Azure Api Management

Uploaded by

Anh Trần Thế

AZURE API MANAGEMENT (APIM) DOCUMENT

1. APIM introductions
- API Management is a platform-as-a-service that supports the complete API lifecycle.
- APIs enable digital experiences, simplify application integration, underpin new digital
products, and make data and services reusable and universally accessible. With the
proliferation and increasing dependency on APIs, organizations need to manage
them as first-class assets throughout their lifecycle.
- Azure API Management helps customers meet these challenges:
o Abstract backend architecture diversity and complexity from API consumers
o Securely expose services hosted on and outside of Azure as APIs
o Protect, accelerate, and observe APIs
o Enable API discovery and consumption by internal and external users
2. APIM scenarios
- Unlocking legacy assets - APIs are used to abstract and modernize legacy backends
and make them accessible from new cloud services and modern applications. APIs
allow innovation without the risk, cost, and delays of migration.
- API-centric app integration - APIs are easily consumable, standards-based, and self-
describing mechanisms for exposing and accessing data, applications, and processes.
They simplify and reduce the cost of app integration.
- B2B integration - APIs exposed to partners and customers lower the barrier to
integrate business processes and exchange data between business entities. APIs
eliminate the overhead inherent in point-to-point integration. Especially with self-
service discovery and onboarding enabled, APIs are the primary tools for scaling B2B
integration.
3. APIM components: APIM is made up of an API gateway, a management plane,
and a developer portal
a. API gateway: All requests from client applications first reach the API gateway,
which then forwards them to respective backend services. The API gateway acts as a
facade to the backend services, allowing API providers to abstract API
implementations and evolve backend architecture without impacting API consumers.
The gateway enables consistent configuration of routing, security, throttling,
caching, and observability. Specifically, the gateway:
  - Acts as a facade to backend services by accepting API calls and routing them
  to appropriate backends
  - Verifies API keys and other credentials such as JWT tokens and certificates
  presented with requests
  - Enforces usage quotas and rate limits
  - Optionally transforms requests and responses as specified in policy
  statements
  - If configured, caches responses to improve response latency and minimize
  the load on backend services
  - Emits logs, metrics, and traces for monitoring, reporting, and troubleshooting
b. Management plane: API providers interact with the service through the
management plane, which provides full access to the API Management service
capabilities. We will use the management plane to:
  - Provision and configure API Management service settings
  - Define or import API schemas from a wide range of sources, including
  OpenAPI, WSDL, and OData definitions, Azure compute services, and
  WebSocket, GraphQL, and gRPC backends
  - Package APIs into products
  - Set up policies like quotas or transformations on the APIs
  - Get insights from analytics
  - Manage users
c. Developer portal: The open-source developer portal is an automatically
generated, fully customizable website with the documentation of your APIs. Using
the developer portal, developers can:
  - Read API documentation
  - Call an API via the interactive console
  - Create an account and subscribe to get API keys
  - Access analytics on their own usage
  - Download API definitions
  - Manage API keys

The sections above describe APIM and its components in detail. Below are the
answers to the questions provided in the ticket:
1. How to define a common authentication protocol in APIM and implement it in the APIs?
- To define a common authentication protocol in Azure API Management, you can use
policies to validate tokens or authenticate with a managed identity. This approach will
use OAuth 2.0 authorization with Microsoft Entra ID to protect an API.
  - Validate tokens: Use the validate-jwt or validate-azure-ad-token policy to validate a
  token before the gateway passes the request to the backend.
  - Authenticate with a managed identity: Use the authentication-managed-identity
  policy to obtain an access token from Microsoft Entra ID. The policy then
  sets the token in the Authorization header.
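
The two policies described above, combined in one API-scope policy document. This is an added example, not part of the original document; the named values `{{entra-tenant-id}}`, `{{api-audience}}` and `{{backend-app-id-uri}}` and the scope `Data.Read` are assumptions to be replaced with your own.

```xml
<!-- Added example. Values in {{...}} are assumed APIM named values. -->
<policies>
    <inbound>
        <base />
        <!-- Step 1: the gateway rejects the call with 401 unless it carries a
             Microsoft Entra ID access token from the expected tenant, issued
             for this API (audience) and holding the required scope. -->
        <validate-azure-ad-token tenant-id="{{entra-tenant-id}}"
                                 header-name="Authorization"
                                 failed-validation-httpcode="401"
                                 failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                                 output-token-variable-name="caller-jwt">
            <audiences>
                <audience>{{api-audience}}</audience>
            </audiences>
            <required-claims>
                <!-- "scp" is a space-separated list of delegated scopes.
                     Data.Read is a constructed scope name. -->
                <claim name="scp" match="any" separator=" ">
                    <value>Data.Read</value>
                </claim>
            </required-claims>
        </validate-azure-ad-token>

        <!-- Step 2: the gateway obtains its own token for the backend with its
             managed identity. This policy overwrites the Authorization header,
             so it must come after validation; the backend then sees the
             gateway's identity, not the caller's. -->
        <authentication-managed-identity resource="{{backend-app-id-uri}}" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

If the backend only accepts tokens issued to the gateway's managed identity, calls that bypass APIM are refused even when the backend URL is known.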

2. How to produce Swagger / OpenAPI JSON documentation in each API that is
considered valid and recognizable by APIM?
- To get valid Swagger / OpenAPI JSON documentation, we need to do the following
steps:
  - Create a new Web API in .NET 8.0 with OpenAPI enabled.
  - Provide OpenAPI documentation in an existing project by installing the
  Swashbuckle.AspNetCore NuGet package.
  - Register some services and add some middleware to the project.
  - Enrich the documentation via XML comments and attributes (if needed):
  generate and read documentation comments (XML), define API responses
  (HTTP codes and types), define media types (consumed and produced),
  define filters, define API examples (request and response), …
  - Deploy this website to Azure App Service or in a container. You will get
  a URL something like this: https://testwebsite.azurewebsites.net?format=json
  - Use this URL to import the API into APIM.

3. Environment-specific deployment strategy / procedures, i.e. first deploy the API to a
regular App Svc, then "register" the API with APIM?
- We need to store secret information such as the secret, applicationId, tenantId, … in
Azure Key Vault, and the application will receive this information at startup in
Azure App Service. Besides that, we also store environment-dependent information,
such as the website URL, in an environment variable.

4. API management and discovery in APIM?
- To discover APIs in Azure API Management, you can browse the developer portal or use
the API Management REST API.
  - Developer portal: A web-based portal that lists all available APIs. You can
  explore APIs, authenticate against them, and view your changes after
  publishing the portal.
  - API Management REST API: You can use this API to programmatically discover
  APIs.
5. Anything special in APIM with logging / monitoring?
- To implement this, we can do the following:
  - Use the API analytics in Azure API Management to get the information for
  logging
  - Use Azure Event Hubs in Azure API Management to log events
  - Use Azure Application Insights integrated with Azure API Management
  - Visualize API Management monitoring data using a Managed Grafana
  dashboard for monitoring

In conclusion, we have some questions for you about how APIM will be integrated
with the CPData project:

1. In CP Data, which method will we use to secure the API: OAuth 2.0 with Microsoft Entra,
Azure AD, or other methods?
2. Are there any other Azure services that APIM needs to connect to?
3. Will we set up throttling and rate-limiting policies to prevent DDoS attacks?
4. Regarding logging and monitoring, will we use Azure App Insights?
5. How will APIM be integrated into our CI/CD pipeline to automate the deployment and
management of APIs?
