Design 24: API Management (APIM)

Summary

This design implements Azure API Management (APIM) as a gateway for all backend APIs.

Topology: APIM is deployed in a Spoke VNet (Internal Mode). It is accessed via Application Gateway (Design 18) or internally. It peers to the Hub to reach shared services.

1. Key Design Decisions (ADR)

ADR-01: Deployment Mode

  • Decision: Internal VNet Mode.
  • Rationale: We don't want APIM exposed directly to the internet. We want to front it with App Gateway (WAF) for security.

ADR-02: SKU

  • Decision: Premium (or Developer for POC).
  • Rationale: Only Premium/Developer supports VNet integration. Standard does not.

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  App Gateway |           |        HUB VNet          |           |  SPOKE VNet  |
|  (Design 18) |           |      (Shared DNS)        |           |  (APIM)      |
|              |           |                          |           |              |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       v                                | (Peering)                      |
+------+-------+                        v                                v
|  APIM        |           +------------+-------------+           +------+-------+
|  Internal IP |---------->| VPN Gateway              |<--------->|  APIM        |
|  (10.1.1.5)  |           | (Admin Access)           |           |  (Internal)  |
+--------------+           +--------------------------+           +------+-------+
                                                                         |
                                                                         v
                                                                  +------+-------+
                                                                  | Backend API  |
                                                                  | (Function)   |
                                                                  +--------------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | VPN Gateway           |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-apim-spoke (10.1.0.0/16)                             |
|   +---------------------------------------------------------------+   |
|   | Subnet: snet-apim (10.1.1.0/24)                               |   |
|   | NSG: nsg-apim (Allow Mgmt:3443, Allow LB:6390)                |   |
|   | [API Management]                                              |   |
|   | (Internal Mode: 10.1.1.5)                                     |   |
|   +-----------|---------------------------------------------------+   |
|               |                                                       |
|               v (Internal Traffic)                                    |
|   +-----------|---------------------------------------------------+   |
|   | Subnet: snet-backend (10.1.2.0/24)                            |   |
|   | [Azure Functions / Logic Apps]                                |   |
|   +---------------------------------------------------------------+   |
+---------------|-------------------------------------------------------+
                |
                | (Multi-Region Deployment)
                v
+-----------------------------------------------------------------------+
| SECONDARY REGION (West US) - DR Site                                  |
|                                                                       |
|   +-----------------------+                                           |
|   | APIM Gateway (Unit)   |                                           |
|   | (Active-Active)       |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • Developer Portal: Where developers discover APIs, sign up and obtain subscription keys.
  • Gateway: The engine that processes requests and applies the policies (auth, throttling, header manipulation) before calling the backend.

5. Strategy: High Availability (HA)

  • Scale Units: Add multiple units in East US.
  • Zones: Premium supports Availability Zones.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Multi-Region Deployment.
  • Process:

* In APIM Premium, you can click "Add Region" -> West US.

* Configuration (APIs, Policies) syncs automatically.

* If East US fails, traffic routes to West US (via Front Door or Traffic Manager).

7. Strategy: Backup

  • Config: Use the "Backup/Restore" blade to save configuration to a Storage Account.

8. Strategy: Security

  • Throttling: Limit users to 100 calls/minute (Rate Limiting).
  • Auth: Validate JWT tokens from Azure AD B2C (Design 23) before passing to backend.

9. Well-Architected Framework Analysis

  • Reliability: High.
  • Security: High. Centralized auth and throttling.
  • Cost Optimization: Low. Premium is expensive (~$2800/mo). Use Consumption/Standard for non-VNet scenarios.
  • Operational Excellence: High.
  • Performance Efficiency: High. Caching policies reduce backend load.

10. Detailed Traffic Flow

1. User: Calls api.contoso.com/products.

2. App Gateway: Forwards to APIM Internal IP (10.1.1.5).

3. APIM:

* Checks Subscription Key.

* Checks Rate Limit.

* Strips headers.

4. Backend: APIM calls function-products (Internal).

5. Response: Function -> APIM -> User.
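The checks in step 3 of the traffic flow and in the Security strategy (rate limiting to 100 calls/minute, JWT validation against Azure AD B2C, stripping headers) all live in the APIM policy document attached to the API. The policy below is an added example, not a policy from the original design: the B2C tenant name, user-flow name, tenant id, API client id and scope name are placeholders, and the backend response headers chosen for removal are assumptions.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject the request at the gateway unless it carries a valid B2C token.
             Placeholders: <tenant>, <user-flow>, <tenant-id>, <api-client-id>. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      require-scheme="Bearer"
                      require-expiration-time="true"
                      require-signed-tokens="true">
            <openid-config url="https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<user-flow>/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience><api-client-id></audience>
            </audiences>
            <issuers>
                <issuer>https://<tenant>.b2clogin.com/<tenant-id>/v2.0/</issuer>
            </issuers>
            <required-claims>
                <!-- Assumed scope name; the token must grant read access to /products -->
                <claim name="scp" match="any" separator=" ">
                    <value>products.read</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- 100 calls per 60-second window, counted per subscription key -->
        <rate-limit calls="100" renewal-period="60" />
        <!-- The subscription key is a gateway credential; the backend must never see it -->
        <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
        <!-- The bearer token has already been validated; drop it so a compromised
             backend cannot replay it (only valid if the backend does not need it) -->
        <set-header name="Authorization" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Strip fingerprinting headers leaked by the backend (assumed header names) -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
        <set-header name="Server" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Ordering matters here: `validate-jwt` runs before `rate-limit`, so a request without a valid token is rejected with 401 and never consumes the subscription's quota. `rate-limit` needs a subscription context, so it pairs with the "Subscription required" setting left on for the API; if that setting is switched off for testing (as in Phase 5 of the runbook), swap it for `rate-limit-by-key` with an explicit counter key such as the caller's IP address. The subscription-key check itself is performed by the gateway before any policy executes, which is why the example only has to remove the header rather than verify it.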

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Spoke VNet

1. Search: "Virtual networks" -> + Create.

2. Resource Group: rg-apim-spoke.

3. Name: vnet-apim-spoke.

4. Region: East US.

5. Subnets:

* snet-apim: 10.1.1.0/24.

* snet-backend: 10.1.2.0/24.

6. Create.

Phase 2: Create APIM

1. Search: "API Management services" -> + Create.

2. Name: apim-corp-prod-[uniqueid].

3. Resource Group: rg-apim-spoke.

4. Location: East US.

5. Pricing tier: Developer (For Lab) or Premium (For Prod VNet).

* *Note: Standard V2 also supports VNet now, but check availability.*

6. Create.

* *Warning: This takes 45-60 minutes.*

Phase 3: Configure Network (Internal Mode)

1. Once created, go to Network (left menu).

2. Virtual network: Click Enable.

3. Connectivity type: Internal (Only accessible from VNet/Peered).

4. Virtual network: vnet-apim-spoke.

5. Subnet: snet-apim.

6. Save.

* *Warning: This triggers a 15-30 minute update.*

Phase 4: Add API

1. Go to APIs -> + Add API.

2. HTTP:

* Display name: Echo API.

* Web service URL: http://echo.jsontest.com.

* API URL suffix: echo.

3. Create.

Phase 5: Test (from Internal VM)

1. Since APIM is Internal, you cannot test from the Portal "Test" tab unless you are on a VM in the VNet (or have VPN).

2. Login to a VM in the Hub or Spoke.

3. Curl: curl http://10.1.1.5/echo/key/value.

* *Note: You might need to uncheck "Subscription required" in Settings for simple testing.*