Azure API Management is an Azure service that allows you to implement a consistent and secure access layer to your APIs. Thanks to API Management, you can easily add authentication, throttling, and caching features without changing the API code.
Furthermore, API Management allows you to make protocol changes to your APIs. You can easily publish a SOAP API with a REST protocol without modifying the code.
API Management is the ideal service if your business sells online services through an API, because it lets you keep track of how customers use your APIs and so bill them precisely.
Azure API Management comprises three components:
- API Gateway: This is the endpoint to which you expose your APIs. It accepts external calls from your customers and routes them to the actual API in the backend. It can enforce quotas, rate limits, transform API protocols, add security, and so on. It can also log call metadata for analytics purposes.
- Administrative portal: This is the administrative interface for your exposed APIs. You can use it to define APIs, configure them, create products, and configure subscriptions for your customers. All the administrative portal features are located in the left-hand menu of the API Management blade (in the Azure portal).
- Developer portal: This is the portal that a developer can use to get information about the APIs you expose. The developer portal allows developers to create accounts and generate the API keys needed to use the APIs, provides an interactive console to test the APIs, and gives them the API documentation.
Before showing how to create an API Management instance, we need to clarify the terminology we will use:
- APIs and operations: APIs represent the fundamental entities managed by Azure API Management. An API is a group of operations available for developers. Each operation can map to one or more APIs implemented on backend services. The operations in API Management are highly configurable, and it is possible to add policies concerning URL mapping, caching, security, rate limits, and so on.
- Products: A product is a grouping of APIs and is a way to package a set of APIs to which a developer can subscribe. A product is characterized by a title, a description, and terms of use. A product can be open or protected. An open product can be used by a developer without a subscription, while protected products can only be used following a subscription by the developer. Groups are used to manage product visibility for developers. Developers can view and subscribe to the products visible to the groups they belong to.
- Groups: Groups are used to manage the visibility of products to developers. API Management has three immutable groups:
  - Administrators: The users in this group are able to manage the API Management service instance. They can add products, remove products, configure APIs, and so on.
  - Developers: The users in this group can log in to the developer portal and call the API using API Gateway.
  - Guests: The users in this group can visit the developer portal and can use the open product (without portal registration and subscription), but cannot use the protected products.

  Administrators can create custom groups (for example, to identify the developers of a particular customer) and a user can belong to more than one group.
- Developers: Developers are the users that use your API through API Gateway. A developer can sign up from the developer portal or can be invited by an administrator. A developer can subscribe to one or more products (depending on their subscription) and when they subscribe to a product, API Management generates a primary and a secondary key for the developer. The developer must use the keys to call the APIs contained in the specific product.
- Policies: Using policies, you can change the behavior of the APIs exposed by API Management. Policies are a declarative way to add features to all APIs, to a single API, or to a single operation. For example, you can implement a format conversion from XML to JSON, add a caching policy to an operation, or implement throttling.
- Subscriptions: A subscription is a way in which you can secure access to a set of APIs in API Management. When developers need to consume published APIs, they must have a subscription key and they must provide it in the API call. If the key is not valid, API Management rejects the request without routing it to the backend services. API Management supports OAuth 2.0, client certificates, and IP whitelisting as security mechanisms.
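
The Policies and Subscriptions items above, shown as an added example that is not part of the original text: one policy document that combines IP whitelisting, OAuth 2.0 token validation, throttling, caching, and XML-to-JSON conversion. The address range, the OpenID configuration URL, and the audience value are constructed placeholders.

```xml
<policies>
    <inbound>
        <!-- Inherit the policies defined at the enclosing scope (all APIs, or the API) -->
        <base />
        <!-- IP whitelisting: only callers in this range reach the backend.
             203.0.113.0/24 is a documentation range used as a placeholder. -->
        <ip-filter action="allow">
            <address-range from="203.0.113.0" to="203.0.113.255" />
        </ip-filter>
        <!-- OAuth 2.0: require a valid bearer token in addition to the
             subscription key. URL and audience are placeholders. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      require-scheme="Bearer">
            <openid-config url="https://login.example.com/.well-known/openid-configuration" />
            <audiences>
                <audience>api://example-api</audience>
            </audiences>
        </validate-jwt>
        <!-- Throttling: at most 60 calls per 60 seconds for each subscription -->
        <rate-limit calls="60" renewal-period="60" />
        <!-- Caching: keep a separate cache entry per developer so that one
             developer is never served a response cached for another -->
        <cache-lookup vary-by-developer="true" vary-by-developer-groups="false" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Format conversion: return the backend's XML response as JSON -->
        <xml-to-json kind="direct" apply="always" consider-accept-header="false" />
        <!-- Store the response in the cache for 60 seconds -->
        <cache-store duration="60" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The access checks sit in the inbound section ahead of `cache-lookup`, so a request that fails the IP filter or token validation is rejected before a cached response can be returned.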