Have you (like most of the IT world) heard about Microsoft’s innovative Azure API Management, but can’t seem to figure out if you should include this new technology in your company’s IT solution? Is this management platform, in fact, worth the hype? And what are the actual functions and tools that come with the service?
According to an article on Microsoft Azure’s website, “API Management (APIM) is a way to create consistent and modern API gateways for existing back-end services.”
In other words, the Azure API Management (hereinafter referred to as APIM) provides an interface for your back-end services and APIs while making sure they’re secured, monitored, maintained, well documented and published in the cloud.
This might be reason enough for some to get APIM. However, if you’re still not quite sure, then let’s take a closer look at some of the many APIM tools and functions.
An overview of what you get with APIM
- API documentation: This tool provides automatic suggestions for documenting your APIs, which allows developers to integrate their solutions much faster. By using modern frameworks and standards, like OpenAPI, you can easily expose the API structure. Furthermore, this tool enables you to have more than one version of your API running at the same time, providing testing, trial and backward compatibility.
- Rate-limiting access: It’s important to control access to exposed data, especially if a large amount of data is being delivered by the API. Rate limiting is the tool used to secure the optimal response time for every client. It can be handled for the whole API or for specific individual clients.
- Health monitoring: Since APIs are consumed by remote clients, it can be difficult to identify potential issues, for example when your back-end is down or responding slowly. However, APIM can track and present you with logs about both errors and different types of responses.
- A broad variety of formats: APIM supports the standard web formats like XML, CSV and of course it has native support for JSON, which is widely used in web technologies to exchange information. You are also able to handle conversion between formats using policies.
- Abstract your back-end implementation: Regardless of where your APIs are being hosted or if they are different applications that serve the same purpose, you can integrate all your APIs in one single interface, making the communication with your clients much easier. APIM works as an orchestration between APIs.
- Analytics: In the Azure portal, APIM can show you how often your APIs are being called and by which types of systems. It’s also integrated with Application Insights for a full dashboard presentation, where you can narrow the data to fit your needs.
- Security: This is without a doubt one of APIM’s most important functions. An unauthorized breach can end up costing your company a lot of money and many working hours. The security tools that you can use with APIM include different approaches to protect your systems. It provides OAuth 2.0 user authorization and integration with Azure Active Directory.
- Data manipulation: Allows you to apply data transformations between your front-end and back-end, wherever you need to apply the policies, including converting formats from XML to JSON, limiting the call rate (to restrict the number of incoming calls from a developer), removing unwanted headers, and many other policies.
- Improvement of performance: APIM provides the ability to cache responses to common requests. Performance improves when requests for static data no longer need to reach your back-end.
- Cost management: APIM has five different pricing options, from the Developer tier which has a minimum cost to the recently introduced Consumption tier, which is a serverless pay-as-you-go option.
Hopefully, this gave you an overview of what APIM can do and what the platform has to offer. Now we’re going to dive deeper into the different tools and talk about some of the functions and advantages in detail.
Abstract your back-end implementation & API documentation
As I mentioned earlier, APIM supports several API frameworks and standards, as pictured and listed below. These are options for importing APIs where an API defines the methods and information for them. In case you want to start from scratch, you simply select the Blank API and generate all the information using the APIM.
Once you’ve provided the API information, you can access the Developer Portal, which is a web portal where developers can learn about the APIs. The portal contains the information of all the APIs connected to your APIM service. Some of the content is generated automatically when you configure the APIs, but you can also customize the content and make changes to the look of the page and adapt it according to your company’s standards. This is a very useful feature that will save you a lot of time and provide you with support for one of the most tedious tasks: documentation.
Rate-limiting access & security
Rate-limiting access and security are provided by a combination of the following APIM features. A product is what developers subscribe to in order to use APIs belonging to the APIM namespace, and it identifies the security and access measures that apply. Groups are used to manage the visibility of products to developers. Products grant visibility to groups, and developers can view and subscribe to the products that are visible to the groups to which they belong.
APIM has the following immutable system groups:
- Administrators: Members of this group are the Azure subscription administrators. The administrators can manage APIM service instances and create the APIs, operations, and products that are used by the developers.
- Developers: Authenticated developer portal users are members of this group. Developers are the customers that build applications using your APIs. The developers can access the developer portal and build applications that call the operations of an API.
- Guests: Unauthenticated developer portal users, such as prospective customers visiting the developer portal of an API Management instance are members of this group. They can be granted certain read-only access, such as the ability to view APIs but not call them.
You can create your own custom groups or just use the existing ones in Azure Active Directory.
APIM also lets you change the behavior of an API through a configuration called policies. A policy is a collection of statements that are executed sequentially on the request or response of an API. Access-restriction policies validate the call, for example by checking HTTP headers, or remove headers whose information could compromise your back-end. Authentication policies, cross-domain validations, and any other security measure can be checked before a call reaches your back-ends. To learn more about policies in Azure APIM please click here.
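As an added illustration (not taken from the original article or from Microsoft's samples), the following API-scope policy document combines several of the policies mentioned so far: Azure AD token validation, a call-rate limit, removal of revealing response headers, and XML-to-JSON conversion. The tenant ID, audience, limit values and header names are placeholders or constructed values chosen for the example.

```xml
<!-- Added example. Statements run top to bottom within each section. -->
<policies>
    <inbound>
        <base />
        <!-- Reject calls that lack a valid Azure AD bearer token
             before they reach the back-end. Tenant and audience are placeholders. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      require-scheme="Bearer">
            <openid-config url="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://AUDIENCE-PLACEHOLDER</audience>
            </audiences>
        </validate-jwt>
        <!-- Throttle each subscription to 100 calls per 60 seconds
             (constructed values); excess calls receive 429 Too Many Requests. -->
        <rate-limit calls="100" renewal-period="60" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Strip response headers that disclose the back-end technology stack. -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
        <!-- Convert an XML back-end response to JSON for the client. -->
        <xml-to-json kind="direct" apply="always" consider-accept-header="false" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The `<base />` element in each section pulls in whatever policy is defined at the enclosing scope, so removing it silently drops any product-level or global checks that were meant to apply to this API.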
A broad variety of formats & data manipulation
The best-known standard web formats supported by APIM are XML, CSV and JSON. Going back to the policies, they provide a lot of transformation capabilities that can be applied to the inbound or outbound layers. The format and data manipulation options range from a format type conversion to applying an XSLT to a message. Here’s the entire list of available transformation policies in APIM:
Health monitoring & analytics
The APIM contains several tools that can provide you with details about your consumption and usage. They help you analyze cases such as the impact your APIs are having on your back-end, or how to improve the responses and reliability of your APIs. By connecting to Azure Monitor services through Diagnostic Settings configurations, you can use tools like Azure Application Insights, Metrics and Alerts, or access Logs directly by creating your own custom queries or connecting them to reporting tools. These tools are built to make the usage of your API more effective.
When creating an APIM gateway, you must choose between the following pricing tiers:
- Developer: You can use the developer tier for evaluating the API management service. Note: You shouldn't use this tier for production deployments.
- Basic, Standard & Premium: These three tiers are production level tiers that go from entry-level production to medium-volume production and finally high-volume or enterprise production use. You can choose the tier that suits your business the best according to your company’s size and the estimated number of requests per second. Note: A scale unit enables you to scale up the service - the more units you have, the more you can upscale the service.
- Consumption: The serverless consumption tier plan lets you pay for what you use, rather than having dedicated resources. You can quickly set up ad-hoc testing and you can upscale your API access when your demand increases. The consumption tier has a built-in high availability and autoscaling. It’s delivered very fast because it doesn’t need to reserve many resources upfront (the hosted tiers have an average delivery time between 30 and 45 min). Note: This plan has limited features.
An important consideration to keep in mind is that scaling between the Consumption tier and the dedicated SKU tiers (Developer, Basic, Standard, and Premium) is not supported.
You can read more about the APIM pricing details for your specific region here, and if you want to know more about the different features that are included in the different pricing tiers, you can read more here.
Okay, now it’s time to ask yourself once again if APIM is right for your company’s IT solution and if it’s the kind of technology that your company needs?
From my point of view, APIM is a spectacular tool that can provide the framework to set up APIs for the services you want in both an easy and intuitive manner.
Here are some of the best and most important features in my opinion:
- The consumption price tier layer where you only pay for what you use, and you don’t need to worry about scaling issues since it automatically fits the needs of your system. Plus, you get 1M calls for free. However, the tier has limited features, which means that the developer portal for automated documentation is not available. The consumption tier could be a good option if you already have your own API and want to add a security and governance layer like the quota rates or products offered by the API.
- The OpenAPI standard, which creates quick and consistent integrations between APIs and enables you to set up your very first APIM in just minutes.
- Policies are a powerful capability of the system. Security, privacy, authentication and content transformation can all be handled within this feature.
- The developer portal is available and automatically created if you’re running your API in one of the hosted options, and you have the option to customize the portal and adjust it to your company's standards and layouts.
- Revisions and versions. The option to have multiple versions and revisions running at the same time allows you to test features without affecting the latest version, and it gives you flexibility and backward compatibility.