
Slide 2

Slide 2 text

Azure API Management
More than a façade for your APIs
Michael Rüefli

Slide 3

Slide 3 text

Michael Rüefli
Partner | Solutions Architect, scopewyse GmbH
michael.rueefli@scopewyse.com
www.miru.ch
@drmiru

About me | Tech
▪ Azure Cloud Platform & Security
▪ Security in focus
▪ MCT (Microsoft Certified Trainer)
▪ Community worker

About me | Private
▪ Father, Husband, Skydiver, Skier

Slide 4

Slide 4 text

Agenda
▪ APIM overview
▪ Deployment models
▪ Publish your 1st API
▪ Gotchas
▪ Security
▪ Q&A

Slide 5

Slide 5 text

Azure API Management overview

Slide 6

Slide 6 text

What is APIM? Let's ask someone who should know ;-)

Slide 7

Slide 7 text

What is Azure API Management
▪ Azure API Management is a cloud-based service that enables organizations to create, publish, and manage APIs.
▪ With Azure API Management, organizations can secure, scale, and analyze their APIs to better serve their customers and partners.

Slide 8

Slide 8 text

Overview

Slide 9

Slide 9 text

Typical use cases
▪ Centralize access to APIs / web services
▪ Version control
▪ Authentication & protection
▪ Request & response mods
▪ Performance optimization
▪ API usage tracking

Slide 10

Slide 10 text

Protocol support
▪ REST
▪ SOAP
▪ OData
▪ GraphQL
▪ WebSockets

Slide 11

Slide 11 text

What API Management is not
▪ Next Gen Firewall
▪ Web Application Firewall
▪ Proxy for frontend apps

Slide 12

Slide 12 text

SKUs (feature matrix; the per-SKU checkmarks did not survive extraction)
Tiers: Developer, Consumption, Basic, Standard, Premium
Features compared: Private Endpoint, VNet Integration, SLA, Self hosted GWs, Policies, Availability zones, Developer Portal, GitOps, Multiple custom domains
https://learn.microsoft.com/en-us/azure/api-management/api-management-features

Slide 13

Slide 13 text

DEMO

Slide 14

Slide 14 text

Deployment models (diagram)
▪ Cloud / Hybrid: API Management (public) -> Backend Service over HTTPS; Self hosted Gateway next to the Backend Service
▪ Hybrid: API Management -> VPN / ER (private) -> Backend Service
▪ Hybrid Secured: App Gateway WAF (public) -> API Management (private) -> VPN / ER (private) -> Backend Service

Slide 15

Slide 15 text

Private networking (diagram)
▪ Private Link: API Management with a Private Endpoint in a subnet of the vnet, Private DNS Zone; private ingress, public egress to the Backend Service
▪ Gateway vNET Integration: API Management injected into a subnet of the vnet, Private DNS Zone; private ingress, private egress to the Backend Service

Slide 16

Slide 16 text

Internal / External APIs

Slide 17

Slide 17 text

Publishing an API

Slide 18

Slide 18 text

API Publishing
1. Create an API definition
2. Create / adapt policies
3. Create a product
4. Add API to the product
5. Publish product
6. Assign subscription to the product

Slide 19

Slide 19 text

Policies - define what happens to calls
▪ CORS
▪ Rate Limiting
▪ Header
  ▪ validation
  ▪ manipulation
▪ Cache

Slide 20

Slide 20 text

Demo

Slide 21

Slide 21 text

Gotchas

Slide 22

Slide 22 text

Gotchas (1/2)
▪ Private Endpoint and vNet injection can't be combined
▪ APIM delegated subnet needs to be in Hub vNet
▪ vNet integrated APIM + WAF = split DNS config

Slide 23

Slide 23 text

Gotchas (2/2)
▪ UDR on APIM subnet: 0.0.0.0/0 -> next hop (NH): Internet
▪ Changes on vNet / custom domain config require an instance reboot (~25 min)
▪ Using NSG on APIM subnet -> https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet?tabs=stv2#configure-nsg-rules

Slide 24

Slide 24 text

Security

Slide 25

Slide 25 text

Security Good Practices
▪ Use WAF in front of APIM
▪ Be strict when handing out API master keys
▪ Use JWT validation policy for AAD AuthN
▪ Pull named values (secrets) from a Key Vault
▪ Restrict trace functionality to Admins
(diagram labels: API Management, Networking, Authentication, Configuration, Policies)
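As an added example (not from the slides), one API-scope policy document that wires the items from the Policies slide together with the JWT-validation and Key Vault-backed named value practices above. The tenant id, app id, origin, role name and the named value `backend-api-key` are placeholders chosen for this example.

```xml
<!-- Added example policy. Placeholders: {tenant-id}, {api-client-id}; backend-api-key is a named value assumed to be backed by Key Vault. -->
<policies>
  <inbound>
    <base />
    <!-- CORS: allow only the listed origin, never "*" -->
    <cors allow-credentials="false">
      <allowed-origins>
        <origin>https://portal.example.com</origin>
      </allowed-origins>
      <allowed-methods>
        <method>GET</method>
        <method>POST</method>
      </allowed-methods>
    </cors>
    <!-- AAD AuthN: reject calls without a signed, unexpired bearer token issued for this API -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  require-signed-tokens="true" require-expiration-time="true"
                  failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://{api-client-id}</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
      </issuers>
      <required-claims>
        <claim name="roles" match="any">
          <value>Orders.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- Rate limiting per subscription key (falls back to the source IP) -->
    <rate-limit-by-key calls="100" renewal-period="60"
                       counter-key="@(context.Subscription?.Key ?? context.Request.IpAddress)" />
    <!-- Header manipulation: inject the backend secret from the named value; the client never sees or supplies it -->
    <set-header name="X-Backend-Key" exists-action="override">
      <value>{{backend-api-key}}</value>
    </set-header>
    <!-- Cache: vary per developer so one caller's cached response is never served to another -->
    <cache-lookup vary-by-developer="true" vary-by-developer-groups="false" />
  </inbound>
  <backend><base /></backend>
  <outbound>
    <base />
    <cache-store duration="60" />
  </outbound>
  <on-error><base /></on-error>
</policies>
```

`rate-limit-by-key` is not available in the Consumption tier, and a Key Vault-backed named value needs the APIM managed identity granted access to the vault.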

Slide 26

Slide 26 text

Q&A
