In this session, we will delve into the advanced features of Azure API Management, with a focus on building robust, secure, and scalable APIs. Attendees will learn about security best practices, policy management, and how to effectively use Azure's tools to enhance API performance and security. The session will combine theoretical knowledge with real-world scenarios to provide a comprehensive understanding of API management in the Azure environment.
Azure Developer YouTube - https://www.youtube.com/watch?v=TZi1AVC10P4
Microsoft Developer YouTube - https://www.youtube.com/watch?v=3MmDd3CR5is
2. Harnessing the Power of Azure API Management: Building Robust and Secure API
APIs in Action, February 2024
Hamida Rebai
Microsoft MVP and MCT, Cloud Solutions Architect, Docker Captain
4. Azure Developers | APIs in Action
Harnessing the Power of Azure API Management: Building Robust and Secure API
5. Azure Developers | APIs in Action
Contents
Section 1: The first topic we'll cover is API requirements and challenges, and the different advantages of using an API management platform.
Section 2: This section presents an overview of API Management and its advanced features.
Section 3: This section presents how to build robust, secure, and scalable APIs.
Section 4: This section presents security best practices.
6. Azure Developers | APIs in Action
• APIs play a crucial role in connecting applications and enabling seamless interactions.
• To engage in the API economy effectively, addressing several requirements and challenges related to monitoring, managing, and securing APIs is imperative. This includes:
  • Reuse
  • Easy access
  • Security
  • Visibility
Establishing API facades empowers IT organizations to maintain support for legacy backends.
API requirements and challenges
7. Azure Developers | APIs in Action
Responsibility for Evolution: Companies publishing APIs must evolve them systematically.
Developer Impact: Changes in APIs often require developers to rewrite programs, causing unnecessary disruptions.
Simplified Facades: IT organizations use simpler facades to decouple internal implementation from the API consumer experience.
Benefits of Facades:
• Developer Independence: Simplified APIs allow changes in the underlying implementation without affecting developers' applications.
• Legacy Support: Facades enable seamless transition from legacy APIs (XML, SOAP) to newer standards (JSON, REST) without recoding.
• Justification for Investment: The efficiency gained through reuse and legacy support justifies investing in an API management platform.
API Support: Decoupling through Facades
8. Azure Developers | APIs in Action
• An API management platform is a proxy between the API and the customer, partner, or developer using the API.
• Definition: API management refers to software that supports the stages of the API life cycle: planning, design, implementation, testing, deployment, operation, versioning, and retirement.
• Purpose: Organizations use APIs to modernize architectures, integrate systems, services, and partners efficiently, and monetize data and services.
• Benefits: An API management platform helps with discovering, designing, building, managing, and securing APIs, irrespective of organizational size, location, or industry.
• Advantages: Enhances composability, security, and business resilience, accelerating organizational growth.
API management platform
Challenges and requirements
9. Azure Developers | APIs in Action
Azure API Management
Architecture and features
The role of API management
• API management provides core functions to ensure a successful API program through developer participation, business insight, analysis, security, and protection.
• Each API consists of one or more operations, and each API can be added to one or more products.
The system is made up of the following components:
• API gateway (in Azure or self-hosted gateway)
• Azure portal
• The Developer portal
10. Azure Developers | APIs in Action
Azure API Management
Architecture and features
[Architecture diagram: control plane vs. data plane. The developer portal forms the user plane (used by app developers); the Azure API admin portal forms the admin/management plane (used by the API owner in the admin role) for monitoring and policies (metrics); the data plane is the API gateway fronting the APIs, either as hosted service implementations in Azure or as self-hosted on-premises service implementations.]
11. Azure Developers | APIs in Action
Building Robust, Secure, and Scalable APIs
Problem
• Importance of API delivery
• Ensuring API sustainability
• Role of API providers
• Expectations from API consumers
• Consequences of poor API delivery
12. Azure Developers | APIs in Action
Building Robust, Secure, and Scalable APIs
Best practices and consumer-centric API portfolio excellence
• Consumer-centric approach
• Contrast with provider-centric approach
• Provider-centric anti-pattern
• Sustainable APIs
13. Azure Developers | APIs in Action
Security best practices
Implement IAM and Security
Configure Endpoint Protection Capabilities
Implement API Mediation
Configure Analytics and Reporting
14. Azure Developers | APIs in Action
Secure APIs in Azure API Management by using subscriptions or by using certificates?
Subscription Keys or plans
Access control policies
Monitoring and analytics
Certificate Management
Certificates in Azure Key Vault
Configure API Management Policies
15. Azure Developers | APIs in Action
Secure APIs by using subscriptions
Subscription key scopes
All APIs: Applies to every API accessible from the gateway.
Single API: This scope applies to a single imported API and all of its endpoints.
Product: A product is a collection of one or more APIs that you configure in API Management. You can assign APIs to more than one product. Products can have different access rules, usage quotas, and terms of use.
16. Azure Developers | APIs in Action
Applications that call protected APIs
• Must include the key in every request.
• You can regenerate these subscription keys at any time.
• Every subscription has two keys, a primary and a secondary.
Secure APIs by using subscriptions
17. Azure Developers | APIs in Action
Keys can be passed in the request header, or as a query string in the URL.
• The default header name is Ocp-Apim-Subscription-Key.
• Use the developer portal to test out API calls.
Secure APIs by using subscriptions
Call an API with the subscription key
18. Azure Developers | APIs in Action
Secure APIs by using certificates
Certificates can be used to provide Transport Layer Security (TLS) mutual authentication between the client and the API gateway.
You can configure the API Management gateway to allow only requests with certificates containing a specific thumbprint.
The authorization at the gateway level is handled through inbound policies.
19. Azure Developers | APIs in Action
• Accepting client certificates in the Consumption tier
• Certificate authorization policies
• Check the thumbprint of a client certificate
• Check the thumbprint against certificates uploaded to API Management
• Check the issuer and subject of a client certificate
Secure APIs by using certificates
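An inbound policy fragment showing the three certificate checks listed above (thumbprint, uploaded certificates, issuer and subject), as an added example that is not from the talk or the slides; the thumbprint, issuer, and subject values are placeholders, and the gateway is assumed to have been configured to request a client certificate (which the Consumption tier requires enabling explicitly).

```xml
<!-- Added example. In practice you keep only ONE of the three <choose> blocks;
     they are shown one after another here only to compare them. -->
<inbound>
    <base />
    <!-- 1. Exact thumbprint: reject requests with no client certificate, or whose
            thumbprint differs from the expected one (placeholder, upper case). -->
    <choose>
        <when condition="@(context.Request.Certificate == null || context.Request.Certificate.Thumbprint != "PLACEHOLDER-THUMBPRINT-UPPER-CASE")">
            <return-response>
                <set-status code="403" reason="Invalid client certificate" />
            </return-response>
        </when>
    </choose>
    <!-- 2. Allow list: accept any certificate whose thumbprint matches a certificate
            uploaded to this API Management instance (context.Deployment.Certificates). -->
    <choose>
        <when condition="@(context.Request.Certificate == null || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
            <return-response>
                <set-status code="403" reason="Client certificate not on the allow list" />
            </return-response>
        </when>
    </choose>
    <!-- 3. Issuer and subject: survives certificate renewal, so pair it with a
            chain check (Verify()) against the CA certificates you uploaded;
            without it any certificate could claim the expected issuer string. -->
    <choose>
        <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify() || context.Request.Certificate.Issuer != "PLACEHOLDER-TRUSTED-ISSUER" || context.Request.Certificate.SubjectName.Name != "PLACEHOLDER-EXPECTED-SUBJECT")">
            <return-response>
                <set-status code="403" reason="Invalid client certificate" />
            </return-response>
        </when>
    </choose>
</inbound>
```

The quoted strings inside the `condition` attributes follow the form used in the API Management policy documentation; the policy engine accepts them even though a strict XML parser would not.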