
APIM

Tldr

An API gateway is the single entry point for clients. Instead of calling services directly, clients call the API gateway, which forwards each call to the appropriate back-end service.

Features

  • Cross-cutting concerns: the API gateway can perform functions such as authentication, logging, TLS (SSL) termination, and load balancing in one place instead of in every service.
  • Caching
  • Inbound and outbound policies
  • API testing
  • API observability
  • Consolidate various APIs behind one endpoint

APIM Components

APIM includes:

  1. API Gateway (AKA data plane/runtime), in one of two forms:
     • Managed: the default, hosted by Azure
     • Self-hosted: an optional containerized gateway for on-prem or other environments
  2. Management plane (management portal)
  3. Developer portal: the open-source developer portal

URLs for APIM endpoints

An instance can have three URLs:

  • Gateway URL
  • Management URL
  • Developer portal URL

Kinds of APIM

  • On cloud
  • Serverless
  • Self hosted and Federated

API Gateway

  • Facade: Accepts API calls and routes them to your backend APIs.
  • AuthN and AuthZ: Verifies API keys, JWT tokens, client certificates, and other credentials before the call reaches a backend.
  • API throttling: Enforces usage quotas and rate limits, which also protects backends from denial-of-service (DoS) traffic.
  • Caching: Caches backend responses where set up.
  • Logging: Logs calls for monitoring and reporting.
  • Policy enforcement: Transforms your API on the fly using policy statements.

Management plane

API providers interact with the service through the management plane, which provides full access to the API Management service capabilities.

Customers interact with the management plane through Azure tools including the Azure portal, Azure PowerShell, Azure CLI, a Visual Studio Code extension, or client SDKs in several popular programming languages.

Uses of the management plane

Use the management plane to:

  • Provision and configure API Management service settings
  • Define or import API schemas from a wide range of sources, including OpenAPI specifications, Azure compute services, or WebSocket or GraphQL backends
  • Package APIs into products
  • Set up policies like quotas or transformations on the APIs
  • Get insights from analytics
  • Manage users

Developer Portal

API providers can customize the look and feel of the developer portal by adding custom content, customizing styles, and adding their branding. Extend the developer portal further by self-hosting.

Using the developer portal, developers can:

  • Read API documentation
  • Call an API via the interactive console
  • Create an account and subscribe to get API keys
  • Access analytics on their own usage
  • Download API definitions
  • Manage API keys

Core concepts

Policy

With policies, an API publisher can change the behavior of an API through configuration. Policies are a collection of statements that are executed sequentially on the request or response of an API. Popular statements include format conversion from XML to JSON and call-rate limiting to restrict the number of incoming calls from a developer.

The policy XML configuration is divided into inbound, backend, outbound, and on-error sections. This series of specified policy statements is executed in order for a request and a response.

Policy definition
<policies>
  <inbound>
    <!-- statements to be applied to the request go here -->
  </inbound>
  <backend>
    <!-- statements to be applied before the request is forwarded to 
         the backend service go here -->
  </backend>
  <outbound>
    <!-- statements to be applied to the response go here -->
  </outbound>
  <on-error>
    <!-- statements to be applied if there is an error condition go here -->
  </on-error>
</policies>

Policies can be applied at several scopes (for example global, product, API, and operation), which determine the affected APIs or operations, and their statements can be configured dynamically with policy expressions.
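The following policy definition is an added example, not taken from the original page or from Azure's own samples: it fills the four sections above with the statements a security-minded publisher typically uses, in the order they run. The address range 203.0.113.0/24, the `{tenant-id}` placeholder, the audience `api://orders-api`, the role `Orders.Read`, and the limit of 100 calls per 60 seconds are assumptions for illustration.

```xml
<policies>
  <inbound>
    <!-- Run the statements inherited from the enclosing scopes (global, product) first -->
    <base />
    <!-- Only accept calls from the assumed corporate range (203.0.113.0/24 is a placeholder);
         any other source address gets a 403 before anything else runs -->
    <ip-filter action="allow">
      <address-range from="203.0.113.0" to="203.0.113.255" />
    </ip-filter>
    <!-- Require a signed, unexpired bearer token from Microsoft Entra ID.
         {tenant-id}, the audience and the required role are assumptions for this example -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  require-expiration-time="true" require-signed-tokens="true"
                  failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://orders-api</audience>
      </audiences>
      <required-claims>
        <claim name="roles" match="any">
          <value>Orders.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- Call-rate limiting per developer: 100 calls per 60-second window, keyed on the
         subscription (assumes a protected product, so a subscription is always present) -->
    <rate-limit-by-key calls="100" renewal-period="60" counter-key="@(context.Subscription.Id)" />
    <!-- Do not leak the gateway subscription key to the backend -->
    <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
    <!-- Format conversion: XML responses from a legacy backend are returned to callers as JSON -->
    <xml-to-json kind="direct" apply="content-type-xml" consider-accept-header="false" />
    <!-- Strip server fingerprinting headers before the response leaves the gateway -->
    <set-header name="Server" exists-action="delete" />
    <set-header name="X-Powered-By" exists-action="delete" />
  </outbound>
  <on-error>
    <base />
    <!-- 4xx results produced by the inbound statements (401 from validate-jwt, 429 from the
         rate limit) pass through unchanged; backend failures (5xx) get a generic body so the
         backend's own error text never reaches the caller -->
    <choose>
      <when condition="@(context.Response.StatusCode >= 500)">
        <set-header name="Content-Type" exists-action="override">
          <value>application/json</value>
        </set-header>
        <set-body>{"error":"upstream failure"}</set-body>
      </when>
    </choose>
  </on-error>
</policies>
```

Assign this at the API scope; `<base />` keeps the product- and global-scope statements in effect, and because statements run sequentially, rejecting unauthenticated or off-range callers before the rate limiter means they never consume a legitimate subscriber's quota.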

Backend API

A service, most commonly HTTP-based, that implements an API and its operations. Sometimes backend APIs are referred to simply as backends. For more information, see Backends.

Frontend API

API Management serves as a mediation layer over the backend APIs. A frontend API is an API that is exposed to API consumers from API Management. You can customize the shape and behavior of a frontend API in API Management without making changes to the backend API(s) that it represents.

Products

Products are how APIs are surfaced to developers. Products in API Management have one or more APIs, and can be open or protected. Protected products require a subscription key, while open products can be consumed freely.

Version

A version is a distinct variant of an existing frontend API that differs in shape or behavior from the original. Versions give customers the choice of sticking with the original API or upgrading to a new version at a time of their choosing. Versions are the mechanism for releasing breaking changes without impacting existing API consumers.

APIM with AKS

APIM can be used with AKS in various use cases; the main question is how the gateway reaches workloads inside the cluster.

Should we connect to pods?

In a Kubernetes cluster, containers are deployed in Pods, which are ephemeral and have a lifecycle. When a worker node dies, the Pods running on the node are lost. Therefore, the IP address of a Pod can change anytime. We cannot rely on it to communicate with the pod.

To solve this problem, Kubernetes introduced the concept of Services. A Kubernetes Service is an abstraction layer that defines a logical group of Pods and provides external traffic exposure, load balancing, and service discovery for those Pods.

Direct

Services in an AKS cluster can be exposed publicly using Service types of NodePort, LoadBalancer, or ExternalName. In this case, Services are accessible directly from the public internet.

After deploying API Management in front of the cluster, the gateway can be bypassed unless each microservice authenticates its callers itself, so we need to ensure all inbound traffic goes through API Management by applying authentication in the microservices (for example, validating a credential that only the gateway presents).

Using Ingress

If an API Management instance does not reside in the cluster VNet, Mutual TLS authentication (mTLS) is a robust way of ensuring the traffic is secure and trusted in both directions between an API Management instance and an AKS cluster.

Mutual TLS authentication is natively supported by API Management and can be enabled in Kubernetes by installing an Ingress Controller. As a result, authentication is performed in the Ingress Controller, which simplifies the microservices. Additionally, you can add the IP addresses of API Management to the Ingress's source-IP allow list to make sure only API Management has access to the cluster.
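The gateway side of that setup, as an added example that is not on the original page and not Azure's own sample: an API-scope policy that pins the backend to the ingress controller and presents a client certificate for mTLS. The hostname `ingress.internal.example.com`, the virtual host `orders.example.com`, and the thumbprint are placeholders, and the client certificate is assumed to have been uploaded to the APIM instance's Certificates store beforehand.

```xml
<policies>
  <inbound>
    <base />
    <!-- Send every call to the AKS ingress controller rather than to individual Services or Pods
         (hostname is a placeholder for this example) -->
    <set-backend-service base-url="https://ingress.internal.example.com" />
    <!-- Present the gateway's client certificate so the ingress can verify it is really APIM calling.
         The thumbprint selects a certificate uploaded to the APIM instance; the value is a placeholder -->
    <authentication-certificate thumbprint="0123456789ABCDEF0123456789ABCDEF01234567" />
    <!-- The ingress routes by virtual host, so set the Host header the ingress rule expects -->
    <set-header name="Host" exists-action="override">
      <value>orders.example.com</value>
    </set-header>
    <!-- The ingress only sees the gateway's address; forward the original caller for the service's logs -->
    <set-header name="X-Forwarded-For" exists-action="override">
      <value>@(context.Request.IpAddress)</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

For the TLS to be mutual in both directions, APIM must also be able to validate the ingress's server certificate: if the ingress uses a private CA, upload that CA to the instance's CA certificates rather than disabling chain validation on the backend. On the cluster side with ingress-nginx, client-certificate verification is turned on with the `nginx.ingress.kubernetes.io/auth-tls-secret` and `nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"` annotations, and the gateway's public IP goes into `nginx.ingress.kubernetes.io/whitelist-source-range` so that only API Management can reach the ingress.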

Revision and Version

Version: for breaking changes; consumers opt in by calling a different version.

Revision: for non-breaking changes; a revision can be tested on its own and then made current without changing the URL consumers call.

