This article is about using the Azure API Management service in a particular context; the need for it arose from a situation we ran into on a project. I work on a product that is a multi-tenant app, and its APIs are consumed by different tenants. Because our APIs were built on top of Azure Functions, the difficulty was restricting access per tenant while every tenant used the same function key. To mitigate this, we implemented the API Management service. It not only let us issue separate subscription keys to different tenants but also let us restrict API calls and gave us insights into their usage. We are now planning to scale it by analyzing load in those insights.
The Microsoft reference for setting up API Management Service is given here.
Overview of API Management
Azure API Management acts as a gateway service in front of backend services, exposing them as a managed API program.
Instead of clients sending requests directly to individual services, they send them to the API gateway. Placing a modern API gateway in front of existing backend services hosted in Azure also protects them from abuse or overuse, and it gives insight into usage and health.
The developer portal helps onboard partners and developers so they can get up and running with the APIs.
Setup of Azure API Management
Create API Management Service
To start with, go to API Management Service and create a new service. Fill in the details as described in the following image.
Provisioning may take a little while to complete. Once it has completed, open the resource and click the “APIs” link under the APIs section.
On the following screen, APIs can be created from multiple sources such as a WSDL file, a Swagger/OpenAPI definition, a Logic App, and so on. This article demonstrates the “Function App” source.
Fill in the details to map existing Function App and its APIs.
Click on “Select” to get a list of APIs available under the Function App.
Select the APIs that should be exposed in API Management and click “Select” to create APIs.
To create a subscription, first create a Product and tick the following check boxes:
- Requires Subscription
- Requires Approval
Fill in the rest of the details and click “Create”. In the APIs section, select one of the created APIs, then select “Settings”; under “Products”, select the newly created product.
Policies in Azure API Management
In Azure API Management, a policy is a powerful capability that lets the publisher change the behavior of an API through configuration. Policies are applied inside the gateway, which sits between the API consumer and the managed APIs.
To set policy, click on any API and click the code icon in the “Inbound processing” section.
Turn on the “Show Snippets” to view the list of available policies.
For example, click “Limit call rate per subscription” under “Access restriction policies”.
In this example, the code snippet shows that calls are limited to at most 5 per 5 seconds for each subscription.
Similarly, other policies can be added in inbound/outbound sections.
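As an added example (not the snippet shown in the portal or taken from this page), the following is a complete policy document that applies the rate limit just described and, going one step beyond the text, adds a longer-term per-subscription quota so that tenant usage can also be capped over time. The 5-calls-per-5-seconds figure comes from the text; the quota numbers are illustrative assumptions.

```xml
<policies>
    <inbound>
        <!-- Inherit whatever policies are defined at the enclosing scope (product/global). -->
        <base />
        <!-- Each subscription key may make at most 5 calls per 5-second window.
             A call beyond that inside the window is rejected with HTTP 429 Too Many Requests
             and a Retry-After header. Only one rate-limit element is allowed per policy document. -->
        <rate-limit calls="5" renewal-period="5" />
        <!-- Assumed extension: a longer-term cap per subscription key,
             here 10,000 calls per 7 days (renewal-period is in seconds).
             Once exhausted, further calls are rejected with HTTP 403 Forbidden until renewal. -->
        <quota calls="10000" renewal-period="604800" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Both counters are kept per subscription key, so each tenant's key is throttled independently and one tenant cannot exhaust another's allowance. Applying the policy at the product scope (rather than on a single API) means it covers every API the product contains, and tenants placed in different products can be given different limits.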
Click on “Developer Portal” in the APIs section to open up the developer portal.
First-time users need to sign up; returning users log in.
Either way, a login is required for the Developer Portal.
Now subscribe to the product that was created. Once someone requests a subscription, it appears under the “Subscriptions” link in Azure. After the subscription is approved, the developer can see the subscription key that is used to call the APIs.
By clicking on the name of the API, its details and code snippets in multiple languages can be viewed.
Below is sample code in C# to call these APIs:
Replace the subscription key with the key shown in the Profile section of the Developer Portal.
We have a multi-tenant application whose APIs are served to different tenants. Before we implemented the API gateway, the problem was that the same function key was shared by all tenants, which was a security flaw. With this approach, we get a different subscription key for each tenant and share that key with them so they can consume our APIs with it. Another benefit is that we can limit API usage per tenant and get insights into the API calls. In the next step we are going to leverage the scaling of this service. In summary, we felt that the API Management Service helped us in a few ways:
- Independent development and freedom to choose technology
- Independent deployment and release cycle
- Granular scaling
- Secure and optimize your APIs
- Get insights of your APIs
- Controlled access
- Fault isolation