Azure API Management: How it helps us manage business APIs

Azure API Management: an introduction

The transition to cloud-based services by modern companies and organizations opens up a new way and need for publishing and consuming data, to enable new services, digital experiences and applications, both for internal and external use, which leads to a growing dependence on APIs.

To address this situation, it is important to have effective tools to manage these APIs and applications and their entire lifecycle in a more centralized and secure way, and this is where Azure API Management comes into play: the service fully managed by Microsoft that allows you to create, publish and manage APIs for your applications.

API Management is an offer PaaS (Platform as a Service) that provides a secure way to publish and manage APIs created by on-premise or cloud-based backend services and acts as an intermediate layer between the backend applications that contain the code behind the API endpoints and the consumers of the API endpoints.

But how does it work? What are the advantages it offers? Let's see it in the next sections.

What is an API and what does API management mean

Before starting, let's take a moment to explain to those who don't chew technical language too well what an API is in practice.

An API, or Application Programming Interface, is a set of rules and protocols that allows different software applications to communicate with each other. APIs define the methods and data that developers can use to interact with a service, operating system, or other application, without needing to know the internal details of how the service is implemented.

APIs are used by software developers for various purposes, such as:

1. Accessing Web Services: They allow you to interact with web services such as social media, payment services, maps, etc.
   ‍
2. System Integration: They facilitate integration between different applications and systems, allowing them to share data and functionality.
   ‍
3. Process Automation: They allow you to automate operations that would otherwise require manual intervention.
   ‍
4. Software extensibility: They offer developers the possibility to extend the functionality of a software through plugins or additional modules.

Given the way in which software development has evolved in the contemporary landscape, understanding and the correct development of APIs have become a fundamental part of the portfolio of experiences for any developer, regardless of whether he works front-end or back-end.

But the developer's work does not stop at just creating the API and any developer who has worked on a web project is well aware that, once the development is complete, other activities necessary for the correct support of the said project arise.

After the publication of the APIs, when they begin to be consumed, it is in fact necessary to start making some important decisions: how to scale them, how to protect them, how to analyze their use in order to define limits on the frequency with which it is possible to call them, which APIs are for internal use and which for external use. Not to mention the integration of elements such as security, logs and many other features directly into the code of its services.

A long series of concerns is that a complete solution would be needed to be able to manage all these aspects effectively and securely, such as an API Management system, that is, a platform that facilitates the creation, publication, management and protection of APIs within an organization.

These systems offer tools for defining and monitoring API interfaces, enforcing security and access control policies, managing documentation and access keys, and monitoring API performance and usage, as well as functionality to scale the service and ensure its quality, such as caching, load balancing, and error management.

Azure API Management: How does it work?

Here, Azure API Management steps in. As already mentioned in our introduction, the service allows developers and companies to develop, publish, protect, monitor and manage APIs with a single system, simplifying every phase of the API lifecycle, from design to monitoring.

The service, which abstracts all the architecture and complexity of the backend to make it easier for consumers to use, allows a single HTTPS endpoint to be used to access all the APIs that are behind it.

Developers, using API Management, will be able to manage APIs regardless of where they are hosted, whether they are on-premise or cloud environments, and the service offers an integrated platform that guarantees uniform governance and performance, extremely advantageous for multi-cloud and hybrid cloud strategies, allowing the implementation of their APIs through different infrastructure configurations.

In addition, it provides tools to monitor API performance, collect logs, and analyze API usage through Azure Monitor and Azure Application Insights that can help developers identify possible performance issues and optimize the use of APIs.

We can divide API Management into three main components, of which we give a brief description in the list below:

• API Gateway: the first point of contact for each request and acts as a facade that routes the request to the correct backend. It also provides the necessary way to centralize and have a consistent configuration for security, caching, throttling (the intentional limitation of the data transfer rate over a network, often to manage congestion or to impose fair use policies among users) and routing (the process of determining the path that data packets must follow through a network to reach their destination). Apply the different centralized policies for usage quotas and limits, verifying JWT tokens and API tokens, and so on.
  ‍
• Management plan: offers full access to the capabilities of the service. It is the resource management interface on the Azure portal that can also be used through command line interfaces such as Powershell, Azure CLI, etc.
  ‍
• Developer portal: a customizable global portal where you can explore all the available APIs, verify their documentation and learn how to integrate and use them.
  ‍

Azure API Management then works by providing a layer between the API clients and the backend API services they access. When a client sends a request to an API managed by API Management, the request is first sent to the API Management gateway.

The gateway is responsible for enforcing security policies, rate limiting, and other policies on the API. If the request is allowed by the gateway, it is then forwarded to the backend API service. The backend API service processes the request and sends a response to the API Management gateway, which in turn sends the response to the client.

Speaking of security policies, Azure API Management provides various mechanisms to protect APIs, such as authentication and authorization through OAuth 2.0, JWT (JSON Web Tokens), API keys, and other security techniques. In addition, it offers the ability to configure access control to ensure that only authorized users can access APIs.

To better understand what the features of the service are, let's see how it can help the three types of users it is aimed at.

Consumer API

The consumer API is the user of the API who can be another developer or an application that integrates and uses the functionality exposed by the API provider. These users use APIs to access the services, data, or functionality offered by the API provider, building applications or services that depend on these interfaces to work properly.

For API consumers, Azure API Management provides a convenient way to access and use the APIs managed by the service. When an API consumer wants to use an API managed by the service, they must usually follow these steps:

• Find the API: The consumer can discover the API by browsing the developer portal, a web portal provided by API Management that lists all the available APIs. The consumer can also use the API Management REST API to discover APIs programmatically.
  ‍
• Get API credentials: To use an API, the consumer must generally provide some form of credentials, such as an API key or an OAuth token. The consumer can obtain these credentials by signing up for an API Management account and creating an application in the developer portal.
  ‍
• Send a request: The consumer can then send a request to the API by making an HTTP request to the API Management gateway, using the API endpoint and API credentials. The request is forwarded to the backend API service, which processes the request and sends a response to the API Management gateway.
  ‍
• Get a response: The API Management gateway then sends the response to the consumer. If the request was successful, the response will include the requested data or functionality. If there was an error, the response will include an error code and a message.

API provider

The API provider is the entity that develops and makes available the API, defining its functionalities, access points and the documentation necessary for its use.

For API providers, Azure API Management offers a set of tools and services for building, publishing, and managing APIs. When an API provider wants to use API Management to manage their APIs, they generally find themselves following the steps listed here:

• Create an instance of the Management API service: The API provider must create an instance of the API Management service in the Azure portal. This creates a dedicated API Management environment that the vendor can use to manage their APIs.
  ‍
• Define the API: The vendor must specify the API endpoint, the operations supported by the API, and the request and response formats. The vendor can use the API Management portal or the service's REST API to define the API.
  ‍
• Configure security: The vendor configures security for the API by specifying the authentication and authorization methods that the API will use. API Management supports a variety of authentication and authorization methods, including API keys, OAuth, and certificates.
  ‍
• Set policies: The vendor can use policies to specify rules and behaviors for the API. For example, the vendor may use policies to set speed limits, transform requests and responses, or cache responses.
  ‍
• Publish the API: The vendor can make the API available in the developer portal, allowing developers to discover, learn, and interact with the APIs.

Application developer

For application developers, Azure API Management offers a convenient way to access and use APIs in their applications, allowing them to do the following:

• Access API documentation: The developer portal provides detailed documentation for each API, including information about the API endpoint, the operations supported by the API, the request and response formats, and any required parameters or headers. Developers can use this documentation to understand how to use the API and to resolve any issues that may arise.
  ‍
• Test the APIs: The developer portal also includes an integrated test console, which allows developers to submit test requests to the API and view the answers. This can be useful for verifying that the API is working as expected and for debugging any issues.
  ‍
• Perform analysis: API Management includes a set of tools for monitoring and analyzing API usage, performance, and errors. Developers can use these tools to track the use of their APIs, identify any issues that might affect performance, and collect and analyze usage data. This can be useful for understanding how APIs are used and for identifying opportunities for optimization and improvement.

Azure API Management vs. Application Gateway

Due to the amount of services offered by Azure, many novice users and developers find themselves having the common problem of understanding which service is better than others to meet their needs. One of the most common misconceptions is that API Management is confused with services that, although very similar on paper, actually perform different functions and, in some ways, complementary to those of API Management.

One of the most striking examples is that of Azure Application Gateway, a load balancing service offered by Microsoft Azure, designed to manage web application traffic.

Unlike traditional load balancers, which operate at the transport layer, the Application Gateway works at the application level, allowing a more advanced and specific management of HTTP and HTTPS requests and includes features such as URL-based routing, load balancing, SSL/TLS termination, the Web Application Firewall (WAF) to protect applications from common attacks, and integration with other Azure services.

We've seen that Azure API Management provides an API Gateway, so why introduce a new resource that does almost the same job?

Because, first of all, they don't do the same job. API Management, as we have already seen, is designed to manage and publish APIs, offering features such as security, authentication, key management and API monitoring, and allows you to control and optimize how APIs are used by developers and applications. Azure Application Gateway, on the other hand, is an application-based load balancer that manages HTTP/HTTPS traffic to your web applications.

To use a metaphor, you can imagine API Management as the customer service manager of a restaurant and Application Gateway as the Maître. The first concerns that customers can order easily, that their requests are handled properly, and that there are clear rules on how to handle special orders or security requests. The second, on the other hand, deals with directing customers to the available tables, ensuring that the flow of customers is managed in an orderly manner and that the restaurant is not too crowded in a single area.

Second, who said they are mutually exclusive services?

In fact, Application Gateway offers several functionalities that, combined with API Management, can add an additional level of protection and security for your applications developed on the Microsoft cloud platform. For example:

• Protect the public IP address of API Management.
• Selectively expose external APIs and keep other APIs as internal, allowing you to manage complex web applications.
• The WAF (Web Application Firewall) can protect against the most common web vulnerabilities, such as SQL injection, cross-site scripting (XSS), HTTP request smuggling, and other types of cyberthreats.
  ‍

By using these two services together, organizations can create an excellent solution for managing their APIs and web applications, facilitating the work of their developers in creating and managing their services and improving consumer access and use of these services.

Azure API Management Pricing: pricing model and available plans

The Azure API Management pricing model is divided into different categories and levels that offer various plans depending on business needs. As with many cloud services, the pricing model adopted is that of the so-called “pay-as-you-go”, i.e. you pay only for the resources that you actually consume.

Prices may vary depending on the region and the type of service chosen and are generally indicated per hour or per unit of resource. It is therefore advisable to consult the Azure official site for updated rates and use the cost calculator to make a personalized estimate.

Azure API Management offers four main service plans. Support varies depending on the plan chosen, with Premium plans offering advanced support and access to dedicated resources. Let's look at them in more detail in the list below:

• Developer: This plan is designed for the development and testing phases. It has a lower cost and provides all the basic functionality without guaranteed uptime SLA (Service Level Agreement). It is ideal for use in development and test environments, but is not recommended for production environments.
  ‍
• Basic: It offers a limited set of features compared to more advanced plans but is suitable for small and medium-sized businesses that need an API Management solution without the advanced features. It includes SLA and basic support.
  ‍
• Standard: This plan is designed for medium and large businesses and includes all the basic functionality, plus some advanced features such as support for multiple environments and advanced API management. It offers a guaranteed SLA and technical support.
  ‍
• Premium: The Premium plan is intended for large businesses and organizations that need advanced functionality, such as internal connectivity and access to virtual networks (VNet). It includes all the functionality of the other plans, in addition to those specific to the option such as the ability to manage APIs in global environments and scalability on a large scale.

‍

For all non-production environments, it is recommended to use the Developer level, which supports most of the functionality at a low cost. You should be aware that the Developer level does not provide any SLA, scalability is not available and it works in only one region. In addition, it can process a limited number of API requests per second, sufficient for non-production workloads.

For production environments, it's best to use the Basic, Standard, or Premium levels. These levels provide an adequate SLA that meets the requirements of production workloads. The main differences between these levels are:

• Integration with Azure Active Directory: It is supported in the Standard and Premium levels, but not in the Basic level. If you plan to use AAD managed identities for authentication, you should not choose the Basic level because it does not support integration with the latter.
  ‍
• Virtual Network: It is supported only in the Premium level. If you plan to use your APIM exclusively for internal use within the organization, or to host both internal and external APIs in the same instance of APIM, you must opt for the Premium level. The Premium tier allows you to host your APIM instance in an internal, external virtual network or without a virtual network.
  ‍
• Multi-region support: This is only supported in the Premium tier, which allows you to have multiple instances of your APIM account in different regions. Multi-region support is ideal if you have customers around the world submitting API requests. In this case, it's best to provide for multiple APIM instances in different regions to be closer to your customers. Other levels (Basic, Standard) can scale to multiple instances, but all APIM instances must be in the same region.
  ‍
• Maximum number of requests per second (RPS): This is the maximum number of requests your API can handle per second. Sometimes it can be more efficient to have more instances at a lower level than one instance at a higher level. For example, an APIM instance in the Premium tier can only process 4,000 RPS, while 2 APIM instances in the Standard tier can process 5,000 RPS for a much lower price, assuming you don't need virtual and multi-region network support.

Conclusions

Having an efficient and secure API management system should be one of the main prerogatives of any organization that wants to have a cutting-edge digital infrastructure, and Azure API Management could be the answer to this need.

Its smooth integration with other Azure platform services, the ability to scale based on load and the wide variety of tools to monitor and optimize API performance make it a highly valuable tool for developers and IT architects and the complete solution to all those problems that developers have to deal with after the publication of their APIs.

So all we have to do is conclude our overview by inviting you to try it out to see if the API Management service offered by the Microsoft cloud platform can also represent the right answer to your needs.

FAQ on Azure API Management

What is Azure API Management?

‍Azure API Management is a platform by Microsoft that allows organizations to create, publish, manage, and secure APIs, facilitating easier interaction between backend services and client applications.

How does Azure API Management work?

‍It functions as an intermediary between API clients and backend services, handling tasks such as security enforcement, traffic management, and API monitoring.

What are the key components of Azure API Management?

‍The main components include the API Gateway, Management Plane, and Developer Portal.

How does Azure API Management differ from Azure Application Gateway?

‍Azure API Management focuses on managing APIs, including security and monitoring, while Azure Application Gateway primarily handles web traffic management with features like load balancing and SSL termination.

What pricing plans are available for Azure API Management?

‍Plans range from Developer (for testing) to Premium (for large-scale production environments), each offering different features and support levels.