With Azure API Management, we can monitor and log abnormal activity on an API by sending request logs from API Management to Azure Event Hubs and using Azure Stream Analytics to query and parse the events written to that event hub.
The following API Management policy shows how requests can be logged to Azure Event Hubs and later monitored with Azure Stream Analytics queries.
<inbound>
  <log-to-eventhub logger-id="TaskAPILogger">
    @( string.Join(",", new string[] {
         "{\"DateTime.UtcNow\":\"" + DateTime.UtcNow.ToString("o") + "\"",
         "\"context.Deployment.ServiceName\":\"" + context.Deployment.ServiceName + "\"",
         "\"context.RequestId\":\"" + context.RequestId + "\"",
         "\"context.Request.IpAddress\":\"" + context.Request.IpAddress + "\"",
         "\"context.Operation.Name\":\"" + context.Operation.Name + "\"}"
       }) )
  </log-to-eventhub>
  <base />
</inbound>
This video demonstrates how to use the log-to-eventhub policy to build a custom dashboard with Azure Stream Analytics and Power BI.
Client certificate based authentication: API Management can secure access to APIs (i.e., client to API Management) using client certificates. A policy can check the thumbprint of the presented certificate against a desired value or against the certificates uploaded to API Management. This is distinct from the backend direction (API Management to your backend); for that scenario see How to secure back-end services using client certificate authentication.
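The following inbound policy is an added example (not from the page or from Microsoft's documentation) of the client-to-gateway check described above. It assumes a hypothetical named value client-cert-thumbprint holding the expected thumbprint; the hostname must have "Negotiate client certificate" enabled, otherwise context.Request.Certificate is always null and every call is rejected by the first branch.

```xml
<inbound>
  <choose>
    <!-- No certificate presented (or negotiation not enabled on the hostname). -->
    <when condition="@(context.Request.Certificate == null)">
      <return-response>
        <set-status code="403" reason="Client certificate required" />
      </return-response>
    </when>
    <!-- Reject certificates that fail chain validation, or whose thumbprint is neither the
         pinned value (hypothetical named value) nor one of the certificates uploaded to
         this API Management instance. -->
    <when condition='@(!context.Request.Certificate.Verify()
        || !(context.Request.Certificate.Thumbprint == "{{client-cert-thumbprint}}"
             || context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint)))'>
      <return-response>
        <set-status code="403" reason="Invalid client certificate" />
      </return-response>
    </when>
  </choose>
  <base />
</inbound>
```

Verify() checks the chain, not revocation; if revocation or validity-period checks matter, the newer validate-client-certificate policy exposes those as attributes and can replace the expression above.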
Protect API using OAuth 2.0 and Azure Active Directory.
This guide provides the steps to protect your API with OAuth 2.0 access tokens issued by Azure Active Directory. The following video provides the steps needed to protect your API backend with Azure Active Directory and API Management.
Protect API using OpenID Connect protocol and Azure Active Directory.
It is also possible to use the industry-standard OpenID Connect protocol (a layer on top of OAuth 2.0 that adds identity tokens) to protect your API using Azure Active Directory. For more information on how OpenID Connect with Azure AD works, refer to this documentation.
Using Azure API Management policies, we can protect the API from content attacks by rejecting requests that exceed a content size limit. The following example rejects inbound requests whose body is 4096 characters or longer.
<inbound>
  <set-variable name="contentAsString" value="@((string)context.Request.Body.As&lt;string&gt;(preserveContent: true))" />
  <set-variable name="ALLOWED_CONTENT_LENGTH" value="@{ return 4096; }" />
  <choose>
    <when condition='@(((string)context.Variables["contentAsString"]).Length >= ((int)context.Variables["ALLOWED_CONTENT_LENGTH"]))'>
      <return-response>
        <set-status code="400" reason='@{ return "JSON ERROR: Content length is greater than the permissible limit of: " + (int)context.Variables["ALLOWED_CONTENT_LENGTH"] + " byte(s)"; }' />
      </return-response>
    </when>
  </choose>
  <base />
</inbound>
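Two things a practitioner should note about the check above: String.Length counts characters rather than bytes, so a multibyte payload can exceed the byte budget while passing the test, and Body.As<string> buffers the entire body before the length is known, so the gateway has already paid for the oversized request. The policy below is an added example (not the page's own code) that rejects on the declared Content-Length first and only then measures the UTF-8 byte count of what actually arrived; the 4096-byte limit is a constructed value.

```xml
<inbound>
  <!-- Limit held in a variable so it is easy to tune; 4096 is a constructed value. -->
  <set-variable name="maxBodyBytes" value="@(4096)" />
  <!-- Step 1 (cheap): reject on the declared Content-Length before buffering the body.
       A missing or chunked body has no usable header and falls through to step 2. -->
  <choose>
    <when condition='@{
        long declared;
        string header = context.Request.Headers.GetValueOrDefault("Content-Length", "");
        if (!long.TryParse(header, out declared)) return false;
        return declared > (int)context.Variables["maxBodyBytes"];
      }'>
      <return-response>
        <set-status code="413" reason="Payload Too Large" />
      </return-response>
    </when>
  </choose>
  <!-- Step 2 (authoritative): measure the UTF-8 byte length of the body actually received.
       A request without a body (e.g. GET) counts as zero bytes. -->
  <set-variable name="bodyBytes" value='@{
      if (context.Request.Body == null) return 0;
      string body = context.Request.Body.As&lt;string&gt;(preserveContent: true);
      return System.Text.Encoding.UTF8.GetBytes(body).Length;
    }' />
  <choose>
    <when condition='@((int)context.Variables["bodyBytes"] > (int)context.Variables["maxBodyBytes"])'>
      <return-response>
        <set-status code="413" reason="Payload Too Large" />
        <set-header name="Content-Type" exists-action="override">
          <value>application/json</value>
        </set-header>
        <set-body>@("{\"error\":\"request body exceeds " + context.Variables["maxBodyBytes"] + " bytes\"}")</set-body>
      </return-response>
    </when>
  </choose>
  <base />
</inbound>
```

A client that lies in Content-Length or uses chunked encoding still forces the buffering in step 2, so this is a guard for the backend, not a substitute for the platform's own request-size limits.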
This article explains how to protect your API from denial-of-wallet attacks, in which an attacker deliberately sends a few requests per second, continuously and under any burst threshold, purely to drive up the bill for your Azure API Management instance.
Azure API Management can be joined to an Azure Virtual Network (VNET) so that it can reach backend resources that are private to the network or located on the customer's on-premises network.
When deployed inside the VNET, the gateway can access backend services within the network. The developer portal and API gateway can be configured to be reachable from the Internet (external mode) or only from inside the VNET (internal mode).
Azure API Management must be deployed in its own dedicated subnet to connect successfully to the internal/on-premises network.
It is possible to perform transformations on API operations, such as removing HTTP headers from the outgoing response and finding and replacing API response content so that the original backend URLs are replaced with the APIM gateway URLs. API Management also allows you to test these transformations. More information is available here.
This is also possible using an inline XSLT transform; the following link has more details on how to add an XSLT transformation policy. This link provides additional information on the capabilities of transformation policies that set HTTP headers or add or remove values from the response body.
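The outbound policy below is an added example (not from the page or the linked articles) of the two transformations that matter most from a security standpoint: stripping headers that fingerprint the backend stack and rewriting absolute URLs so clients never learn the private backend hostname. Both hostnames are constructed placeholders.

```xml
<outbound>
  <base />
  <!-- Drop headers that reveal the backend platform; clients have no use for them. -->
  <set-header name="X-Powered-By" exists-action="delete" />
  <set-header name="X-AspNet-Version" exists-action="delete" />
  <set-header name="Server" exists-action="delete" />
  <!-- Rewrite backend URLs embedded in the body (links, HATEOAS hrefs, error pages)
       to the gateway URL. Both hosts are constructed placeholders. -->
  <find-and-replace from="https://tasks-backend.internal.contoso.net"
                    to="https://contoso-apim.azure-api.net/tasks" />
  <!-- Add a defensive header on every response. -->
  <set-header name="X-Content-Type-Options" exists-action="override">
    <value>nosniff</value>
  </set-header>
</outbound>
```

find-and-replace is a plain substring replacement over the whole body, so check that the backend host string cannot legitimately appear inside data values before enabling it on an operation.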
Azure API Management provides rate and quota throttling to both protect and add value to your API service.
The rate-limit-by-key and quota-by-key policies provide a more flexible solution to traffic control than the fixed per-subscription policies: they let you define expressions that compute the key used to track traffic usage, such as the caller's IP address or the subject of its token.
With rate limiting and call quotas you can control the rate of requests, or the total number of requests and data transferred, for an API.
This video provides more details on rate limits and quotas. This video demonstrates how to use the new advanced request throttling policies in Azure API Management.
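The inbound policy below is an added example (not from the page or the videos) that combines the two keyed policies: a short-window rate limit per client IP for burst control, and an hourly quota per identity. Quota counting by the JWT subject assumes a validate-jwt policy has already run earlier in the inbound section; anonymous calls fall back to the IP. The numbers are constructed values.

```xml
<inbound>
  <base />
  <!-- Burst control: 20 calls per 60 s per client IP. Every call is counted (no
       increment-condition), so failed authentication attempts are throttled too. -->
  <rate-limit-by-key calls="20" renewal-period="60"
                     counter-key="@(context.Request.IpAddress)" />
  <!-- Long-term quota: 10 000 calls or 40 000 KB per hour, keyed by the bearer token's
       subject when present, otherwise by client IP. -->
  <quota-by-key calls="10000" bandwidth="40000" renewal-period="3600"
                counter-key='@(context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt()?.Subject ?? context.Request.IpAddress)' />
</inbound>
```

Two caveats: the keyed policies are not available in the Consumption tier, and counters are tracked per gateway instance and are approximate, so treat the limits as abuse control rather than exact billing boundaries.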
API Management provides the following access-restriction policies:
Response caching stores responses at the API operation level and can greatly improve API performance.
The following link provides a caching policy sample that keeps items in the cache for 20 seconds. You can also use custom caching and fragment caching, where only certain parts of the response are cached, via the cache-store-value policy. The cache-lookup-value and cache-store-value policies provide the ability to store and retrieve arbitrary pieces of data from within policy definitions.
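The policy below is an added example (not the linked sample) showing both kinds of caching together, with the keying a practitioner needs to get right: a shared response cache that varies by subscription and by the Authorization header, so one caller's response is never served to another, and a fragment cache that stores a per-subscription entitlement fetched from a hypothetical internal service. The entitlement service URL is constructed, and context.Subscription is assumed non-null (subscription required on the product).

```xml
<inbound>
  <base />
  <!-- Response cache. vary-by-developer keys on the subscription; Authorization keeps
       bearer-token callers separated; Accept headers are the usual negotiation keys. -->
  <cache-lookup vary-by-developer="true" vary-by-developer-groups="false"
                downstream-caching-type="none" must-revalidate="true">
    <vary-by-header>Accept</vary-by-header>
    <vary-by-header>Accept-Charset</vary-by-header>
    <vary-by-header>Authorization</vary-by-header>
    <vary-by-query-parameter>id</vary-by-query-parameter>
  </cache-lookup>
  <!-- Fragment cache: per-subscription entitlement, kept for 10 minutes. -->
  <cache-lookup-value key='@("entitlement:" + context.Subscription.Id)' variable-name="entitlement" />
  <choose>
    <when condition='@(!context.Variables.ContainsKey("entitlement"))'>
      <send-request mode="new" response-variable-name="entitlementResponse" timeout="5" ignore-error="false">
        <set-url>@("https://entitlements.internal.contoso.net/subscriptions/" + context.Subscription.Id)</set-url>
        <set-method>GET</set-method>
      </send-request>
      <set-variable name="entitlement"
                    value='@(((IResponse)context.Variables["entitlementResponse"]).Body.As&lt;string&gt;())' />
      <cache-store-value key='@("entitlement:" + context.Subscription.Id)'
                         value='@((string)context.Variables["entitlement"])' duration="600" />
    </when>
  </choose>
</inbound>
<outbound>
  <!-- A miss in cache-lookup lets the request reach the backend; the reply is stored here. -->
  <cache-store duration="20" />
  <base />
</outbound>
```

Varying by Authorization lowers the hit rate (every distinct token gets its own entry); the alternative is to never cache authenticated operations and keep caching for public ones only.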
Azure API Management allows setting policies on API operations so that they return a mocked response. This lets developers proceed with implementing and testing against the APIM instance even when the backend is not yet available to send real responses.
Mocked responses allow parallel development of the API and its integration with Azure API Management. They also let consumers receive a response even when the backend is not operational or does not scale well.
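The policy below is an added example (not from the page or the video) of a mock that cannot accidentally answer production traffic: it is gated on a hypothetical named value mock-enabled, which is set to "true" only on the development instance. It assumes named values are substituted textually inside policy expressions and that the operation defines a sample response for status 200.

```xml
<inbound>
  <base />
  <!-- {{mock-enabled}} is a hypothetical named value; leave it unset or "false" in production. -->
  <choose>
    <when condition='@("{{mock-enabled}}" == "true")'>
      <!-- Returns the sample (or schema-generated) response defined on the operation for
           status 200 with this content type, and skips the backend entirely. -->
      <mock-response status-code="200" content-type="application/json" />
    </when>
  </choose>
</inbound>
```

Because the mock short-circuits the pipeline before the backend, any authentication or throttling policies you want exercised during development must appear above the choose block.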
This video provides more details on how mocked responses work.
Versioning and revisions provide you flexibility and control in how you manage change and the lifecycle of your API.
This video provides an overview of the versioning and revisions feature of Azure API Management.
With Azure Monitor, we can view and monitor activity and diagnostic logs and take automated actions when certain entries appear in those logs or when a configured metric crosses a defined threshold.
With Azure monitor we can
It is possible to expose the APIs behind the APIM gateway under custom domain names such as contoso.com. Azure assigns a newly created API Management service a subdomain of azure-api.net (for example, apim-service-name.azure-api.net), but you can expose your APIM endpoints using your own domain name. For more information on how to configure it, refer to this link.
Azure API Management relies on Azure Role-Based Access Control (RBAC) to enable fine-grained access management for API Management services and their entities (e.g., APIs, policies).
The following video provides more details on configuring role based access control for fine grained access to APIs and API policies using built-in and custom roles in Azure API Management.
API Management can allow cross-domain calls to the API (CORS). Cross-domain calls can then be made from several types of clients, such as JavaScript clients, Flash or Silverlight apps, and other browser-based clients.
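The policy below is an added example (not from the page) of a CORS configuration with an explicit origin allow-list; https://app.contoso.com is a constructed origin and x-request-id a constructed header name. The cors policy should be the first policy in the inbound section, ahead of anything that could return a response early, or preflight requests never reach it.

```xml
<inbound>
  <!-- Explicit allow-list. Do not combine <origin>*</origin> with allow-credentials="true":
       browsers reject credentialed responses that carry a wildcard origin. -->
  <cors allow-credentials="true" terminate-unmatched-request="true">
    <allowed-origins>
      <origin>https://app.contoso.com</origin>
    </allowed-origins>
    <allowed-methods preflight-result-max-age="300">
      <method>GET</method>
      <method>POST</method>
    </allowed-methods>
    <allowed-headers>
      <header>Authorization</header>
      <header>Content-Type</header>
    </allowed-headers>
    <expose-headers>
      <header>x-request-id</header>
    </expose-headers>
  </cors>
  <base />
</inbound>
```

terminate-unmatched-request="true" makes the gateway reject requests from origins not on the list instead of forwarding them to the backend without CORS headers.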
The built-in analytics capabilities of Azure API Management provide details on the following: