Session title: Azure API Management: Architecting for Performance and Security
Description:
This session will provide a comprehensive deep dive into Azure API Management, focusing on optimizing API performance and security. It is designed for developers, architects, and IT professionals who want to leverage Azure's capabilities for efficient API management. The session will blend theoretical insights with practical demonstrations, highlighting how to architect APIs for optimal performance and robust security in the Azure environment.
2. Hello!
Instructor: Hamida Rebai
Microsoft MVP, Microsoft Certified Trainer
Docker Captain
Cloud Solutions Architect
More than 14 years of experience in IT
Thank you for joining me today
https://twitter.com/rebaihamida
https://www.linkedin.com/in/hamida-rebai-trabelsi/
rebai.hamida@gmail.com
Blog: https://didourebai.medium.com/
3. Contents
You will learn the following concepts:
Section 1
• The API requirements and challenges, and the advantages of using an API management platform
Section 2
• An overview of Azure API Management and its advanced features
Section 3
• Building robust, secure, and scalable APIs
Section 4
• Security best practices
4. API requirements and challenges
• APIs play a crucial role in connecting applications and enabling seamless interactions.
• To take part in the API economy effectively, an organization must address several requirements and challenges around monitoring, managing, and securing its APIs:
• Reuse
• Easy access
• Security
• Visibility
• Establishing API facades lets IT organizations keep supporting legacy backends while exposing a modern interface to consumers.
5. API Support: Decoupling through Facades
• Responsibility for evolution: companies that publish APIs must evolve them systematically.
• Developer impact: API changes often force consumers to rewrite their programs, causing unnecessary disruption.
• Simplified facades: IT organizations put a simpler facade in front of the internal implementation to decouple it from the API consumer experience.
Benefits of facades:
• Developer independence: a simplified API lets the underlying implementation change without affecting developers' applications.
• Legacy support: facades enable a seamless transition from legacy APIs (XML, SOAP) to newer standards (JSON, REST) without recoding consumers.
• Justification for investment: the efficiency gained through reuse and legacy support justifies investing in an API management platform.
6. API management platform: challenges and requirements
• An API management platform is a proxy between the API and the customer, partner, or developer that consumes it.
• Definition: API management is the software that supports the stages of the API life cycle: planning, design, implementation, testing, deployment, operation, versioning, and retirement.
• Purpose: organizations use APIs to modernize architectures, integrate systems, services, and partners efficiently, and monetize data and services.
• Benefits: an API management platform helps discover, design, build, manage, and secure APIs, regardless of organizational size, location, or industry.
• Advantages: it improves composability, security, and business resilience, accelerating organizational growth.
7. Azure API Management: architecture and features
The role of API management
• API management provides the core functions needed for a successful API program: developer participation, business insight, analytics, security, and protection.
• Each API consists of one or more operations, and each API can be added to one or more products.
The system is made up of the following components:
• API gateway (managed in Azure, or a self-hosted gateway)
• Azure portal (management interface)
• Developer portal
8. Azure API Management: architecture and features
[Architecture diagram: control plane and data plane]
• Control plane (admin/management plane): the Azure API admin portal, used by the API owner (admin role) to define APIs, policies, and monitoring (metrics).
• User plane: the developer portal, used by app developers to discover and subscribe to APIs.
• Data plane: API gateway instances fronting the APIs, either hosted in Azure in front of Azure-hosted service implementations, or self-hosted in front of on-premises service implementations.
9. Building robust, secure, and scalable APIs
Problem
• Importance of API delivery
• Ensuring API sustainability
• Role of API providers
• Expectations from API consumers
• Consequences of poor API delivery
10. Building robust, secure, and scalable APIs
Best practices and consumer-centric API portfolio excellence
• Consumer-centric approach
• Contrast with the provider-centric approach
• Provider-centric anti-pattern
• Sustainable APIs
11. Security best practices
1. Implement IAM and Security
2. Configure Endpoint Protection Capabilities
3. Implement API Mediation
4. Configure Analytics and Reporting
12. Secure APIs in Azure API Management
Using subscriptions or using certificates?
• Subscription keys or plans
• Access control policies
• Monitoring and analytics
• Certificate management
• Certificates in Azure Key Vault
• Configure API Management policies
13. Secure APIs by using subscriptions
Subscription key scopes
Scope      | Details
All APIs   | Applies to every API accessible from the gateway
Single API | Applies to a single imported API and all of its endpoints
Product    | A product is a collection of one or more APIs that you configure in API Management. You can assign APIs to more than one product. Products can have different access rules, usage quotas, and terms of use.
14. Secure APIs by using subscriptions
Applications that call protected APIs
• Must include the key in every request.
• You can regenerate subscription keys at any time.
• Every subscription has two keys, a primary and a secondary, so one key can be rotated while callers keep using the other.
15. Secure APIs by using subscriptions
Call an API with the subscription key
• Keys can be passed in a request header or as a query string parameter in the URL.
• The default header name is Ocp-Apim-Subscription-Key; the default query parameter name is subscription-key.
• Use the developer portal to test API calls.
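As an added example (not part of the original deck), the following inbound policy tightens the subscription-key handling described above: it rejects keys sent as the subscription-key query parameter, so the secret stays out of URL-based access logs, browser history and Referer headers, and it strips the Ocp-Apim-Subscription-Key header before the request is forwarded, so the backend never sees the caller's key. The status text is a placeholder; everything else uses only the built-in context.Request.Url.Query expression and the set-header policy.

```xml
<policies>
    <inbound>
        <base />
        <!-- By the time this policy runs, the gateway has already validated the
             subscription key (whether it came in the header or the query string).
             Here we additionally require the header form: a key in the URL is
             copied into access logs, browser history and Referer headers. -->
        <choose>
            <when condition="@(context.Request.Url.Query.GetValueOrDefault("subscription-key") != null)">
                <return-response>
                    <set-status code="400" reason="Send the subscription key in the Ocp-Apim-Subscription-Key header, not the query string" />
                </return-response>
            </when>
        </choose>
        <!-- The backend trusts the gateway, not the key: remove the header before
             forwarding so the secret is not written to backend logs. -->
        <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Apply this at product or API scope. A request carrying ?subscription-key=... now receives 400 even though the key itself is valid; the developer portal's "Try it" sends the header form, so it keeps working. If you prefer to tolerate query-string keys instead of rejecting them, replace the choose block with set-query-parameter name="subscription-key" exists-action="delete" so the key is at least not forwarded.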
16. Secure APIs by using certificates
1. Certificates can be used to provide Transport Layer Security (TLS) mutual authentication between the client and the API gateway.
2. You can configure the API Management gateway to allow only requests with certificates containing a specific thumbprint.
3. Authorization at the gateway level is handled through inbound policies.
17. Secure APIs by using certificates
• Accepting client certificates in the Consumption tier (in this tier the gateway only negotiates a client certificate when "Request client certificate" is enabled in the custom domain settings)
• Certificate authorization policies:
• Check the thumbprint of a client certificate
• Check the thumbprint against certificates uploaded to API Management
• Check the issuer and subject of a client certificate
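The three certificate checks listed above, written as one inbound policy. This is an added example, not from the original deck; the issuer and subject distinguished names are hypothetical placeholders, and the policy relies only on the built-in context.Request.Certificate and context.Deployment.Certificates objects. The first branch matters: when no certificate was presented (or the gateway was never configured to request one), context.Request.Certificate is null, so that case must be rejected before any property is read.

```xml
<policies>
    <inbound>
        <base />
        <choose>
            <!-- No client certificate presented: reject before touching any property,
                 otherwise the expressions below throw on a null certificate. -->
            <when condition="@(context.Request.Certificate == null)">
                <return-response>
                    <set-status code="403" reason="Client certificate required" />
                </return-response>
            </when>
            <!-- Thumbprint check against the certificates uploaded to this API
                 Management instance (including Key Vault-backed ones). Thumbprint is
                 the SHA-1 fingerprint as uppercase hex without separators, so pinning a
                 single certificate is the same comparison against a literal:
                 context.Request.Certificate.Thumbprint != "UPPERCASE-HEX-THUMBPRINT" -->
            <when condition="@(!context.Request.Certificate.Verify() || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
                <return-response>
                    <set-status code="403" reason="Client certificate not trusted" />
                </return-response>
            </when>
            <!-- Issuer and subject check (placeholder names, assumed for the example).
                 Never rely on this alone: any CA can issue a certificate with these
                 names, so keep it in addition to the trust or thumbprint check above. -->
            <when condition="@(context.Request.Certificate.Issuer != "CN=Contoso Partner Issuing CA" || context.Request.Certificate.SubjectName.Name != "CN=partner-app.contoso.example")">
                <return-response>
                    <set-status code="403" reason="Unexpected certificate issuer or subject" />
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Verify() performs chain validation against the CA certificates known to the instance; if the client certificates come from a private CA, upload that CA to the instance's CA certificates first, or the second branch will reject every caller. The when branches are evaluated in order and the first true one wins, so the 403 reason tells you which check failed during testing. The same checks can also be expressed declaratively with the validate-client-certificate policy and its identities list, which is the more maintainable option when the allowed certificates change often.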