Design and publish internal APIs to external users
About Alif: Alif empowers Microsoft MSP-CSP partners to provide exceptional IT services to their clients, ensuring that the partners reduce their costs and focus on their business. We provide white-labelled managed services for technologies like Microsoft Azure, Microsoft 365, Microsoft Dynamics 365, Microsoft Security, SharePoint, Power Platform, SQL, Azure DevOps and a lot more. Our headquarters is in Pune, India, and we work with over 50 partners across the globe that trust us with their client delivery.
Azure API Management is a hybrid, multicloud management platform for APIs across all environments. This article provides an overview of common scenarios and key components of API Management.
APIs enable digital experiences, simplify application integration, underpin new digital products, and make data and services reusable and universally accessible. With the proliferation and increasing dependency on APIs, organizations need to manage them as first-class assets throughout their lifecycle.
Azure API Management helps customers meet these challenges:
Abstract backend architecture diversity and complexity from API consumers
Securely expose services hosted on and outside of Azure as APIs
Protect, accelerate, and observe APIs
Enable API discovery and consumption by internal and external users
Common scenarios include:
Unlocking legacy assets - APIs are used to abstract and modernize legacy backends and make them accessible from new cloud services and modern applications. APIs allow innovation without the risk, cost, and delays of migration.
API-centric app integration - APIs are easily consumable, standards-based, and self-describing mechanisms for exposing and accessing data, applications, and processes. They simplify and reduce the cost of app integration.
Multi-channel user experiences - APIs are frequently used to enable user experiences such as web, mobile, wearable, or Internet of Things applications. Reuse APIs to accelerate development and ROI.
B2B integration - APIs exposed to partners and customers lower the barrier to integrate business processes and exchange data between business entities. APIs eliminate the overhead inherent in point-to-point integration. Especially with self-service discovery and onboarding enabled, APIs are the primary tools for scaling B2B integration.
In this scenario, an organization has hosted multiple APIs using App Service Environments with an internal load balancer (ILB ASE) and would like to consolidate these APIs internally using Azure API Management (APIM) deployed inside a Virtual Network. The internal API Management instance could also be exposed to external users so that the full potential of the APIs can be used. This external exposure is achieved with an Application Gateway that forwards requests to the internal API Management service, which in turn consumes the APIs deployed in the ASE.
The data flows as follows:
1. Developers check in code to a GitHub repository connected to a CI/CD pipeline agent installed on an Azure VM
2. The agent pushes the build to the API application hosted on the ILB ASE
3. API Management consumes the above APIs via Host headers specified in an API Management policy
4. API Management uses the App Service Environment's DNS name for all the APIs
5. Application Gateway exposes API Management's developer portal and API gateway endpoint
6. Azure Private DNS is used to route the traffic internally between the ASE, API Management, and Application Gateway
7. External users use the exposed developer portal to consume the APIs via Application Gateway's public IP
Azure Virtual Network enables Azure resources to securely communicate with each other, the internet, and on-premises networks.
Azure Private DNS allows domain names to be resolved in a virtual network without needing to add a custom DNS solution.
Azure API Management helps organizations publish APIs to external, partner, and internal developers to use their data and services.
Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications.
Internal Load Balancer App Service Environment is an Azure App Service feature that provides a fully isolated and dedicated environment for securely running App Service apps at high scale.
Azure DevOps is a service for managing your development lifecycle and includes features for planning and project management, code management, build, and release.
Application Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms.
Azure Cosmos DB is Microsoft's globally distributed, multi-model database service.
In an Azure lift and shift scenario deployed into an Azure Virtual Network, back-end servers could be directly addressed through private IP addresses.
If using on-premises resources, the API Management instance could reach back to the internal service privately via an Azure VPN gateway and a site-to-site IPsec VPN connection or ExpressRoute, making this a hybrid Azure and on-premises scenario.
Existing or open-source DNS providers could be used instead of the Azure-based DNS Service.
Internal APIs deployed outside of Azure can still benefit by exposing the APIs through API Management Service.
The web APIs are hosted over HTTPS and use a TLS certificate.
The Application Gateway is also configured on port 443 for secure and reliable outbound calls to API Management.
The API Management service is configured to use custom domains with TLS certificates.
Review the suggested network configuration for App Service Environments
Port 3443 must be explicitly allowed in the network configuration so that the API Management instance can be managed through the Azure portal or PowerShell.
Use policies within APIM to add a Host header for the API hosted on the ASE. This ensures that the ASE's load balancer forwards the request to the correct app.
API Management accepts the ASE's DNS entry for all the apps hosted under the App Service Environment. Add an APIM policy that explicitly sets the Host header so that the ASE load balancer can differentiate between apps under the App Service Environment.
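The following API-scoped policy illustrates the Host header approach described above. It is an added example, not a policy from the original article; the ASE domain "myase.appserviceenvironment.net" and the app name "orders-api" are assumed placeholder values.

```xml
<!-- Added example policy (not from the original article). Placeholders:
     ASE internal domain "myase.appserviceenvironment.net", app "orders-api". -->
<policies>
  <inbound>
    <base />
    <!-- Send every call to the ASE's internal load balancer via the ASE DNS name,
         which Azure Private DNS resolves to the ILB's private IP inside the VNet. -->
    <set-backend-service base-url="https://myase.appserviceenvironment.net" />
    <!-- The ILB ASE front end selects the target app by Host header, so override
         whatever the client sent; otherwise the ASE cannot tell the apps apart. -->
    <set-header name="Host" exists-action="override">
      <value>orders-api.myase.appserviceenvironment.net</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

The backend name in base-url must be covered by the ASE's TLS certificate, since APIM validates the backend certificate against the host it connects to, not against the overridden Host header.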
Consider integrating with Azure Application Insights, which also surfaces metrics through Azure Monitor for monitoring.
If using CI/CD pipelines for deploying Internal APIs, consider building your own Hosted Agent on a VM inside the Virtual Network.
The Azure API Management service could be deployed as a multi-region deployment for higher availability and reduced latency. This feature is only available in the Premium tier. The API Management service in this specific scenario consumes APIs from App Service Environments; APIM could equally be used for APIs hosted on internal on-premises infrastructure.
App Service Environments could make use of Traffic Manager profiles to distribute the traffic hosted on App Service Environments for higher scale and availability.
API Management instances can be scaled out depending on a number of factors, such as the number and rate of concurrent connections, the kind and number of configured policies, request and response sizes, and back-end latencies of the APIs. Scale-out options are available in the Basic, Standard, and Premium tiers but are bound by an upper limit in tiers below Premium. The instances are referred to as units and can be scaled up to a maximum of two units in the Basic tier, four units in the Standard tier, and any number of units in the Premium tier. Autoscaling options are also available to enable scale out based on rules.
App Service Environments are designed for scale with limits based on the pricing tier and the apps hosted under the App Service Environments can be configured to scale out (number of instances) or scale up (instance size) depending upon the requirements of the application.
Azure Application Gateway auto scaling is available as a part of the Zone redundant SKU in all global Azure regions.
Since the above example scenario is hosted completely on an internal network, API Management and ASE are already deployed on secured infrastructure (Azure VNet). Application Gateways can be integrated with Microsoft Defender for Cloud to provide a seamless way to prevent, detect, and respond to threats to the environment.
Although this example scenario focuses on configuration, the APIs hosted on the App Service Environment should be resilient enough to handle errors in requests, which are ultimately managed by the API Management service and Application Gateway. Consider the Retry and Circuit Breaker patterns in the API design.
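One place the Retry pattern can be applied in this architecture is the APIM backend section, so that transient failures from the ASE-hosted API are retried before the error reaches the Application Gateway and the external caller. This is an added example, not from the original article; the status codes and limits are assumed values to adapt to the API.

```xml
<!-- Added example (not from the original article): retry transient backend failures
     in the APIM backend section. Values for count/interval are assumed examples. -->
<backend>
  <!-- Retry only idempotent GETs and only on gateway-style errors from the ASE app,
       so that a transient 502/503 or a 429 throttle is not surfaced to the caller. -->
  <retry condition="@(context.Request.Method == "GET" &&
                      (context.Response.StatusCode == 502 ||
                       context.Response.StatusCode == 503 ||
                       context.Response.StatusCode == 429))"
         count="3" interval="1" max-interval="10" delta="1" first-fast-retry="false">
    <!-- buffer-request-body is required so the body can be re-sent on each retry. -->
    <forward-request buffer-request-body="true" timeout="20" />
  </retry>
</backend>
```

Retrying non-idempotent methods (POST, PUT without keys) can duplicate side effects, which is why the condition is restricted to GET; the circuit-breaker half of the pattern belongs in the API implementation itself or in front of the backend so that a failing app is not hammered by retries.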