Monday, 9 January 2017

What is API Management?


API Management helps organizations publish APIs to external, partner and internal developers to unlock the potential of their data and services. Businesses everywhere are looking to extend their operations as a digital platform, creating new channels, finding new customers and driving deeper engagement with existing ones. API Management provides the core competencies to ensure a successful API program through developer engagement, business insights, analytics, security and protection.
Azure API Management lets you add many features to your API, including access control, rate limiting, monitoring, event logging, and response caching, with minimal work on your part.
To use API Management, administrators create APIs. Each API consists of one or more operations, and each API can be added to one or more products. To use an API, developers subscribe to a product that contains that API, and then they can call the API's operation, subject to any usage policies that may be in effect.
This topic provides an overview of API Management key concepts.
For more information, see the Cloud-based API Management: Harnessing the Power of APIs (PDF) whitepaper. This introductory whitepaper on API Management by CITO Research covers:
·         Common API requirements and challenges
·         Decoupling APIs and presenting facades
·         Getting developers up and running quickly
·         Securing access
·         Analytics and metrics
·         Gaining control and insight with an API Management platform
·         Using cloud vs on-premise solutions
·         Azure API Management

APIs and operations

APIs are the foundation of an API Management service instance. Each API represents a set of operations available to developers. Each API contains a reference to the back-end service that implements the API, and its operations map to the operations implemented by the back-end service. Operations in API Management are highly configurable, with control over URL mapping, query and path parameters, request and response content, and operation response caching. Rate limit, quotas, and IP restriction policies can also be implemented at the API or individual operation level.


Products

Products are how APIs are surfaced to developers. Products in API Management have one or more APIs, and are configured with a title, description, and terms of use. Products can be Open or Protected. Protected products must be subscribed to before they can be used, while open products can be used without a subscription. When a product is ready for use by developers it can be published. Once it is published, it can be viewed (and in the case of protected products subscribed to) by developers. Subscription approval is configured at the product level and can either require administrator approval, or be auto-approved.
Groups are used to manage the visibility of products to developers. Products grant visibility to groups, and developers can view and subscribe to the products that are visible to the groups in which they belong.


Groups

Groups are used to manage the visibility of products to developers. API Management has the following immutable system groups.
·         Administrators - Azure subscription administrators are members of this group. Administrators manage API Management service instances, creating the APIs, operations, and products that are used by developers.
·         Developers - Authenticated developer portal users fall into this group. Developers are the customers that build applications using your APIs. Developers are granted access to the developer portal and build applications that call the operations of an API.
·         Guests - Unauthenticated developer portal users, such as prospective customers visiting the developer portal of an API Management instance fall into this group. They can be granted certain read-only access, such as the ability to view APIs but not call them.
In addition to these system groups, administrators can create custom groups or leverage external groups in associated Azure Active Directory tenants. Custom and external groups can be used alongside system groups in giving developers visibility and access to API products. For example, you could create one custom group for developers affiliated with a specific partner organization and allow them access to the APIs from a product containing relevant APIs only. A user can be a member of more than one group.


Developers

Developers represent the user accounts in an API Management service instance. Developers can be created or invited to join by administrators, or they can sign up from the Developer portal. Each developer is a member of one or more groups, and can subscribe to the products that grant visibility to those groups.
When developers subscribe to a product they are granted the primary and secondary key for the product. This key is used when making calls into the product's APIs.


Policies

Policies are a powerful capability of API Management that allow the publisher to change the behavior of the API through configuration. Policies are a collection of statements that are executed sequentially on the request or response of an API. Popular statements include format conversion from XML to JSON and call rate limiting to restrict the number of incoming calls from a developer, and many other policies are available.
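A policy definition that combines the statements named on this page (IP restriction, rate limit, quota, and XML-to-JSON conversion) is shown below. It is an added example, not part of the original article; the call limits, renewal periods, and the address range (a documentation-only range) are constructed values.

```xml
<policies>
    <inbound>
        <!-- Inherit whatever policies are defined at the enclosing scope. -->
        <base />

        <!-- Statements execute in order, so the IP restriction runs first:
             callers outside the allowed range are rejected before any
             rate-limit or quota counter is touched. -->
        <ip-filter action="allow">
            <!-- Constructed value: 203.0.113.0/24 is reserved for documentation. -->
            <address-range from="203.0.113.0" to="203.0.113.255" />
        </ip-filter>

        <!-- Short-term burst control: at most 10 calls per 60 seconds
             for each subscription (constructed limits). -->
        <rate-limit calls="10" renewal-period="60" />

        <!-- Long-term usage cap: at most 10000 calls per 604800 seconds
             (one week) for each subscription (constructed limits). -->
        <quota calls="10000" renewal-period="604800" />
    </inbound>

    <backend>
        <base />
    </backend>

    <outbound>
        <base />

        <!-- Format conversion on the response: an XML body returned by the
             back-end service is converted to JSON before it reaches the caller. -->
        <xml-to-json kind="direct" apply="always" consider-accept-header="false" />
    </outbound>

    <on-error>
        <base />
    </on-error>
</policies>
```

The `inbound` section applies to the request and the `outbound` section to the response, which is where the ordering of statements becomes a security decision: access restrictions belong ahead of anything that consumes counters or reaches the back end.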

Developer portal

The developer portal is where developers can learn about your APIs, view and call operations, and subscribe to products. Prospective customers can visit the developer portal, view APIs and operations, and sign up. The URL for your developer portal is located on the dashboard in the Azure Classic Portal for your API Management service instance.
You can customize the look and feel of your developer portal by adding custom content, customizing styles, and adding your branding.

Connecting your on-premises network to Azure

Many organizations have an existing on-premises infrastructure that they wish to integrate with Azure. This enables organizations to migrate existing applications to the cloud, and also to take advantage of the scalability, availability, security, and other enterprise features that Azure offers for new applications. The key part of this scenario is understanding how to establish a secure and robust network connection between your organization and Azure.
The patterns & practices group has created a set of reference architectures to address these scenarios. Each reference architecture demonstrates one approach to creating hybrid networks with Azure, and includes:
·         Recommendations and best practices.
·         Considerations for availability, security, scalability, and manageability.
·         An Azure Resource Manager template that you can modify and deploy.
This article gives a summary of each reference architecture, and helps you to decide which solution will best meet your needs.

Using a virtual private network connection

You can use Azure VPN Gateway to create a virtual private network (VPN) connection for sending network traffic between Azure virtual networks and on-premises locations. The network traffic flows between the on-premises network and an Azure Virtual Network (VNet) through an IPSec VPN tunnel.

This architecture is suitable for hybrid applications where the traffic between on-premises hardware and the cloud is likely to be light, or it is beneficial to trade slightly extended latency for the flexibility and processing power of the cloud.
Benefits of using a VPN connection:
·         Simple to configure.
Considerations for using a VPN connection:
·         Requires an on-premises VPN device.
·         Although Microsoft guarantees 99.9% availability for each VPN Gateway, this SLA only covers the VPN gateway, and not your network connection to the gateway.
·         A VPN connection over Azure VPN Gateway currently supports a maximum of 200 Mbps bandwidth. You may need to partition your Azure virtual network across multiple VPN connections if you expect to exceed this throughput.

Using an Azure ExpressRoute connection

ExpressRoute connections are high-bandwidth network connections that use a private dedicated link made through a third-party connectivity provider. The private connection extends your on-premises network into Azure, providing access to your own IaaS infrastructure in Azure, public endpoints used in PaaS services, and Office 365 SaaS services.

This architecture is suitable for hybrid applications with the following characteristics:
·         Applications running large-scale, mission-critical workloads that require a high degree of scalability.
·         Large-scale backup and restore facilities for data that must be saved off-site.
·         Handling Big Data workloads.
·         Using Azure as a disaster-recovery site.
Benefits of using an ExpressRoute connection:
·         Much higher bandwidth available; up to 10 Gbps depending on the connectivity provider.
·         Supports dynamic scaling of bandwidth to help reduce costs during periods of lower demand. However, not all connectivity providers have this option.
·         May allow your organization direct access to national clouds, depending on the connectivity provider.
·         99.9% availability SLA across the entire connection.
Considerations for using an ExpressRoute connection:
·         Can be complex to set up. Creating an ExpressRoute connection requires working with a third-party connectivity provider. The provider is responsible for provisioning the network connection.
·         Requires high bandwidth routers on-premises.

Using Azure VPN Gateway to provide a failover connection for Azure ExpressRoute

Any network can suffer outages. If you are running mission-critical services in Azure, you will require a fallback position, possibly with reduced bandwidth. For example, you can provide a VPN connection alongside an ExpressRoute circuit. Under normal circumstances, the traffic flows between the on-premises network and an Azure virtual network through the ExpressRoute connection. If there is a loss of connectivity in the ExpressRoute circuit, traffic will be routed through an IPSec VPN tunnel instead.
Benefits of using a failover VPN connection:
·         High availability in the event of an ExpressRoute circuit failure, although the fallback connection is on a lower bandwidth network.
Considerations for using a failover VPN connection:
·         Complex to configure. You need to set up both a VPN connection and an ExpressRoute circuit.
·         Requires redundant hardware (VPN appliances), and a redundant Azure VPN Gateway connection for which you pay charges.