# AZ-204: Implement API Management

In [1]:
import sys
sys.path.append('./../utils')
import ai

## Explore API Management

In [2]:
%%question
The security team of Contoso Inc noticed a particular IP Address is firing thousands of the requests against your API, 
hosted on Azure App Service. What would do?

1. **Identify** the IP address causing the issue.
2. **Block** the IP using Azure App Service's IP restrictions.
3. **Implement** rate limiting to prevent future abuse.
4. **Monitor** traffic for further suspicious activity.
5. **Review** API logs to understand the attack pattern.
6. **Update** security protocols as needed.

In [3]:
%%learn
https://learn.microsoft.com/en-us/training/modules/explore-api-management/

https://learn.microsoft.com/en-us/training/modules/explore-api-management/1-introduction
https://learn.microsoft.com/en-us/training/modules/explore-api-management/2-api-management-overview
https://learn.microsoft.com/en-us/training/modules/explore-api-management/3-api-gateways
https://learn.microsoft.com/en-us/training/modules/explore-api-management/4-api-management-policies
https://learn.microsoft.com/en-us/training/modules/explore-api-management/5-create-advanced-policies
https://learn.microsoft.com/en-us/training/modules/explore-api-management/6-secure-access-api-subscriptions
https://learn.microsoft.com/en-us/training/modules/explore-api-management/7-secure-access-api-certificates


('',
 'https://learn.microsoft.com/en-us/training/modules/explore-api-management/\n')

In [4]:
%%question
What is the purpose of API Management?

The purpose of **API Management** is to help organizations **publish** APIs to external, partner, and internal developers, unlocking the potential of their data and services. It provides core functionality such as developer engagement, business insights, analytics, security, and protection to ensure a successful API program.

In [5]:
%%question
If I dont' use API Management, what are some of the challenges I might face?

If you don't use **API Management**, you might face several challenges, including:

1. **Complex Client Code**: Clients need to manage multiple endpoints and handle failures themselves.
2. **Tight Coupling**: Clients become tightly coupled to backend services, making maintenance and refactoring difficult.
3. **Security Concerns**: Each service must handle authentication, SSL, and rate limiting individually, increasing the risk of vulnerabilities.
4. **Scalability Issues**: It can be challenging to apply consistent policies such as rate limiting and caching across different services.
5. **Increased Attack Surface**: Exposing services directly can increase the potential for attacks.
6. **Protocol Limitations**: Services need to expose client-friendly protocols, which can limit protocol choices.

WSDL? Webservices Description Language - XML SOAP

In [6]:
%%question
What are the different components of API Management Service?

The different components of the **API Management Service** are:

1. **API Gateway**: 
   - Accepts API calls and routes them to appropriate backends.
   - Verifies API keys and enforces usage quotas and rate limits.
   - Transforms requests and responses, and caches responses.
   - Emits logs, metrics, and traces for monitoring.

2. **Management Plane**:
   - Administrative interface for setting up and configuring API programs.
   - Manages API schemas, packages APIs into products, and sets up policies.
   - Provides analytics and user management.

3. **Developer Portal**:
   - Customizable website with API documentation.
   - Allows developers to read documentation, call APIs, manage API keys, and access analytics.

In [7]:
%%question
What is the purpose of API Gateway?

The purpose of an **API Gateway** is to act as a **reverse proxy** that sits between clients and services. It manages API requests by routing them to the correct backend services, applying policies, and handling tasks such as **authentication**, **SSL termination**, and **rate limiting**. It helps **decouple clients from services**, improving security, scalability, and maintainability of the API infrastructure.

In [8]:
%%question
What types of gateways are available in API Management?

In API Management, there are two types of gateways available:

1. **Managed Gateway**:
   - The default gateway component deployed in Azure for every API Management instance.
   - All API traffic flows through Azure.

2. **Self-hosted Gateway**:
   - An optional, containerized version of the managed gateway.
   - Useful for hybrid and multicloud scenarios, allowing gateways to run outside of Azure in the same environments where API backends are hosted.

In [9]:
%%question
What is the cost of running a managed gateway?

The cost of running a **managed gateway** in Azure API Management depends on the **pricing tier** you choose. Azure offers several pricing tiers, each with different capacities and features, such as the **Developer**, **Basic**, **Standard**, **Premium**, and **Consumption** tiers. Each tier has its own pricing structure based on factors like request volume, features, and geographic regions. For specific pricing details, it's best to refer to the [Azure Pricing Calculator](https://azure.microsoft.com/en-us/pricing/calculator/) or the Azure pricing page.

In [10]:
%%question
What is the cost of running a self-hosted gateway?

The cost of running a **self-hosted gateway** in Azure API Management involves licensing fees based on the number of gateway units you deploy. You'll need to purchase a license for each self-hosted gateway instance. Additionally, since self-hosted gateways can run outside of Azure, you may incur infrastructure costs depending on where you host them. Pricing specifics can vary, so it's advisable to consult the [Azure Pricing Calculator](https://azure.microsoft.com/en-us/pricing/calculator/) or the Azure pricing page for the most accurate and up-to-date information.

In [11]:
%%question
Why is SSL termination usefull in API Management?

**SSL termination** is useful in API Management because it helps simplify the process of handling **secure connections**. By terminating SSL at the API gateway, you can:

1. **Reduce Load on Backend Services**: Offload the SSL decryption process from backend services to the gateway, freeing up resources.

2. **Centralize Security Management**: Manage SSL certificates in one place, making it easier to update and maintain them.

3. **Improve Performance**: By handling encryption and decryption at the gateway, you can speed up communication between the gateway and backend services, especially if they communicate over a private network.

4. **Simplify SSL Certificate Management**: Avoid the need to deploy and manage SSL certificates on each backend service separately.

Client SSL <--> API gateway   < --- HTTPS --- > Backend service

- https://petstore3.swagger.io/api/v3/openapi.json
- http://calcapi.cloudapp.net/calcapi.json 
- https://bigconference.azurewebsites.net/  (make sure to update the backend HTTP endpoint as it will be overwritten)

In [21]:
%%question
What is a product?

A **product** in Azure API Management is a container for one or more APIs that are grouped together and offered to developers. Products are configured with details like a title, description, and terms of use. They can be set as **Open** (accessible without a subscription) or **Protected** (requiring a subscription for access). Products help manage API visibility, access rules, usage quotas, and terms of use, allowing API publishers to control how APIs are consumed.

In [22]:
%%question
What is the relationship between "Developers" (accounts) and "Groups"?

**Developers** in Azure API Management represent the user accounts that consume the APIs. They can be created or invited by administrators or can sign up via the Developer portal.

**Groups** are used to manage the visibility and access of products to developers. Each developer account can be a member of one or more groups. By associating developers with groups, administrators can control which products and APIs the developers can access. This setup allows for organized and efficient management of permissions and access rights within the API Management service.

In [12]:
%%question
What is a Policy?

A **Policy** in Azure API Management is a set of configuration statements that modify the behavior of APIs. Policies are applied at the API gateway and can be used to transform requests and responses, enforce security, implement rate limits, and perform other cross-cutting tasks. They are defined using XML and can be applied at different scopes, such as global, product, API, or API operation levels.

In [13]:
%%question
Where are these policies applied?

These **policies** are applied within the **API gateway** that sits between the API consumer and the backend services. They can be configured at different scopes, such as:

- **Global level**: Affecting all APIs in the API Management instance.
- **Product level**: Affecting all APIs within a specific product.
- **Specific API level**: Affecting a particular API.
- **API operation level**: Affecting specific operations within an API.

This flexibility allows you to tailor the behavior of APIs based on your specific needs.

In [14]:
%%question
Policies can be applied at different scopes. What are the different scopes? What is the meaning of <base/>?

Policies in Azure API Management can be applied at the following **scopes**:

1. **Global Level**: Applies to all APIs in the API Management instance.
2. **Product Level**: Applies to all APIs within a specific product.
3. **API Level**: Applies to a specific API.
4. **API Operation Level**: Applies to specific operations within an API.

The `<base/>` element is used in policy definitions to ensure **deterministic ordering**. When policies are combined from different scopes, the `<base/>` element acts as a placeholder, indicating where the next policy from a broader scope should be inserted. This ensures that policies are applied in the correct sequence.

In [15]:
%%question
Policies can be inbound, outbound, backend or on-error. Can you share an example scenario?

Certainly! Let's consider an example scenario where you want to apply policies to an API that provides weather data:

1. **Inbound Policy**: 
   - **Scenario**: You want to validate the API key and limit the request rate.
   - **Policy**: Use a policy to check for a valid API key and apply a rate limit to control how many requests a user can make in a given time period.

2. **Backend Policy**: 
   - **Scenario**: You want to modify the backend service URL based on a specific condition.
   - **Policy**: Use a policy to route requests to a different backend service if the request is coming from a particular region.

3. **Outbound Policy**: 
   - **Scenario**: You want to transform the response format from XML to JSON.
   - **Policy**: Use a policy to convert the response payload from XML to JSON before sending it back to the client.

4. **On-Error Policy**: 
   - **Scenario**: You want to handle errors gracefully and provide a custom error message.
   - **Policy**: Use a policy to catch errors, log them, and return a friendly error message to the client instead of the default error response.

These policies help you manage and control the behavior of your API at various stages of the request and response lifecycle.

In [17]:
%%question
Can you share an example of a XML fragment for this inbound policy that applies rate limiting. 

Certainly! Here's an example XML fragment for an **inbound policy** that applies **rate limiting** to restrict the number of requests a client can make within a specified time period:

```xml
<inbound>
    <base />
    <rate-limit calls="10" renewal-period="60">
        <quota-by-key name="rate-limit-by-key" counter-key="@(context.Request.Headers.GetValueOrDefault("X-Client-Id", "default"))" />
    </rate-limit>
</inbound>
```

In this example:

- The `rate-limit` policy allows **10 calls** per **60 seconds**.
- The `quota-by-key` statement uses a counter key derived from the "X-Client-Id" header to track requests per client.
- If the client exceeds the limit, further requests within the period are blocked until the counter resets. 

This approach helps control traffic and prevent abuse of your API resources.

In [18]:
%%question
Can you share an example of a XML fragment for a backend policy that can route requests to the appropriate server based on the client's geographical location extracted from the request.

Certainly! Here's an example XML fragment for a **backend policy** that routes requests to different servers based on the client's geographical location, which is extracted from the request:

```xml
<backend>
    <base />
    <choose>
        <when condition="@(context.Request.Headers.GetValueOrDefault("X-Geo-Location", "").Contains("US"))">
            <set-backend-service base-url="https://us-api.example.com" />
        </when>
        <when condition="@(context.Request.Headers.GetValueOrDefault("X-Geo-Location", "").Contains("EU"))">
            <set-backend-service base-url="https://eu-api.example.com" />
        </when>
        <otherwise>
            <set-backend-service base-url="https://global-api.example.com" />
        </otherwise>
    </choose>
</backend>
```

In this example:

- The policy checks the "X-Geo-Location" header in the request to determine the client's geographical location.
- It routes requests to different backend services (`us-api.example.com`, `eu-api.example.com`, or a default `global-api.example.com`) based on whether the location is in the US or EU.
- If the location is not specified or doesn't match any conditions, it defaults to the global server. 

This routing helps optimize performance and compliance with regional requirements.

In [19]:
%%question
Can you share an example of a XML fragment for an outbound policy that transform the response format from XML to JSON for consistency across your APIs. 

Certainly! Here's an example XML fragment for an **outbound policy** that transforms the response format from **XML to JSON**:

```xml
<outbound>
    <base />
    <xml-to-json />
</outbound>
```

In this example, the `xml-to-json` policy is applied in the outbound section, which automatically converts the response payload from XML to JSON format. This transformation helps ensure consistent response formats across your APIs.

In [20]:
%%question
Can you share an example of a XML fragment for an outbound policy that 
- adds a custom header to the response, 
- logs the time taken to process the request,
- and also modifies the response to not include any backend urls.

Certainly! Here's an example XML fragment for an **outbound policy** that accomplishes the tasks you've mentioned:

```xml
<outbound>
    <base />
    <!-- Add a custom header to the response -->
    <set-header name="X-Custom-Header" exists-action="override">
        <value>CustomValue</value>
    </set-header>
    
    <!-- Log the time taken to process the request -->
    <log-to-eventhub logger-id="yourLoggerId">
        @{
            var timeTaken = (DateTime.UtcNow - context.Request.Timestamp.UtcDateTime).TotalMilliseconds;
            return $"Request processed in {timeTaken} ms";
        }
    </log-to-eventhub>
    
    <!-- Modify the response to not include any backend URLs -->
    <find-and-replace from="https://backend.example.com" to="" />
</outbound>
```

In this example:

- The `set-header` policy adds a custom header named "X-Custom-Header" with the value "CustomValue" to the response.
- The `log-to-eventhub` policy logs the time taken to process the request by calculating the difference between the current time and the request timestamp. Replace `"yourLoggerId"` with your actual logger ID.
- The `find-and-replace` policy removes any instances of "https://backend.example.com" from the response, effectively removing backend URLs. You can adjust the `from` and `to` values as needed.

These policies help customize the response and provide additional logging and security enhancements.

In [23]:
%%question
At what level would I implement a policy to do rate limiting? Can you share an example?

You would typically implement a **rate limiting policy** at the **product** or **API level**. This allows you to control the number of requests that can be made to a product containing multiple APIs or to a specific API itself.

Here's an example of a rate limiting policy applied at the API level:

```xml
<inbound>
    <base />
    <rate-limit calls="100" renewal-period="60">
        <quota-by-key name="rate-limit-by-key" counter-key="@(context.Request.Headers.GetValueOrDefault("X-Client-Id", "default"))" />
    </rate-limit>
</inbound>
```

In this example:

- The policy limits requests to **100 calls per minute** (60 seconds).
- The `quota-by-key` statement uses a key derived from the "X-Client-Id" header to apply the rate limit per client.

This policy helps ensure that your API or product is not overwhelmed by too many requests from individual clients.

In [24]:
%%question
What is mocking? How can it be useful? Can you share an example?

**Mocking** in API Management refers to the practice of simulating the API responses without calling the actual backend service. This is useful for testing and development purposes, allowing developers to work on API integration without needing a fully implemented backend or when the backend is unavailable.

**Benefits of Mocking:**
- **Development and Testing**: Allows front-end developers to proceed with their work while the backend is still under development.
- **Reliability**: Provides consistent responses, which is useful for testing how client applications handle responses.
- **Cost Saving**: Reduces costs by not invoking backend services during testing.

**Example of a Mocking Policy:**

```xml
<inbound>
    <base />
    <choose>
        <when condition="@(true)">
            <return-response>
                <set-status code="200" reason="OK" />
                <set-header name="Content-Type" exists-action="override">
                    <value>application/json</value>
                </set-header>
                <set-body>{
                    "message": "This is a mocked response",
                    "data": {
                        "id": 123,
                        "name": "Mocked Item"
                    }
                }</set-body>
            </return-response>
        </when>
    </choose>
</inbound>
```

In this example, the policy intercepts the request and returns a mocked JSON response with a 200 OK status, bypassing the backend service entirely. This allows developers to test their applications' handling of the API response.

In [None]:
%%question
What is a subscription?

In [None]:
%%question
Can you share an example of a subscription key as part of an HTTP request?

In [25]:
%%question
What other ways exists to secure access to the APIs?

Besides using subscription keys, other ways to secure access to APIs include:

1. **OAuth 2.0**: A protocol that allows secure authorization in a simple and standardized way. It provides secure delegated access to APIs.

2. **Client Certificates**: Use Transport Layer Security (TLS) for mutual authentication between the client and the API gateway, verifying client certificates.

3. **IP Filtering**: Restrict access to APIs based on specific IP addresses or ranges, allowing only trusted sources to access the API.

4. **JSON Web Tokens (JWT)**: Validate tokens to ensure the client is authorized to access the API resources.

5. **CORS (Cross-Origin Resource Sharing)**: Control which domains are allowed to access the API, adding an additional layer of security.

These methods can be combined to provide a robust security framework for protecting APIs.

In [26]:
%%question
Can you describe the high level steps to implement OAuth2.0 in API Management?

Certainly! Here are the high-level steps to implement **OAuth 2.0** in API Management:

1. **Register Your Application**: 
   - In your identity provider (e.g., Azure AD, Google, Auth0), register your application to obtain a client ID and client secret.

2. **Configure the Authorization Server in API Management**:
   - Go to the Azure Portal and navigate to your API Management instance.
   - Under "Security," select "OAuth 2.0 + OpenID Connect" and add a new authorization server.
   - Provide the necessary details such as the authorization endpoint, token endpoint, client ID, and client secret.

3. **Set Up the API to Use OAuth 2.0**:
   - In the API Management service, navigate to the API you want to secure.
   - Go to the "Settings" or "Design" section and configure the API to require OAuth 2.0 authentication by associating it with the authorization server you set up.

4. **Update API Policies**:
   - Add policies to validate the access token in incoming requests.
   - Use the `validate-jwt` policy to ensure that requests to the API include a valid JWT token.

5. **Test Your Configuration**:
   - Use a tool like Postman or your client application to request an access token from the authorization server.
   - Make API calls using the obtained access token to verify that only authorized requests are permitted.

These steps provide a secure way to implement OAuth 2.0, ensuring that only authenticated and authorized users can access your APIs.

In [27]:
%%question
Share an example of a validate-jwt policy

Certainly! Here's an example of a `validate-jwt` policy in Azure API Management:

```xml
<inbound>
    <base />
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" require-scheme="Bearer" token-expiration-claim="exp">
        <openid-config url="https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration" />
        <required-claims>
            <claim name="aud">
                <value>your-api-audience</value>
            </claim>
            <claim name="iss">
                <value>https://sts.windows.net/{tenant_id}/</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>
```

In this example:

- The policy validates the JWT found in the `Authorization` header.
- The `openid-config` element points to the OpenID Connect configuration URL for the identity provider.
- The `required-claims` ensure that the token contains specific claims, like `aud` (audience) and `iss` (issuer).
- The policy returns a `401 Unauthorized` response if the token is invalid or missing.

Replace `{tenant_id}` and `your-api-audience` with your specific tenant ID and audience value.

In [28]:
%%question
Can you share an example of a certificate-based authentication policy?

Certainly! Here's an example of a policy for **certificate-based authentication** in Azure API Management:

```xml
<inbound>
    <base />
    <choose>
        <when condition="@(context.Request.Certificate == null)">
            <return-response>
                <set-status code="403" reason="Forbidden" />
                <set-header name="Content-Type" exists-action="override">
                    <value>application/json</value>
                </set-header>
                <set-body>{
                    "error": "Certificate Required",
                    "message": "A client certificate is required for authentication."
                }</set-body>
            </return-response>
        </when>
        <when condition="@(context.Request.Certificate.Thumbprint != "EXPECTED_THUMBPRINT")">
            <return-response>
                <set-status code="403" reason="Forbidden" />
                <set-header name="Content-Type" exists-action="override">
                    <value>application/json</value>
                </set-header>
                <set-body>{
                    "error": "Invalid Certificate",
                    "message": "The client certificate provided is not valid."
                }</set-body>
            </return-response>
        </when>
    </choose>
</inbound>
```

In this example:

- The policy checks if a client certificate is present in the request.
- It verifies the certificate's thumbprint against an expected value (`EXPECTED_THUMBPRINT`).
- If no certificate is present or the thumbprint doesn't match, it returns a `403 Forbidden` response with an error message.

Replace `"EXPECTED_THUMBPRINT"` with the actual thumbprint of the valid client certificate.

In [29]:
%%question
What would be the recommended way to separate dev/test/production environments in API Management?

The recommended way to separate **dev/test/production environments** in API Management is to use **separate API Management instances** for each environment. Here are some key practices:

1. **Separate Instances**: Create distinct API Management instances for development, testing, and production. This ensures isolation and prevents changes in one environment from affecting another.

2. **Environment-Specific Configurations**: Configure each instance with environment-specific settings, such as different backend URLs, policies, and security settings.

3. **Consistent Naming Conventions**: Use consistent naming conventions for APIs, products, and groups across environments to simplify management and transitions.

4. **Automate Deployments**: Use tools like Azure DevOps or GitHub Actions to automate the deployment of API configurations across environments, ensuring consistency and reducing manual errors.

5. **Access Control**: Restrict access to each environment based on user roles. For example, developers might have access to the dev environment, while only select users can access production.

6. **Version Control**: Maintain version control for your API configurations and policies, enabling easier rollbacks and audits across environments.

These practices help ensure that each environment serves its intended purpose and supports a smooth transition from development to production.