AzureBootcamp2023: Azure API Management by Michael Rüefli

Transcript

1. None

2. Azure API Management More than a façade for your APIs

   Michael Rüefli

3. Michael Rüefli Partner | Solutions Architect scopewyse GmbH [email protected] www.miru.ch

   @drmiru drmiru About me | Tech Azure Cloud Platform & Security Security in focus, MCT (Microsoft Certified Trainer) Community worker About me | Private Father, Husband, Skydiver, Skier

4. Agenda ▪ APIM overview ▪ Deployment models ▪ Publish your

   1st API ▪ Gotchas ▪ Security ▪ Q&A

5. Azure API Management overview

6. What is APIM? Let's ask someone who should know ;-)

7. ▪ Azure API Management is a cloud-based service that enables

   organizations to create, publish, and manage APIs. ▪ With Azure API Management, organizations can secure, scale, and analyze their APIs to better serve their customers and partners. What is Azure API Management

8. Overview

9. ▪ Centralize access to APIs / web services ▪ Version

   control ▪ Authentication & protection ▪ Request & response mods ▪ Performance optimization ▪ API usage tracking Typical use cases

10. ▪ REST ▪ SOAP ▪ oDATA ▪ GraphQL ▪ Websockets

    Protocol support

11. Next Gen Firewall Web Application Firewall Proxy for frontend apps

    What API Management is not

12. SKUs Developer Consumption Basic Standard Premium Private Endpoint Vnet Integration

    SLA Self hosted GWs Policies Availability zones Developer Portal Gitops Multiple custom domains https://learn.microsoft.com/en-us/azure/api-management/api-management-features

13. DEMO

14. Deployment models API Management Self hosted Gateway Backend Service API

    Management Backend Service VPN / ER private API Management Backend Service VPN / ER private App Gateway WAF private public public Backend Service Backend Service HTTPS Backend Service Cloud / Hybrid Hybrid Hybrid Secured

15. Private networking API Management Private Endpoint Private DNS Zone subnet

    vnet Private Ingress Public Egress API Management Private DNS Zone subnet vnet Private Ingress Private Egress Backend Service Backend Service Gateway vNET Integration Private Link

16. Internal / External APIs

17. Publishing an API

18. 1. Create an API definition 2. Create / adapt policies

    3. Create a product 4. Add API to the product 5. Publish product 6. Assign subscription to the product API Publishing

19. ▪ CORS ▪ Rate Limiting ▪ Header ▪ validation ▪

    Manipulation ▪ Cache Policies - define what happens to calls

20. Demo

21. Gotchas

22. ▪ Private Endpoint and vNet injection can't be combined ▪

    APIM delegated subnet needs to be in Hub vNet ▪ vNet integrated APIM + WAF = split DNS config Gotchas (1/2)

23. ▪ UDR on APIM Subnet: 0.0.0.0/0 -> NH: Internet ▪

    Changes on vNet / custom Domain config require instance reboot ~25min ▪ Using NSG on APIM subnet -> https://learn.microsoft.com/en-us/azure/api-management/api-management- using-with-vnet?tabs=stv2#configure-nsg-rules Gotchas (2/2)

24. Security

25. ▪ Use WAF in front of APIM ▪ Be strict

    giving API master keys ▪ Use JWT validation policy for AAD AuthN ▪ Pull named values (secrets) from a Key Vault ▪ Restrict trace functionality to Admins Security Good Practices API Management Networking Authentication Configuration Policies

26. Q&A

27. None