In a multi-region Azure API Management setup there are two different subscription keys for the same API. What is the best practice a client must use to pass API subscription keys so that the API call works properly even if the request is processed by any of the APIM instances in the multi-region setup?
Below is the response from Microsoft:
https://feedback.azure.com/forums/248703-api-management/suggestions/34340350-subscription-key-client-should-pass-for-api-deploy
So, I was following this tutorial and successfully published the web API to both Azure App Service and Azure API Management. Then (going beyond the tutorial) I added a rate-limit policy to the API in the API Management service.
I tested it successfully on the API Management Test tab. However, if I access the App Service route URL (https://***.azurewebsites.net/) it will not throttle.
What am I missing here?
How do I make the policy active for the App Service URL?
Markus Meyer did a good job explaining how it's supposed to be used.
I think that you might benefit from this diagram showing the differences between calling your service through APIM or directly.
"What am I missing here?"
I think you're missing that API Management is a service, totally separate from your App Service. You do not "extend" the features of the App Service with APIM; you instead put APIM in front of your App Service and call your API through APIM to gain the benefits (of rate limiting in this example).
Requests to https://***.azurewebsites.net/ belong to Azure App Service.
If you want to make requests to API Management, the default hostname is azure-api.net:
https://***.azure-api.net/
If you want to use throttling from API Management, you have to use the API Management URL like you did in the Test tab.
I am starting with an Azure Function in which I am creating an API function. After creating that function, I need to protect it.
Previously, I used the Microsoft Identity Platform to protect API resources, in which I created a registration in Azure AD for the API, exposed the scopes, and added the client apps to the list to provide access to the resources. Furthermore, it required confirming the 'API permission' in the client app's Azure AD registration.
So, is there anything similar I can do, and do you think it would be a good option, or are there other options to pick from?
I read about the function key, but I read it is good for development but not for production.
I read about the function key, but I read it is good for development but not for production.
As you can see in this MS Doc, Microsoft mentioned that authorization keys along with App Service Authentication are good for securing the HTTP endpoints at all stages, like dev, testing and production environments, in Azure Functions.
Also, there are multiple ways to secure your function API, such as authorization keys, using APIM, or Front Door + WAF for restricting the incoming requests.
One of my workarounds (72633969) shows how to secure Azure Functions by restricting the function app from internet access and allowing access only from the APIM instance.
The steps I followed for the above solution in securing the Azure Function App APIs through APIM are:
Created an HTTP trigger function in the Function App.
Added the allowed IP addresses in the Access Restrictions of the Azure Function App portal menu > Networking tab.
Set the authorization level of the API to the "Function" level or a custom key-value level, which adds more security after adding it to the APIM instance.
Added/imported the Function API in the APIM instance and checked from both an allowed IP address and a non-allowed IP address (System).
More information on securing APIs using an APIM instance is given in the above Microsoft documentation.
Authorization keys are a default security mechanism, which is better if the keys are not published in public applications or publicly shared.
For a better security mechanism, choose different options for the production environment. The other ways should be followed from the above-mentioned comment; also refer to MS Q&A forum post 801055, where the user #LohithGN provided the same.
I have a REST endpoint, say xyz.com/getValues, as a back-end service. This is not an Azure resource. I can call this endpoint from Postman with the proper BODY as a POST request. It works generally fine. Now I have got an OpenAPI specification for this and I imported it into Azure API Management. I set the backend service to xyz.com. But while testing it, I received a 500 Internal Server Error, and in the traces I found the error below.
forward-request (139.450 ms)
{
"messages": [
"Error occured while calling backend service.",
"The remote name could not be resolved: 'xyz.com'"
]
}
There are some points I would like to mention.
I am using the Consumption tier of Azure API Management.
xyz.com is not a public service. It is just an application deployed in the company network.
I need a suggestion on how to solve this. I am doing a POC and am new to Azure API Management. Any help would be appreciated.
Thank you Melissa. Posting your suggestions as an answer to help other community members.
You need to put non-Azure APIs into a VNET, and then you can use them in APIM on Azure.
We can use non-Azure APIMs.
Azure Arc enabled API Management allows customers to leverage a self-hosted API gateway, which expands API Management support for hybrid and multi-cloud environments and enables Azure customers to efficiently and securely manage APIs hosted on-premises and across clouds from a single API Management service in Azure.
See the VNET configuration with APIM documentation.
Check Non-Azure APIM to use APIs
Open the SO for further inputs.
I have the following requirement.
Currently we have different back-end public-facing API applications (not in Azure) for each tenant. We are building a mobile application. For that we have come up with an integration layer where we invoke multiple APIs from our back-end API applications using Azure Logic Apps.
These Logic App URLs will further be integrated with API Management.
But we are looking for the possibility to reroute the request to the relevant back-end API application based on the tenant ID, which we pass as a query string parameter.
Can anyone please help me understand whether the Azure API gateway supports rerouting URLs to external public-facing applications (the back-end applications are not in Azure)?
We are planning to move the back-end applications to Azure, but not in the near future. Meanwhile we wanted to have a solution.
Currently we are storing the host name and tenant ID in Table storage. So based on the tenant ID we fetch the host name and form the URL with the relevant host name.
Any other alternative ideas are also highly appreciated. If you need any other information, please let me know.
I believe the approach you are taking is the right one. The same in APIM can be achieved by using the set-backend-service policy.
You could either fetch the hostname from table storage in APIM using the send-request policy (cache the result for better latency).
Or you can use Named Values to store the mappings and remove table storage altogether.
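As an added example (not code from the answer above), the tenant-based rerouting with set-backend-service and Named Values instead of Table storage. It assumes the tenant ID arrives as a tenantId query parameter and that Named Values called backend-contoso and backend-fabrikam hold the tenant host names; both names are constructed for the example.

```xml
<policies>
    <inbound>
        <base />
        <!-- Read the tenant ID from the query string; empty string if absent -->
        <set-variable name="tenantId" value="@(context.Request.Url.Query.GetValueOrDefault("tenantId", ""))" />
        <!-- Resolve the backend base URL for the tenant. The mapping is constructed here;
             {{backend-contoso}} and {{backend-fabrikam}} are assumed Named Values, substituted
             into the expression before it is compiled, so no host names live in the policy. -->
        <set-variable name="backendUrl" value="@{
            var backends = new Dictionary<string, string>
            {
                { "contoso", "{{backend-contoso}}" },
                { "fabrikam", "{{backend-fabrikam}}" }
            };
            var tenant = ((string)context.Variables["tenantId"]).ToLowerInvariant();
            string url;
            return backends.TryGetValue(tenant, out url) ? url : "";
        }" />
        <choose>
            <!-- Unknown or missing tenant: fail closed instead of forwarding to a default backend -->
            <when condition="@(string.IsNullOrEmpty((string)context.Variables["backendUrl"]))">
                <return-response>
                    <set-status code="400" reason="Bad Request" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{"error": "unknown or missing tenantId"}</set-body>
                </return-response>
            </when>
            <otherwise>
                <!-- Reroute to the tenant's public backend; the operation path and query string are kept -->
                <set-backend-service base-url="@((string)context.Variables["backendUrl"])" />
            </otherwise>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Adding a tenant is then a new Named Value and one dictionary entry, and a request whose tenantId is not in the map is rejected at the gateway rather than reaching any backend.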
I have an Azure API Management service communicating with the Azure Functions runtime v1. Currently, when I deploy a new version of the Function App (using a CI/CD pipeline in Azure DevOps, with the built-in Microsoft tasks), the function keys (including the master key) change. Consequently, the key that the API Management API is injecting in the requests to the function is no longer valid, and I get a 401 Unauthorized. So, at the moment I have a task in the pipeline to update these keys any time I deploy the Function App. API Management provides a feature to enable Managed Identity, but when I try to create a role assignment in the Function App for the API Management service, under the system-assigned managed identity, I don't have the option for the API Management service. So I presume it is not possible to set up this role assignment between the two services, right? If not, then is there any suggestion for a workaround to avoid managing keys for the communication between the API Management service and Azure Functions?
Thanks
UPDATE
Managed Identity can now be used by leveraging the authentication-managed-identity policy.
Yes. Managed Identity cannot be used here.
One alternative would be to protect your function app with an IP restriction using the APIM instance's IP, which is guaranteed to be static as long as the instance isn't recreated, and setting the function to be an anonymous function.
Note that you might have problems accessing the function from the portal too, for which you would have to allow the public IP of the computer you are using, if required.
Another option would be to:
Set up authentication for your function app
Have APIM get an access token with the Client Credentials Flow using the send-request policy
Set this access token in the header to call the anonymous function
You could probably try caching this access token using the cache policies.