Grand Tour of Azure API Management

Azure API Management overview

Agenda In-depth look at the API life cycle phases
Design → Develop → Secure → Publish → Scale → Monitor → Analyze
Digital transformation is built on APIs

APIs
API governance and usage defines success

Façade Front door Frictionless consumption

Abstraction Control Onboarding

Aggregate or slice Route and accelerate Discover and learn

Normalize or modernize Secure and protect Try
Decouple life cycle Transform Obtain access
Mock Observe Get started
Azure API Management

API
Developer portal
Discover Abstract
Learn Secure
Try Evolve
Onboard Observe
App Management API
Get help plane Monetize
developers providers
User plane

Gateway

Employees
Partners Data plane
Customers
Apps
on devices
(micro)services
Fully-managed serverless and dedicated tiers
Consumption tier Developer | Basic | Standard | Premium tier
No infrastructure to provision or manage No infrastructure to provision or manage

Built-in auto-scaling down to zero Manual scaling or external auto-scaling

Consumption-based micro billing Billing based on reserved capacity

Variable, usage-based monthly cost Constant, predictable monthly cost

No reserved capacity Reserved capacity

Shared management plane Dedicated management, user, and data planes

On-demand activation Always on

Curated set of features and usage limits Full set of features. Not governed.
Azure Application Platform

Application platform

API Management

Web Function Logic Worker

ML App
App App App App

Integration
Events Messaging
App VS Code GitHub Application
Developer package
Azure Serverless Azure Kubernetes Service

Management

Azure Resource Manager Azure Arc

IT Pro Azure Policy

Hosting
Azure On-premises IoT Edge Multi-cloud
Azure Integration Services – Enterprise iPaaS

Gartner named Microsoft a leader in 2021 Gartner Magic Quadrant for Enterprise iPaaS
API management is key in digital business ecosystem
Marketplace of apps for employees, partners, and customers
End users
More productive and satisfied
Power Apps employees, partners, and customers
Extend innovation with citizen developers through easy
discovery and consumption of custom APIs

Enterprise marketplace for API-based Citizen developers

innovation Able to accelerate app creation
API Management Connectors AI Builder Dataverse
Unified management for custom APIs across
clouds and on-premises

IT pros
Able to govern all APIs and Apps

Other Clouds Azure On-premises

Integrated early on into the API

development process
Professional developers
Able to amplify skills by maximizing
API reuse
Gartner named Microsoft a leader in 2021 Gartner Magic Quadrant for Low Code Application Platform
Value proposition
Mature full life cycle API management solution
Trusted by thousands of enterprise customers
Abstract, secure, observe, and make APIs discoverable in minutes
One solution for APIs across clouds and on-premises
Dependable, secure, scalable, and performant
DevOps and developer-friendly
Azure-native and integrated with other Azure services
Globally available and supported
Low-barrier-to-entry pricing
 840K
4.65T
54 regions worldwide

APIs under management

72% YoY growth 18%

47%

35%

18K
API calls per annum Americas EMEA APAC
87% YoY growth

Customers
38% YoY growth

Gartner named Microsoft a leader in 2021 Gartner Magic Quadrant for Full Life Cycle API Management
Azure API Management Customers
Full API lifecycle
Design

Analyze Develop

Monitor Secure

Scale Publish
 Design

Analyze Develop

API life cycle:

design
Monitor Secure

Scale Publish
Code- and design-first approaches to building APIs
API Management supports both approaches to building APIs:
Code-first approach
Implement the API and generate the API specification as an afterthought (i.e. with Swashbuckle)
Benefits:
More convenient for API developers
The only option for existing APIs

Design-first approach
Create an API specification, review it with stakeholders, and implement the API
Kickstart development by scaffolding the code from the API specification
Benefits:
Better API consumer experience thanks to the deliberate API design
Reduced risk thanks to the API review processes
Create an API

Support for SOAP, REST,

WebSocket and GraphQL APIs

Import an API from OpenAPI (1,

2, or 3), WADL, or WSDL files

Import an API from App Service,

Logic App, Function App, or
Container App

Create a blank API

Code-first approach – use the wildcard proxy mode
Wildcard “*” proxy mode
Use to route all requests through API Management if an accurate API specification doesn’t exist
Use built-in API design features to improve the specification
Design the API

Define the API with form-based or text-

based editors in the Azure portal or the
Visual Studio Code extension

Test the API in the Azure portal and

generate schemas from the API responses
Design-first approach – mock the API
Unblock front-end teams by mocking API responses
Use an example defined in the API definition
Configure with a single-line policy

API

200 OK

{
“message”: “example”
}
WebSocket API support

Gateway

WebSocket WebSocket

Passthrough support for WebSocket APIs

Client applications establish WebSocket connections with APIM
API Management establishes WebSocket connections with backend services
API Management proxies WebSocket messages

Features
CRUD WebSocket APIs
Apply policies to handshake requests
Browse WebSocket APIs in the Developer portal
Test WebSocket APIs in the Azure and Developer portals
Azure Monitor metrics and logs
GraphQL API support (Public preview)
Passthrough support for GraphQL APIs
CRUD existing GraphQL APIs via Azure portal and management API
Explore the schema and run test queries in the Azure and developer portals
Apply existing access control policies
Apply a new 'validate-graphql-request' policy to protect against GraphQL-specific attacks
Query validation
Field-based authorization
Query depth and size restriction
 Design

Analyze Develop

API life cycle:

develop
Monitor Secure

Scale Publish
There’s a policy for that
Encapsulate common API management functions
Access control, Protection, Transformation, Caching, …

Mutate request context or change API behavior

E.g. add a header or throttle

Set in the inbound and outbound directions

Apply at a variety of scopes or on error
Scope determines which APIs are affected
Can define custom scopes in addition to four available b default

Compose into a pipeline from effective scopes

Degree of control over inheritance of scopes, i.e. <base/> element
Don’t delete <base/> inadvertently

[Link]
Policy scopes

GET /foo/bar HTTP/1.1

global
Host: [Link]
Key: 0123456789
0123456789 product
from caller to backend

/foo api

/bar operation

to caller
from backend
C# “snippets” used with policies
Have read-only access to the request context
Use only whitelisted .NET types
Used to configure and conditionally execute policies
53 policies out of the box
Access restriction Transformation Advanced Dapr integration

• Check HTTP header • Convert JSON to XML • Send one way request • Send request to a service
• Limit call rate by subscription • Convert XML to JSON • Send request • Send message to a pub/sub topic
• Limit call rate by key • Find and replace string in body • Set HTTP proxy • Trigger output binding
• Restrict caller Ips • Mask URLs in content • Set variable
• Set usage quota by subscription • Set backend service • Set request method
• Set usage quota by key • Set body • Set status code
• Validate client certificate • Set HTTP header • Control flow
• Validate JWT • Set query string parameter • Emit metric
• Rewrite URL • Log to Event Hub
• Transform XML using XSLT • Trace
• Mock response
• Forward request
• Limit concurrency
• Return response
• Retry
• Wait

Authentication Caching Cross Domain Validation policies

• Authenticate with basic • Get from cache • Allow cross-domain calls • Validate content
• Authenticate with client certificate • Store to cache • CORS • Validate parameters
• Authenticate with managed identity • Get value from cache • JSONP • Validate headers
• Store value from cache • Validate status code
• Remove value from cache • Validate GraphQL request
Integration policies
<send-request/>
Response composition (or gateway aggregation)
One client request -> multiple backend requests
Data lookup, complex content transformation, payload or credential validation
Typical pattern:
1. externalize logic as an HTTP endpoint
2. make a call
3. cache the result

<send-one-way-request/>
Traffic mirroring
Coordinate callouts with <wait> for all or any outstanding requests

<log-to-eventhub/>
Event Hub is widely supported within Azure
Custom reporting, batch analytics, archiving, audit
Customer has full control over what is logged, when it is logged and owns the data
We employ buffering (e.g. 200MB per node in Premium)
Delivery is not guaranteed – comprehensive set of metrics is available
It’s crucial to adequately scale the target Event Hub
Co-location in the region is highly recommended
Request forwarding
<forward-request/>
Usually inherited from the global scope via <base/>
No policy, no forwarding
Timeout can be set to 30 sec – 10 min (default is 5 min)
Can be configured to follow redirects or (default) return them to caller

<retry/>

Retry is triggered when specified expression evaluates as true

Choice of fixed, linear or exponential back off interval
Optional fast first retry
Does NOT retain a copy of the request automatically

<limit-concurrency/>
Caps the number of concurrent requests forwarded to the backend
Can be used with other policies - limits the number of requests entering enclosed policies

<set-backend-service>
Change backend service during runtime
Can be configured with conditional policies for blue/green deployment
Caching
Distributed Redis cache hosted as part of service instance (not available in the Consumption tier)
Shared among all units within a region
Not persistent and thus gets lost during service updates
No preloading

<cache-lookup/> and <cache-store/>

Caches response if it’s smaller than 2MB
Acts as server of origin – ignores cache control headers from backend and replaces them with own
With expressions possible to use cache control settings sent from backend
vary-by-developer and vary-by-group provide additional scope control
Can be configured to cache requests with Authorization header
Properly handles conditional requests (e.g. if-match, if-modified-since)
Cache hit ratio is provided as a metric

<cache-lookup-value> & <cache-store-value>

Entity to cache and a key are specified by expressions
Invalidation
TTL or LRU
Any policy change invalidates cache entries at that scope
<cache-remove-value/> removes an entry with a specified key
Bring your own cache
Add externally provisioned, Redis-compatible cache
Full control over cache configuration and size
Ability to preload and purge cache content
Ability to independently scale cache
Only cache option in the Consumption tier
Cache policies are extended to work with external cache
Added cache-preference attribute
Can be set to “internal”, “external”, (default) “prefer-external”

Can use different cache types at different scopes

Throttling
Accuracy of (distributed) throttling policies is limited by synchronization latency

<rate-limit-by-key/>
Number of calls allowed in short interval (usually 1 sec)
Enforced per region
Key expression specifies throttling semantics, e.g. caller IP, subscription ID, developer ID
Uses sliding time window, i.e. last 5 seconds
Counts every request or only the ones that meet specified condition, e.g. only 200 OK
Different requests can be weighted differently, e.g. based on cost to the backend
Legacy <rate-limit/> == <rate-limit-by-key/> with subscription ID as a key

<quota-by-key/>
Total number of calls and/or bytes per time period (usually hour, day, week, month)
Enforced per service instance
Key expression specifies throttling semantics, e.g. caller IP, subscription ID, developer ID
Uses calendar time
Counts every request or only the ones that meet specified condition, e.g. status < 400
Different requests can be weighted differently, e.g. based on value provided to the caller
Legacy <quota/> == <quota-by-key/> with subscription ID as a key
Authentication
Authentication using subscription keys is supported out-of-the-box without configuring policies

<validate-jwt>
validates JSON Web Tokens
Supports JWS and JWE (RSA256 and HS256)
Supports Open ID Configuration endpoint
Can also check specific claims
Can be configured at any policy scope

<validate-client-certificate>
Enforce that a certificate presented by a client matches the specified validation rules and claims, such as subject, thumbprint, or issuer
Transformation
<set-header> and <set-query-parameter>
Add/remove/modify headers and query parameters of incoming and outgoing requests

<set-body>
Set the payload of incoming and outgoing requests

<rewrite-url>
Convert request URL from its public form to the form expected by the backend service

<xml-to-json> and <json-to-xml>

Convert payload of incoming and outgoing requests between XML and JSON

<find-and-replace>
Find and replace substrings in the payload of incoming and outgoing requests

<xsl-transform>
Applies XSL transformation to XML in the payload of incoming and outgoing requests
Validation
<validate-content>
Validates the size or JSON schema of a request or response body against the API schema

<validate-parameters>
Validates the header, query, or path parameters in requests against the API schema

<validate-headers>
Validates the responses headers against the API schema

<validate-status-code>
Validates the HTTP status codes in responses against the API schema

<validate-graphql-request>
Validates and authorizes a request to a GraphQL API
Visual Studio Code
Designed to increase productivity

Convenient resource explorer

Advanced policy editor

Policy debugging

Syntax check and IntelliSense

Embedded REST client for testing

Integrated with automation tools

Command palette support

Live policy debugging in Visual Studio Code
Postmortem debugging
Rely on logs after requests are processed
Live debugging
Follow the processing of requests in real time
Features
Initiate live debugging session from VS Code
Single-step through policies
Set breakpoints at individual policies
Inspect system-created and user-created variables
Examine errors
Restrictions & limitations
Developer-tier only
One debugging session per instance
Design-first API development

Design an API with OpenAPI spec

Mock API responses to unblock front-
end developers
Scaffold Azure Functions in VS Code
Fill in the business logic
Supported languages
C#
Java
Python
TypeScript
Automate API Management deployments
Context
Multiple deployment environments, e.g. development, QA, production
Some of the environments are shared, e.g. production
Many API development teams each responsible for one or more APIs

Problems
Automate deployment of APIs into API Management
Migrate configurations from one environment to another
Avoid interference between development teams

There is no one-size-fit-all solution

 APIs
PowerShell Cmdlets
Azure CLI
Deployment
Resource Manager Templates
options Bicep
Terraform
SDKs
SOAP-to-REST
One-click modernization of legacy services
Import a WSDL, get a REST API façade instantly
APIM does all the conversions using heuristics
Customers have full control of the conversions through policies
Known restrictions
 Recommended approach

Production Development

API publishers [Link]

API developers

Publisher repository Developer repository

 Design

Analyze Develop

API life cycle:

secure
Monitor Secure

Scale Publish
API Management to the rescue
# OWASP API Top 10 (2019) Mitigations and preventive measures in API Management
1 Broken Object Level Authorization

2 Broken Authentication Key/token/certificate-based authentication

Request transformation
3 Excessive Data Exposure Filtering or masking sensitive data
Request and response validation
4 Lack of Resources & Rate Limiting Throttling and quota limit
Backend concurrency
5 Broken Function Level Authorization Key/token-based authorization
Custom authorization
6 Mass assignment Request and response validation

7 Security misconfigurations TLS enforcement and configuration

CORS
Sanitization of response headers and error messages
Ciphers and protocols management
Coming soon: security configuration recommendations
8 Injection Request and response validation

9 Improper Assets Management Up-to-date API catalog

API lifecycle management
10 Insufficient logging and monitoring Logging
Secure all points of interaction

“User plane” API Management plane

App developers Management API providers

plane

Developer portal

Data plane

Backend APIs

Gateway
Apps on devices
Data plane security

User App on a device Firewall Gateway Backend APIs

OWASP core rule sets Façade HTTP Basic (shared secret)

Bot protection rule set Key
Mutual certificate
Custom rules OAuth 2
OAuth 2 OBO
Client certificate
Managed identity
Custom authN/authZ
IP filter IP filter
Request/response validation Private networking
Throttling
 Expose selected backend APIs
Allow chosen HTTP methods and routes
Façade Enforce TLS and its configuration
Define CORS rules
Restrict client IPs
 Turned on and UUID by default

Can be rotated and set to custom values

Keys Identify developer and app

Roughly equivalent to HTTP Basic

security-wise
 Signed (JWS) and encrypted (JWE)

Validate via policy and expressions

Enforce claims
JWT
Require signatures and expiration time

Provide keys inline or via a metadata

endpoint
 Issued by trusted and untrusted CA

Client Use the validate-client-certificate policy

certificates Require certificate on per host basis

Check or ignore revocation lists

 Integrate with a bespoke or unsupported
Custom
authentication identity or authorization system
and Call out to an external HTTPS endpoint
authorization
Cache the result for efficiency
 Rate limit
Approximate
Per region
Key expression defines throttling semantics
Can count requests with specific status code
Variable increment count

Quota
Throttling Calls and data transfer
Approximate
Per service
Key expression defines throttling semantics
Can count requests with specific status code
Variable increment count

Concurrency limit
Precise
Per node
 Filter or mask confidential data
Response
Standardize error messages
sanitization
Remove sensitive headers
 Use request and response validation
policies to protect your APIs from
Request and vulnerabilities
response
validation
Excessive DoS large
Mass
data Injection payload
assignment
exposure attack
OWASP API Top 10 OWASP API Top 10 OWASP API Top 10
Validation policies
Four policies
Validate content - validates the size or JSON schema of a request or response body against the API schema
Validate parameters - validates the request header, query, or path parameters against the API schema
Validate headers - validates the response headers against the API schema
Validate status code - validates the HTTP status codes in responses against the API schema

Prevention and detection modes

Granular overrides for child elements
Logging of errors to a context variable
Use the tracing policy to send logs to Application Insights
Performance implications and limits
Max body size: 100 kB
Max schema size: 4 MB
The larger the API schema size, the lower the throughput
The larger the payload in a request or response, the lower the throughput
The size of the API schema has a larger impact on performance than the size of the payload
Validation against an API schema that is several megabytes in size may cause request or response timeouts
Mass assignment
Attackers modify object properties they are not supposed to
Usually caused by binding client-provided data (e.g., JSON) to data models, without explicit filtering of properties
Attackers explore other API endpoints, read documentation, or blindly guess additional object properties
Attackers inject additional object properties into request payloads

Mitigation
Set the “additionalProperties” option of request objects’ JSON schemas to false
Precisely define request object schemas in the API specification and enforce them with the validate-content policy

<validate-content unspecified-content-type-action="prevent" max-size="102400" size-

exceeded-action="prevent">
<content type="application/json" validate-as="json" action="prevent" />
</validate-content>
Injection
Malicious data in a request executes unintended commands or accesses data
without proper authorization
For example, SQL or NoSQL injection

Mitigation
Provide format properties, like regex for text fields, in the API specification’s object schemas and enforce them with the
validate-content policy

<validate-content unspecified-content-type-action="prevent" max-size="102400" size-

exceeded-action="prevent">
<content type="application/json" validate-as="json" action="prevent" />
</validate-content>
Excessive data exposure
API responses surface sensitive or excessive data
Developers tend to expose all object properties without considering their individual sensitivity
They rely on clients to perform the data filtering before displaying it to the user

Mitigation
Set the “additionalProperties” option of response objects’ JSON schemas to false
Precisely define response object schemas in the API specification and enforce them with the validate-content policy
Define all allowed response status codes in the API specification and enforce them with the validate-status-code policy
Precisely define all allowed response headers in the API specification and enforce them with the validate-headers policy

<validate-headers specified-header-action="prevent" unspecified-header-

action="prevent"/>

<validate-status-code unspecified-status-code-action="prevent" />

DoS large payload attack
Large-payload requests cause API outages
Malicious requests block the API traffic on system’s bottlenecks
They occupy networking resources and consume excessive computing power

Mitigation
Enforce maximum request content size with the content-validation policy

<validate-content max-size="102400" size-exceeded-action="prevent"

unspecified-content-type-action="prevent" />
Private networking and upstream security
External configuration
Management plane security

API

Management
API providers plane
Azure Resource
Manager
Azure portal
Resource Manager templates
PowerShell Azure account (Azure AD)
Azure CLI Built-in roles
Client SDKs Custom roles
Visual Studio/Code extensions
Terraform templates
“User plane” security

App developers
Developer portal
Employee developers
Partner developers
Customer developers Work and internet accounts
Public developers Integration with Azure AD B2B/B2C
Custom (delegated) authentication
Native and Azure AD groups
Self-service or invite-only onboarding to API products
Auto or manual approval of subscriptions
Limits on the number of subscriptions
Subscription suspension and revocation
Compliance
Meets a multitude of global, regional, country and industry specific regulations

ISO 27001
PCI DSS
HIPAA
FedRAMP High
GDPR
…

Full list and documentation available on [Link]

End-to-end security and compliance

API

App developers Management API providers

plane

Developer portal

Backend APIs

Gateway
Apps on devices

Azure platform + built-in capabilities + Azure services

 Design

Analyze Develop

API life cycle:

publish
Monitor Secure

Scale Publish
Developer portal is a discovery and self-onboarding point for
application developers

Built-in developer portal lets API consumers Discover APIs

Learn how to use them

Test them out with interactive console

Create and manage accounts

Request and manage API access

Analyze API usage

Developer portal is…

Built-into API Management Open the portal within seconds; updates are on us.

Fast go-to-market Rely on default styling and content to minimize customizations.

Easily customizable Author content and brand the portal with a drag-and-drop visual editor.

Open-source Browse the codebase and engage with the community on GitHub.

Extensible Extend the codebase with custom logic and self-host the resulting portal.

Automatable Automate deployments via APIs.

Portal
customizations
Create content with the drag-
and-drop visual editor without
writing any code

Use widgets to connect to the

API Management service (i.e., to
retrieve the list of APIs or sign in
a user)

Customize the portal in a

dedicated style guide panel
API usage reports
Application developers explore
their usage of APIs in the
developer portal

API providers analyze the usage

in the Azure portal

Reports are grouped by time,

response type, bandwidth,
products, subscription keys, APIs,
and API operations
Extensibility of the developer portal
If the out-of-the-box capabilities are insufficient, you can:
• Request a feature on GitHub
• Contribute code on GitHub
• Fork the repository, extend the code base, and self-host the portal

Self-hosting the portal is simple and efficient

Portal generates static files for hosting in the cloud or on premises
Recommended hosting with Azure Storage Account
Developer portal
API versioning

Revisions Versions
For non-breaking changes For breaking changes
Providers choose when to deploy Consumers choose when to adopt
API requests default to current revision Specify with URL path, query, or header param
Test by specifying revision ID, then promote
Versions and revisions
Domain API Version
Operation Revision

;rev=1
/v1
;rev=2
;rev=3
/speakers
;rev=4
[Link] foo /sessions
/days
;rev=1
/v2 /events
;rev=2 /speakers
offline /sessions
online /venues
current
Bundle APIs with products
Developer portal

Browse products and associated APIs

Subscribe to products
API 1
Manage subscriptions and keys

Management plane
API 2
Manage products and API associations
Define product-scoped policies
Approve and manage subscriptions
API 3 Collect and analyze usage data
Monetize access

API 4 Gateway

Authenticate API requests with keys

Execute product-scoped policies
Users, groups, products, APIs, and subscriptions
Products not requiring subscriptions
API Portal
Standalone modern API documentation portal
Customize it through a drag-and-drop, no-code visual editor
Contains REST API reference pages, code samples, and interactive console
Relies on the same technology as the Azure API Management’s developer portal
GitHub-based API ecosystem for communication and collaboration
Track source code changes
Automate portal deployments with GitHub Actions
Host the site for free with GitHub Pages
Sample use cases
Enterprise-wide API catalog for discoverability, deduplication of assets, and business efficiency
Branded API documentation portal for partners or external consumers for discoverability and self-
onboarding
[Link]
Demo
Monetization
Support for common monetization models
Subscriptions with call quotas
Per call fee
Pre-paid calls with overages
API Management collects the data to support these models
Subscription billing – list of active subscriptions in a billing period
Metered billing - # of requests per subscription in the billing period
Customers are responsible for integration with payment providers
Sample solution for Stripe and Ayden
Integration mechanisms
Subscription delegation on the developer portal
Management API
 Design

Analyze Develop

API life cycle:

scale
Monitor Secure

Scale Publish
Worldwide presence
44 public regions in Americas, Europe, Asia, Australia, Africa
6 US Government regions
4 regions in China

Browse all available regions on [Link]

Higher availability with multi-region feature
Improved availability of the data plane – 99.99% vs 99.95% SLA
Reduced latency of API calls
Single Premium instance can be scaled across multiple regions
Additional units can be deployed into the Primary or other Secondary region
Regions can have a different number of units
Regions and units come at an additional cost
Primary region hosts all the components
Gateway, developer portal, management API, …
Developer portal and management API are inaccessible if Primary region becomes unavailable
Secondary region hosts gateway only
Secondaries can operate on a last received configuration while the Primary region is unavailable
They periodically try to reconnect and catch up
All APIs are available in every region
Requests are routed to the closest available region by Azure Traffic Manager
Uses Traffic Manager’s performance routing with 5min TTL
Regional endpoints enable custom traffic management, for example for data sovereignty
Default multi-region topology
Custom multi-region topology
 Obtain 99.99% SLA with two (or more) zones in a
single region
Improve resiliency of the primary region in a
multi-region deployment
Availability Each unit contains all API Management
Zones components
Units must be evenly distributed across zones
Available in the Premium tier in every AZ-
enabled Azure region
Self-hosted API gateway

Functionally equivalent to the managed gateway

Deployable to on-premises or cloud Packaged as a Linux-based Docker container image
Available from the Microsoft Container Registry

Requires only outgoing connectivity to Azure on port 443

Managed and observed from Azure Connects to a “parent” API Management service
Pulls down configuration and pushes up telemetry

Just a single container

Simple to provision and operate Easy to evaluate on a laptop with Docker Desktop or Minikube
Kubernetes provides availability, scaling, rolling upgrades, and more
Self-hosted gateway pricing

Developer tier Premium tier

Pre-production environments Production environments
Unlimited gateway locations Unlimited gateway locations
Single node per location Unlimited nodes per location
No additional charge Paid add-on

Nodes in a gateway location share configuration – e.g., APIs, domain names, certificates
Distributed deployment

Data plane communication

Management plane communication

Virtual network

…
Dapr integration policies

API Managers API Consumers

API Management Self-hosted gateway 1 Self-hosted gateway 2

Sidecar Sidecar

Gateway pod Gateway pod

Sidecar Sidecar Sidecar Sidecar

Legend: User App User App User App User App

Management Plane App 1 pod App 2 pod App 1 pod App 3 pod

Kubernetes cluster 1 Kubernetes cluster 2

Data Plane
Isolated SKU
Same capabilities as the Premium SKU
Ensures compute isolation
Meets US Department of Defense IL5 requirements
In Public Preview
Price TBA, contact support to provision
Backup and restore for disaster recovery
Backup
Usually takes around 10 min
Captures everything but reports and custom domain settings in a blob
Service configuration operations (e.g., scaling, upgrades) are blocked while backup is in progress
Changes applied after backup starts are not included in the backup

Restore
Could take as long as 30 min or more depending on the size
Instance is not available while restore is in progress
Custom domain configuration need to be re-applied manually

Standby failover instance can reduce RTO

Create backup instance in a different region in advance
Configure custom domain identically to the active instance
Sync configuration with the active instance periodically to achieve desired RPO
To fail over update the CNAME to reference backup instance
Scale up if and as required
Troubleshooting and support
SLA
99.95% in all tiers
99.99% in the Premium tier with multi-region configured

Self-troubleshoot
Built-in automated troubleshooting experiences in the Azure portal
Extensive documentation on Azure Docs

Supported by Azure Support

Requires support plan
Available worldwide in nine languages: English, Spanish, French, German, Italian, Portuguese,
Traditional Chinese, Korean, and Japanese
24x7 in English for severity A and B and in Japanese for severity A
 Design

Analyze Develop

API life cycle:

monitor &
analyze Monitor Secure

Scale Publish
 Monitor and analyze features
Tech Reporting Monitoring Debugging Data lag Retention Sampling Data schema Data kind Enabled

Turned on Fixed
API inspector - - Good Instant Last 100 traces Request trace Always
per request can be extended

Built-in Reports
Good - - Minutes Unspecified 100% Fixed Always
reports Logs via API

Azure
93 days
Monitor Basic Good - Minutes 100% Fixed Metrics Always
export to extend
Metrics

Azure 31 day (5GB) 100% Fixed

Good Good Good Minutes Logs Optional
Monitor Logs upgrade to extend adjustable can be extended

Application 90 days (5GB) Choice of

Good Good Good Seconds Custom presets Logs, metrics Optional
Insights upgrade to extend
can be extended

Log to Event
Custom Custom Custom Seconds User managed Custom Custom Logs Optional
Hub
API Inspector
Request scoped trace
Turned on per request
Fixed schema (can be extended)
Azure Monitor
metrics
Aggregated metrics
Always-on
Samples all requests
93-day retention
Alerts and notifications
Azure Monitor logs
Request scoped logs
Opt-in
Adjustable sampling
Fixed schema (can be extended)
31-day retention (5GB)
Built-in query experience
Application Insights
Request scoped traces
Opt-in
Adjustable sampling
90-day retention (5GB)
Distributed tracing
Built-in reports
Out-of-the-box
Always-on
Rich report types
Access via Azure portal or API
Custom analytics and reporting
Machine Learning SQL Database

Event Hub Stream Analytics Power BI

Hadoop Storage
Business users
(Azure account is not required)

Gateway

Data plane
Apps
on devices (micro)services
Event Grid integration
Events publisher Events subscribers

Logic App

Function App

API
Event Grid Webhook
Management

Integration with Event Grid

Send event notifications to Event Grid system topic of type [Link]
Trigger downstream processes on Azure Logic App, Azure Functions or via Webhook
Published events are CRUD of API, Product, Release, Subscriptions, User *

* At the time of GA (Nov. 21)

Self-hosted gateway

Management Gateway Dev portal

plane

Just an example Just an example

(UDP) (UDP, Unix socket)

(librato, dogStatsD, influxDB)

(stdout)
Azure API Management
Mature full life cycle API management solution
Design
Trusted by thousands of enterprise customers

Abstract, secure, observe, and make APIs

Analyze Develop
discoverable in minutes

One solution for APIs across clouds and on-

premises

Dependable, secure, scalable, and performant

Monitor Secure
DevOps- and developer-friendly

Azure-native and integrated with other Azure

services

Globally available and supported Scale Publish

Low-barrier-to-entry pricing
Resources [Link]
Questions

Photo by Ilkka Kärkkäinen on Unsplash

© Copyright Microsoft Corporation. All rights reserved.