
Other Azure Services

Overview of other Azure Services like Serverless, Functions, Logic Apps

Hitesh Sahu

Mon Sep 29 2025

API Management (APIM)

Hybrid, multicloud management platform for APIs across all environments.

Advantages:

  • Abstract backend architecture diversity and complexity from API consumers
  • Securely expose services hosted on and outside of Azure as APIs
  • Protect, accelerate, and observe APIs
  • Enable API discovery and consumption by internal and external users

Management plane

API providers interact with the service through the management plane, which provides full access to the API Management service capabilities.

  • Customers interact with the management plane through Azure tools: Azure portal, Azure PowerShell, Azure CLI, a Visual Studio Code extension, or client SDKs in several popular programming languages.

Responsibility

  • Provision and configure API Management service settings
  • Define or import API schemas from a wide range of sources, including OpenAPI specifications, Azure compute services, or WebSocket or GraphQL backends
  • Package APIs into products
  • Set up policies like quotas or transformations on the APIs
  • Get insights from analytics
  • Manage users

API gateway

Sits between clients and services. All requests from client applications first reach the API gateway, which then forwards them to respective backend services.

  • It acts as a reverse proxy, routing requests from clients to services. This lets API providers abstract API implementations and evolve the backend architecture without impacting API consumers.

Responsibility

The gateway enables consistent configuration of routing, security, throttling, caching, and observability.

  • Gateway routing (Layer 7): decouples clients from backends by accepting API calls and routing them to your backend(s).
  • Gateway aggregation: aggregates multiple responses from backend services and sends a single response back to the client, reducing chattiness between the client and the backend.
  • Gateway offloading: consolidates common functions in one place, rather than making every service responsible for implementing them.
    • Security: verifies API keys, JWT tokens, certificates, and other credentials; enforces IP allow/block lists
    • Throttling: enforces usage quotas and rate limits
    • Caching: serves static content and caches responses to improve response latency and minimize the load on backend services
    • Observability: emits logs, metrics, and traces for monitoring, reporting, and troubleshooting
    • GZIP compression: compresses and otherwise transforms requests and responses as specified in policy statements

It may also perform various cross-cutting tasks such as authentication, SSL termination, and rate limiting. If you don't deploy a gateway, clients must send requests directly to front-end services. However, there are some potential problems with exposing services directly to clients:

Self-hosted gateway

Customers can deploy the API gateway to the same environments where they host their APIs, to optimize API traffic and ensure compliance with local regulations and guidelines.

  • Supports a hybrid IT infrastructure: APIs hosted on-premises and across clouds are managed from a single API Management service in Azure.

  • Packaged as a Linux-based Docker container and commonly deployed to Kubernetes, including Azure Kubernetes Service and Azure Arc-enabled Kubernetes.

APIs

An API represents a set of operations available to app developers.

  • Each API contains a reference to the backend service that implements it, and its operations map to backend operations.

An API can be:

  • Open: can be consumed freely.

  • Protected: requires a subscription key.

Subscription keys

A subscription key is a unique, auto-generated key that can be passed in the headers of the client request or as a query string parameter.

  • Every subscription has two keys, a primary and a secondary. E.g., if you want to change the primary key without downtime, switch your apps to the secondary key first.

  • 401 Access Denied: API calls without a subscription key are rejected and not forwarded to the backend services.

  • The key is passed with each request in the Ocp-Apim-Subscription-Key header, or as the subscription-key query string parameter:

      # With header
      curl --header "Ocp-Apim-Subscription-Key: <key string>" "https://<apim gateway>.azure-api.net/api/path"

      # With query string
      curl "https://<apim gateway>.azure-api.net/api/path?subscription-key=<key string>"
Subscription scope:

  • All APIs: applies to all APIs.
  • Single API: a single imported API and all of its endpoints.
  • Product: a collection of one or more APIs configured in API Management.

Products

Products are how APIs are surfaced to developers.

  • Collection of 1 or more Open or Protected APIs
  • You can assign APIs to more than one product.
  • Products can have different access rules, usage quotas, and terms of use.

Developer portal

Automatically generated, fully customizable website with the documentation of APIs.

  • Read API documentation.
  • Try out an API via the interactive console.
  • Create an account and subscribe to get API keys.
  • Access analytics on their own usage.

Groups

Used to manage the visibility of products to developers.

1. Administrators

Manage API Management service instances and create the APIs, operations, and products that are used by developers.

2. Developers

Authenticated developer portal users that build applications using your APIs.

  • Granted access to the developer portal and build applications that call the operations of an API.

3. Guests

Unauthenticated developer portal users, such as prospective customers visiting the developer portal.

  • Granted certain read-only access, such as the ability to view APIs but not call them.

Policies

A collection of statements in XML that are executed sequentially on the request or response of an API.

  • The API publisher can change the behavior of an API through configuration.

The configuration is divided into inbound, backend, outbound, and on-error sections. The specified policy statements are executed in order for a request and a response.

    <policies>
        <inbound>
            <!-- applied to the request -->
        </inbound>

        <backend>
            <!-- applied before the request is forwarded to the backend service -->
        </backend>

        <outbound>
            <!-- applied to the response -->
        </outbound>

        <on-error>
            <!-- applied if there is an error condition -->
        </on-error>
    </policies>

Control flow: the choose policy provides an if-then-else or switch construct.

    <choose>
        <when condition="Boolean expression | Boolean constant">
            <!-- one or more policy statements to be applied if the above condition is true -->
        </when>
        <when condition="Boolean expression | Boolean constant">
            <!-- one or more policy statements to be applied if the above condition is true -->
        </when>
        <otherwise>
            <!-- one or more policy statements to be applied if none of the above conditions are true -->
        </otherwise>
    </choose>

Limit concurrency: limits the number of calls to the API that are in flight at the same time; calls beyond the limit are rejected with:

  • 429 Too Many Requests status code.

    <limit-concurrency key="expression" max-count="number">
        <!-- nested policy statements -->
    </limit-concurrency>

Mock response: aborts normal pipeline execution and returns a mocked response to the caller

    <mock-response status-code="code" content-type="media type"/>

Retry executes its child policies once and then retries their execution until the retry condition becomes false or retry count is exhausted.

    <retry
        condition="boolean expression or literal"
        count="number of retry attempts"
        interval="retry interval in seconds"
        max-interval="maximum retry interval in seconds"
        delta="retry interval delta in seconds"
        first-fast-retry="boolean expression or literal">
        <!-- One or more child policies. No restrictions -->
    </retry>

Return-response: aborts pipeline execution and returns either a default or a custom response to the caller. The default response is 200 OK with no body.

    <return-response response-variable-name="existing context variable">
        <set-header/>
        <set-body/>
        <set-status/>
    </return-response>

Log to Event Hub: sends messages in the specified format to an Event Hub defined by a Logger entity.

    <log-to-eventhub logger-id="id of the logger entity" partition-id="index of the partition where messages are sent" partition-key="value used for partition assignment">
        Expression returning a string to be logged
    </log-to-eventhub>