.
Find and replace string in body - Finds a request or response substring and replaces it with a different substring.
Mask URLs in content - Re-writes (masks) links in the response body so that they point to the equivalent link via the gateway.
Set backend service - Changes the backend service for an incoming request.
Set body - Sets the message body for incoming and outgoing requests.
Set HTTP header - Assigns a value to an existing response and/or request header or adds a new response and/or request header.
Set query string parameter - Adds, replaces value of, or deletes request query string parameter.
Rewrite URL - Converts a request URL from its public form to the form expected by the web service.
Transform XML using an XSLT - Applies an XSL transformation to XML in the request or response body.
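The transformation policies above are typically used to hide the backend's shape from callers. The document below is an added example for this page (not from the deck): the request is re-routed and rewritten to a legacy backend path, a version parameter and a forwarding header are fixed by the gateway so callers cannot set them, and the response has server fingerprints removed, hardening headers added, and embedded backend links masked. Both host names and the version value are placeholders, and the example assumes the operation's URL template is /sessions/{id}.

```xml
<!-- Added example for this page (not from the deck). Placeholders: both host names and the
     api-version value. Assumes the operation URL template is /sessions/{id}. -->
<policies>
    <inbound>
        <base />
        <!-- Set backend service: send this API's traffic to a host other than the one configured on the API -->
        <set-backend-service base-url="https://conference-backend.internal.example/" />
        <!-- Rewrite URL: public /sessions/{id} becomes the legacy path the backend expects;
             query parameters the template does not name are dropped rather than forwarded -->
        <rewrite-uri template="/api/v1/session?id={id}" copy-unmatched-params="false" />
        <!-- Set query string parameter: the version is fixed by the gateway; a caller-supplied value is overridden -->
        <set-query-parameter name="api-version" exists-action="override">
            <value>2019-01-01</value>
        </set-query-parameter>
        <!-- Set HTTP header (request): record the public host; override so a caller cannot spoof it -->
        <set-header name="X-Forwarded-Host" exists-action="override">
            <value>@(context.Request.OriginalUrl.Host)</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Set HTTP header (response): remove the server fingerprint, add browser hardening headers -->
        <set-header name="Server" exists-action="delete" />
        <set-header name="X-Content-Type-Options" exists-action="override">
            <value>nosniff</value>
        </set-header>
        <set-header name="Strict-Transport-Security" exists-action="override">
            <value>max-age=31536000; includeSubDomains</value>
        </set-header>
        <!-- Mask URLs in content: links in the body that point at the backend are rewritten to the gateway -->
        <redirect-content-urls />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```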
23. Microsoft Azure
Understanding policy configuration
The policy definition is a simple XML document that describes a sequence of inbound and outbound statements. The XML can be edited directly in the definition window. A list of statements is provided to the right, and statements applicable to the current scope are enabled and highlighted.
The configuration is divided into inbound, backend, outbound, and on-error sections. The specified policy statements are executed in order for a request and a response.
<policies>
    <inbound>
        <!-- statements to be applied to the request go here -->
    </inbound>
    <backend>
        <!-- statements to be applied before the request is forwarded to the backend service go here -->
    </backend>
    <outbound>
        <!-- statements to be applied to the response go here -->
    </outbound>
    <on-error>
        <!-- statements to be applied if there is an error condition go here -->
    </on-error>
</policies>
<policies>
    <inbound>
        <cross-domain />
        <base />
        <find-and-replace from="xyz" to="abc" />
    </inbound>
</policies>
<ip-filter action="allow | forbid">
    <address>address</address>
    <address-range from="address" to="address" />
</ip-filter>
<rate-limit-by-key calls="3" renewal-period="15" counter-key="@(context.Subscription.Id)" />
24. Microsoft Azure
<policies>
    <inbound>
        <rate-limit-by-key calls="3" renewal-period="15" counter-key="@(context.Subscription.Id)" />
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
        <find-and-replace from="://conferenceapi.azurewebsites.net:443" to="://apiphany.azure-api.net/conference" />
        <find-and-replace from="://conferenceapi.azurewebsites.net" to="://apiphany.azure-api.net/conference" />
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
<policies>
    <inbound>
        <base />
        <rate-limit calls="20" renewal-period="90" />
    </inbound>
    <outbound>
        <base />
    </outbound>
</policies>
<choose>
    <when condition="@(context.Response.StatusCode == 200 && context.Product.Name.Equals("Starter"))">
        <set-body>@{
            var response = context.Response.Body.As<JObject>();
            foreach (var key in new [] {"minutely", "hourly", "daily", "flags"}) {
                response.Property(key).Remove();
            }
            return response.ToString();
        }</set-body>
    </when>
</choose>
<log-to-eventhub logger-id="id of the logger entity" partition-id="index of the partition where messages are sent"
                 partition-key="value used for partition assignment">
    Expression returning a string to be logged
</log-to-eventhub>
<set-variable name="IsMobile" value="@(context.Request.Headers.GetValueOrDefault("User-Agent", "").Contains("iPad") || context.Request.Headers.GetValueOrDefault("User-Agent", "").Contains("iPhone"))" />
35. Microsoft Azure
BizTalk Server Configuration - 1
Step 1: Publish the web service using BizTalk
http://localhost/BizTalkWcfService/EmployeeDetails.svc?singleWsdl
Step 2: Publish the API using the BizTalk Admin Console