December 31, 2021
Capabilities of Azure APIs: Select Use Cases
Monitor abnormal activity
With Azure API Management, abnormal activity on an API can be monitored and logged by sending request records to Azure Event Hubs and using Azure Stream Analytics to query and parse the records that API Management writes to the event hub.
The following API Management policy shows how requests can be logged to Azure Event Hubs and later monitored with Azure Stream Analytics queries.
<inbound>
    <!-- Emit one JSON record per request so that Stream Analytics can parse it -->
    <log-to-eventhub logger-id="TaskAPILogger">
        @( "{" + string.Join(",",
               "\"DateTime\":\"" + DateTime.UtcNow + "\"",
               "\"ServiceName\":\"" + context.Deployment.ServiceName + "\"",
               "\"RequestId\":\"" + context.RequestId + "\"",
               "\"IpAddress\":\"" + context.Request.IpAddress + "\"",
               "\"OperationName\":\"" + context.Operation.Name + "\"") + "}" )
    </log-to-eventhub>
    <base />
</inbound>
This video demonstrates how to use the log-to-eventhub policy to build a custom dashboard with Azure Stream Analytics and Power BI.
Protect against unauthorized access
Client certificate based authentication: API Management provides the capability to secure access to APIs (i.e., client to API Management) using client certificates. It's possible to check the thumbprint of the client certificate against a desired value or against existing certificates uploaded to API Management. To protect your APIs using client certificate authentication, see: How to secure back-end services using client certificate authentication.
Protect API using OAuth 2.0 and Azure Active Directory.
This guide provides the steps to protect your API with OAuth 2.0 access tokens issued by Azure Active Directory. The following video provides the steps needed to protect your API backend with Azure Active Directory and API Management.
Protect API using OpenID Connect protocol and Azure Active Directory.
It is also possible to use an industry-standard protocol, OpenID Connect (instead of OAuth 2.0), to protect your API using Azure Active Directory. For more information on how OpenID Connect with Azure AD works, refer to this documentation.
Protect against content attacks
Using Azure API Management policies, we can protect the API from content attacks by rejecting requests that exceed a content size limit. The following example rejects inbound requests whose request content is more than 4096 bytes in length.
<inbound>
    <!-- Buffer the request body so it can be measured without consuming it.
         Note: this reads the whole body before the check runs, so very large uploads
         still reach the gateway; they are just never forwarded to the backend. -->
    <set-variable name="contentAsString" value="@((string)context.Request.Body.As<string>(preserveContent: true))" />
    <set-variable name="ALLOWED_CONTENT_LENGTH" value="@{ return 4096; }" />
    <choose>
        <when condition='@(((string)context.Variables["contentAsString"]).Length >= (int)context.Variables["ALLOWED_CONTENT_LENGTH"])'>
            <set-variable name="endTimeTicks" value="@{ return DateTime.UtcNow.Ticks; }" />
            <!-- Short-circuit with a 400 instead of forwarding the oversized request -->
            <return-response>
                <set-status code="400" reason='@{ return "JSON ERROR: Content length is greater than the permissible limit of: " + (int)context.Variables["ALLOWED_CONTENT_LENGTH"] + " byte(s)"; }' />
            </return-response>
        </when>
    </choose>
    <base />
</inbound>
This article provides details on how to protect your API from Denial of Wallet attacks, in which an attacker keeps sending a few requests per second to your API in order to steadily increase the bill for your Azure API Management instance.
Connect to a virtual network
Azure API Management can connect to an Azure Virtual Network and access resources that are private or located on the customer's premises.
Azure API Management can be deployed inside the virtual network (VNET) so that it can access backend services within the network. The developer portal and API gateway can be configured to be accessible either from the Internet or only from within the virtual network.
Azure API Management needs to be deployed in its own subnet to be able to connect successfully to the internal or on-premises network.
Transform and protect your API
It is possible to perform transformations on API operations, such as removing HTTP headers from the outgoing response and finding and replacing API response content so that the original backend URLs are replaced with the APIM gateway URLs. API Management also allows you to test these transformations. More information is available here.
XML transformation using XSLT
This is possible using an inline XSLT transform. The following link has more details on how to add an XSLT transformation policy. This link provides additional information on the capabilities of transformation policies that help in setting HTTP headers or adding or removing values from the response body.
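The outbound section below combines the three transformations discussed above (header removal, URL find-and-replace, and an inline XSLT) in one policy. It is an added example, not code from the original post or from Microsoft's documentation; the backend and gateway host names and the internalId element are placeholders:

```xml
<policies>
    <inbound>
        <base />
    </inbound>
    <outbound>
        <base />
        <!-- Remove headers that fingerprint the backend platform before the response leaves the gateway -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
        <set-header name="Server" exists-action="delete" />
        <!-- Rewrite backend host names in the body so clients only ever see the gateway URL
             (both host names are placeholders) -->
        <find-and-replace from="https://tasks-backend.internal.example" to="https://api.contoso.com/tasks" />
        <!-- Apply the XSLT only to XML bodies; a JSON body would make the transform fail -->
        <choose>
            <when condition='@(context.Response.Headers.GetValueOrDefault("Content-Type", "").Contains("xml"))'>
                <xsl-transform>
                    <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
                        <xsl:output method="xml" indent="yes" />
                        <!-- Identity template: copy every attribute and node as-is ... -->
                        <xsl:template match="@*|node()">
                            <xsl:copy>
                                <xsl:apply-templates select="@*|node()" />
                            </xsl:copy>
                        </xsl:template>
                        <!-- ... except internalId (a placeholder for a field that must not reach clients), which is dropped -->
                        <xsl:template match="internalId" />
                    </xsl:stylesheet>
                </xsl-transform>
            </when>
        </choose>
    </outbound>
</policies>
```

The identity-plus-suppression pattern is the safe default for response scrubbing: everything is copied unless a template explicitly matches it, so a new element the backend starts returning is passed through rather than silently dropped, and the one element you have decided must never leave the gateway is removed regardless of where it appears in the tree.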
Rate Limiting and Call Quotas
Azure API Management provides rate and quota throttling to both protect and add value to your API service.
The new rate-limit-by-key and quota-by-key policies provide a more flexible solution to traffic control. These policies allow you to define expressions that identify the keys used to track traffic usage.
With rate limiting and call quotas, one can control the rate of requests or the total number of requests and the amount of data transferred through an API.
This video provides more details on rate limits and quotas, and this video demonstrates how to use the new advanced request throttling policies in Azure API Management.
Access Restriction Policies
API Management provides the following policies for access restriction:
- Check HTTP header - Enforces the existence and/or value of an HTTP header.
- Limit call rate by subscription - Prevents API usage spikes by limiting call rate, on a per subscription basis.
- Limit call rate by key - Prevents API usage spikes by limiting call rate, on a per key basis.
- Restrict caller IPs - Filters (allows/denies) calls from specific IP addresses and/or address ranges.
- Set usage quota by subscription - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis.
- Set usage quota by key - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.
- Validate JWT - Enforces existence and validity of a JWT extracted from either a specified HTTP Header or a specified query parameter.
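The policy below shows four of the access restriction policies listed above working together, and also serves as the worked example for the rate-limit-by-key and quota-by-key policies from the Rate Limiting and Call Quotas section. It is an added example, not code from the original post or from Microsoft's documentation; the address range, the header values and the numeric limits are constructed:

```xml
<policies>
    <inbound>
        <base />
        <!-- Accept calls only from a partner's address range (203.0.113.0/24 is a constructed, documentation-only range) -->
        <ip-filter action="allow">
            <address-range from="203.0.113.0" to="203.0.113.255" />
        </ip-filter>
        <!-- Require an explicit client identifier header with one of the known values (constructed) -->
        <check-header name="X-Client-Id" failed-check-httpcode="401" failed-check-error-message="Missing or unknown client id" ignore-case="false">
            <value>mobile-app</value>
            <value>partner-portal</value>
        </check-header>
        <!-- Burst control: at most 10 successful calls per minute per source IP.
             The counter only increments on 200 responses, so a caller cannot
             burn their own allowance with requests the gateway rejected. -->
        <rate-limit-by-key calls="10" renewal-period="60"
                           increment-condition="@(context.Response.StatusCode == 200)"
                           counter-key="@(context.Request.IpAddress)"
                           remaining-calls-variable-name="remainingCallsPerIP" />
        <!-- Volume control: 10,000 calls or 40,000 KB per hour per authenticated user.
             The key is the JWT subject, so a validate-jwt policy must run before this
             line; otherwise the key is null for anonymous requests. -->
        <quota-by-key calls="10000" bandwidth="40000" renewal-period="3600"
                      increment-condition="@(context.Response.StatusCode >= 200 && context.Response.StatusCode < 400)"
                      counter-key='@(context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt()?.Subject)' />
    </inbound>
</policies>
```

Keying the rate limit by source IP and the quota by token subject is deliberate: the per-IP limit still applies to a caller that has no valid token yet (so it blunts credential-guessing bursts before validate-jwt does its work), while the per-subject quota follows a user across devices and addresses. The counter-key expression is where rate-limit-by-key differs from the subscription-based policies: any expression over the request context, not just the subscription key, can define the bucket.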
Caching responses
This feature enables caching of responses at the API operation level and greatly improves the performance of the API.
The following link provides a caching policy sample for adding items to the cache for 20 seconds. You can also take advantage of custom caching and fragment caching capabilities, where certain parts of the response are cached using cache-store-value policies. The new cache-lookup-value and cache-store-value policies provide the ability to store and retrieve arbitrary pieces of data from within policy definitions.
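The policy below shows both forms of caching described above: whole-response caching for 20 seconds (the duration from the linked sample) and fragment caching with cache-lookup-value and cache-store-value. It is an added example, not code from the original post or from Microsoft's documentation; the currency query parameter and the rates- key prefix are constructed:

```xml
<policies>
    <inbound>
        <base />
        <!-- Whole-response cache. vary-by-developer="true" keeps cache entries separate per
             subscription, so one subscriber never receives a response cached for another. -->
        <cache-lookup vary-by-developer="true" vary-by-developer-groups="false" caching-type="internal" downstream-caching-type="none" must-revalidate="true">
            <vary-by-header>Accept</vary-by-header>
            <vary-by-query-parameter>version</vary-by-query-parameter>
        </cache-lookup>
        <!-- Fragment cache: look up a stored value under a key derived from the request.
             If nothing is stored, the variable is simply not set. -->
        <cache-lookup-value key='@("rates-" + context.Request.Url.Query.GetValueOrDefault("currency", "USD"))'
                            variable-name="ratesFragment"
                            caching-type="internal" />
    </inbound>
    <outbound>
        <!-- Store the full response for 20 seconds -->
        <cache-store duration="20" />
        <!-- Store the response body as a reusable fragment for 300 seconds when no fragment existed yet -->
        <choose>
            <when condition='@(!context.Variables.ContainsKey("ratesFragment"))'>
                <cache-store-value key='@("rates-" + context.Request.Url.Query.GetValueOrDefault("currency", "USD"))'
                                   value="@(context.Response.Body.As<string>(preserveContent: true))"
                                   duration="300"
                                   caching-type="internal" />
            </when>
        </choose>
        <base />
    </outbound>
</policies>
```

The fragment stored here is meant to be read back by cache-lookup-value in other operations that embed the same piece of data, which is the point of fragment caching: one slow backend lookup feeds several responses. The vary-by-developer setting is the security-relevant choice in the block; leaving it false on an operation whose response depends on the caller serves one subscriber's data to the next.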
Mocking responses
Azure API Management allows setting policies on API operations so that they can return a mocked response. This method enables developers to proceed with implementation and testing of the APIM instance even if the backend is not available to send real responses.
Mocked responses allow parallel development of the API and its integration with Azure API Management. They also allow consumers to get a response even when the backend is not operational or does not scale well.
This video provides more details on how mocked responses work.
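The mock-response policy described above, as an added example (not code from the original post or from Microsoft's documentation). It assumes the operation has a sample or schema defined for its 200 / application/json response, which is what the policy serves:

```xml
<policies>
    <inbound>
        <base />
        <!-- Short-circuit the pipeline and return the sample defined for the
             200 / application/json response of this operation; the backend is never called -->
        <mock-response status-code="200" content-type="application/json" />
    </inbound>
</policies>
```

Scoping the policy to a single operation, or to a revision that is not yet current, keeps the rest of the API live while one endpoint is mocked; removing the line restores backend calls without any other change to the operation.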
Versioning and revisions
Versioning and revisions provide you flexibility and control in how you manage change and the lifecycle of your API.
This video provides an overview of the versioning and revisions feature of Azure API Management.
Versions allow you to
- Publish multiple versions of your API at the same time
- Differentiate multiple versions using a version number
- Differentiate versions using a URL path, query string or HTTP header (the versioning scheme)
- Show your API versions grouped together on the developer portal
Revisions allow you to
- Make changes to your APIs in a controlled and safe way.
- When you want to make changes, create a new revision. You can then edit and test the API without disturbing your API consumers. When you are ready, you can then make your revision current – at the same time.
- Rollback if you find issues.
- Document the changes you make, so your developers can understand what is new.
Monitor published APIs
With Azure Monitor, we can view and monitor activity and diagnostic logs and take automated actions when we find certain entries in the activity or diagnostic logs or if the configured metrics cross a defined threshold.
With Azure Monitor we can:
- View activity logs
- View diagnostic logs
- View metrics of your API
- Set up an alert rule when your API gets unauthorized calls
Configure a Custom domain
It is possible to expose the APIs served by the APIM gateway under custom domain names like contoso.com. Azure assigns a newly created API Management service to a subdomain of azure-api.net (for example, apim-service-name.azure-api.net). However, you can expose your APIM endpoints using your own domain name, such as contoso.com. For more information on how to configure it, refer to this link.
Role based Access Control
Azure API Management relies on Azure Role-Based Access Control (RBAC) to enable fine-grained access management for API Management services and entities (e.g., APIs, policies).
The following video provides more details on configuring role based access control for fine grained access to APIs and API policies using built-in and custom roles in Azure API Management.
Cross domain policies
API Management makes it possible to make cross-domain calls to the API. It's possible to make cross-domain calls from several types of clients, such as JavaScript clients, Flash or Silverlight apps and other browser-based clients.
- Allow cross-domain calls - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.
- CORS - Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.
- JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.
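A cors policy for the browser-based client case listed above, added here as an example (not code from the original post or from Microsoft's documentation); the origin https://app.contoso.com and the exposed header name are constructed:

```xml
<policies>
    <inbound>
        <base />
        <!-- Browsers enforce CORS; the gateway answers the preflight and stamps the
             Access-Control-* headers on the real response -->
        <cors allow-credentials="false">
            <!-- List the exact origins that may call this API. Never combine a wildcard
                 origin with allow-credentials="true": that lets any site use the
                 caller's cookies or stored credentials against the API. -->
            <allowed-origins>
                <origin>https://app.contoso.com</origin>
            </allowed-origins>
            <!-- Cache the preflight result for 5 minutes so each mutation does not cost two round trips -->
            <allowed-methods preflight-result-max-age="300">
                <method>GET</method>
                <method>POST</method>
            </allowed-methods>
            <!-- Only the request headers the client actually needs to send -->
            <allowed-headers>
                <header>Content-Type</header>
                <header>Authorization</header>
            </allowed-headers>
            <!-- Response headers the browser is allowed to expose to page script (constructed name) -->
            <expose-headers>
                <header>x-request-id</header>
            </expose-headers>
        </cors>
    </inbound>
</policies>
```

The allowed-origins list is the control that matters. CORS does not stop a non-browser client from calling the API at all; it only governs which web pages a browser will let read the response, so an explicit origin list together with allow-credentials="false" limits what a malicious page can do with a visitor's session.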
Azure API Management Analytics
The built-in analytics capabilities of Azure API Management provide details on the following:
- Operational health and usage level of your API
- How much traffic your APIs are getting
- Which sources are generating this traffic
- How this traffic is impacting the performance of your APIs
Best Practices
- The APIs being imported should have a WADL or WSDL document available so that they can be imported into Azure API Management
- For REST-based APIs it is recommended that a well-defined OpenAPI specification document or swagger.json file is available for import into Azure API Management
- Recommended approach for importing APIs into API Management:
  - external REST-based APIs with swagger.json
  - external SOAP-based APIs with a WSDL definition available
  - internal REST-based APIs
  - internal SOAP-based APIs with a WSDL definition available
- Document thoroughly how developers need to manage tokens, and use SSL for token transport
- Use JWT (JSON Web Token) auth tokens for authentication and authorization
- Need for API versioning:
  - Need to support API evolution while maintaining
    - Backward compatibility (functionality)
    - Rates/throttling agreements
- A combination of versioning and revisions provides fine-grained control over which versions are production ready vs. versions that can be part of public previews and those that are part of beta releases