Azure API Management helps developers build consistent, modern API gateways for existing backend services. We can publish APIs to external partners or internal developers to unlock the potential of REST and data services. Existing backend services can be encapsulated behind a powerful API gateway for various reasons:
Azure API Management
- We can secure mobile infrastructure by controlling access to APIs, preventing DDoS attacks through throttling and rate limiting, or applying advanced security policies such as JWT token validation.
- Enabling partner ecosystems by offering fast partner onboarding through the developer portal and building an API façade to decouple from internal implementations that are not ready for partner consumption.
- Running an internal API program by offering a centralized location for the organization to communicate about the availability and latest changes to APIs, gating access based on organizational accounts, all based on a secured channel between the API gateway and the backend.
Working of API Management
- It accepts API calls made to an API Management endpoint and routes them to the backend while proxying all the details like request body, query string parameters, path variables to the backend services.
- Seamless integration with microservices built on Azure functions hiding the backend implementation.
- Verifies API Keys, JWT Tokens, certificates and basic credentials in case of Basic Auth.
- Sets up Basic Auth, OAuth 2.0 and other security for backend services easily.
- Enforces usage quotas, throttling and rate limiting to prevent DDoS attacks or misuse of the API endpoint.
- Responds to the calling client by proxying the response received from the backend service, optionally adding extra headers if required (for example, to enable CORS).
- Transforms our API on the fly without any code modifications.
- Caches backend responses if set up.
- Logs call metadata and monitors health automatically for analytical purposes.
API policies provide a powerful capability that allows the admin or the publisher of the API to alter the behaviour of the API gateway through configuration. Policies are a collection of XML statements that are executed in sequence on the request and response of an API. Popular statements include format conversion from XML to JSON and vice versa, and call rate limiting to restrict the number of calls from a client to the endpoint.
Policies have different sections, namely inbound, outbound, backend and on-error, to handle or manipulate the behaviour at each of these steps in the life cycle of an API call. Policies also provide a way to reduce the overhead of the backend service by performing some actions in a policy instead of in the backend service itself. Example uses of policies in API Management:
- Enforce that a required HTTP header is present in the inbound request.
- Restrict caller IP addresses to filter calls from specific IP addresses or IP address ranges.
- Control-flow policy statements based on the evaluation of Boolean expressions.
- Invoke a stored procedure from a Cosmos DB collection using policies.
- Limit concurrency by preventing the enclosed policies from being executed by more than the specified number of requests at a time.
- Caching policy statements to store values in and retrieve values from the cache.
- Transformation policies such as format conversion from XML to JSON and vice versa, or find-and-replace of strings in the body of an inbound API call.
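The following policy document is an added example, written for this article and not taken from the post or from Microsoft's reference material. It ties together the gateway capabilities listed under "Working of API Management" and the policy examples above in one inbound/backend/outbound/on-error definition: a required-header check, an IP allow-list, rate limiting and quotas, JWT validation, response caching, a conditional header, backend Basic Auth via named values, CORS and XML-to-JSON on the way out, and a generic error response that does not echo internal details to the caller. All hostnames, IP ranges, the tenant ID, the audience, the named-value names (`{{backend-user}}`, `{{backend-password}}`) and the header names are placeholders chosen for this example.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject requests that do not carry the correlation header our backend expects -->
        <check-header name="X-Correlation-Id" failed-check-httpcode="400"
                      failed-check-error-message="X-Correlation-Id header is required"
                      ignore-case="true" />
        <!-- Only accept calls from the partner network range (placeholder range) -->
        <ip-filter action="allow">
            <address-range from="203.0.113.1" to="203.0.113.254" />
        </ip-filter>
        <!-- Throttle bursts per subscription and cap total hourly usage -->
        <rate-limit calls="20" renewal-period="60" />
        <quota calls="10000" bandwidth="40000" renewal-period="3600" />
        <!-- Validate the bearer token issued by the placeholder tenant -->
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      require-expiration-time="true" require-scheme="Bearer"
                      require-signed-tokens="true">
            <openid-config url="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://orders-api-placeholder</audience>
            </audiences>
            <required-claims>
                <claim name="roles" match="any">
                    <value>Orders.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Serve a cached copy when one exists, avoiding a backend round trip -->
        <cache-lookup vary-by-developer="false" vary-by-developer-groups="false"
                      downstream-caching-type="none" />
        <!-- Control flow: only forward the debug flag when the client explicitly asks for it -->
        <choose>
            <when condition="@(context.Request.Headers.GetValueOrDefault(&quot;X-Debug&quot;, &quot;&quot;) == &quot;true&quot;)">
                <set-header name="X-Backend-Trace" exists-action="override">
                    <value>enabled</value>
                </set-header>
            </when>
            <otherwise>
                <set-header name="X-Backend-Trace" exists-action="delete" />
            </otherwise>
        </choose>
        <!-- Backend credentials come from named values, never from the policy text -->
        <authentication-basic username="{{backend-user}}" password="{{backend-password}}" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Cache successful responses for one minute -->
        <cache-store duration="60" />
        <!-- Convert the legacy XML backend response to JSON for modern clients -->
        <xml-to-json kind="direct" apply="content-type-xml" consider-accept-header="false" />
        <!-- Rewrite internal hostnames that leak into response bodies -->
        <find-and-replace from="orders.internal.placeholder" to="api.partner.placeholder" />
        <!-- Enable CORS for a single trusted origin and strip server fingerprinting headers -->
        <set-header name="Access-Control-Allow-Origin" exists-action="override">
            <value>https://portal.partner.placeholder</value>
        </set-header>
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="Server" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
        <!-- Return a generic message; the real error stays in the gateway logs -->
        <set-status code="500" reason="Internal Server Error" />
        <set-header name="Content-Type" exists-action="override">
            <value>application/json</value>
        </set-header>
        <set-body>{"error": "An unexpected error occurred. Quote your X-Correlation-Id when contacting support."}</set-body>
    </on-error>
</policies>
```

Each `<base />` keeps whatever policies were defined at the higher scope (product or global) in effect, so the API-level policy adds to rather than replaces them. The order inside `<inbound>` matters: the cheap checks (required header, IP filter, rate limit) run before the JWT validation so that unauthenticated floods are rejected without the cost of token verification.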