How to 3M (Manage, Monitor and Monetize) APIs using Azure API Management
In my previous article, I walked step by step through how to build APIs from scratch using Visual Studio Code with Python, Azure Functions and Cosmos DB.
In this article, I’d like to share how to use Azure API Management to manage, monitor, secure and monetize the APIs that we created earlier.
What is API Management
API Management is a process that helps you manage APIs, which typically act as the functions or logic for specific use cases. For example, a bank may have a backend service that creates new customer data, a service that inquires about interest rates, and a service that checks a customer’s creditworthiness.
These backend services are usually used by internal systems. In certain scenarios we need to expose them externally, and this is where we must make sure the APIs are securely managed and governed. API Management provides the capabilities to secure the APIs, by allowing only certain users to access them and by publishing only the necessary APIs for external parties to consume. API Management also provides capabilities to monitor the APIs (analyzing trends and consumption) and to monetize them by setting up pricing rules. An API Management solution usually also provides a portal where developers can call and test the APIs in a provided sandbox.
An API Management solution typically consists of the following components: API Gateway, API Authoring/Publishing tool, Reporting & Analytics, Developer Portal and Monetization.
API Gateway
Within the API Management solution, the API Gateway is a server that acts as the API front end: it receives API requests, enforces throttling and security policies, passes requests to the back-end service and then passes the response back to the requester.
API Publishing Tool
A tool to create and define APIs from scratch or from OpenAPI, WADL or WSDL specifications, generate API documentation, govern API usage through access and usage policies, and test and debug the execution of APIs, including security testing.
Developer Portal
A portal that gives developers a single convenient source of information and functionality, including documentation, tutorials, sample code, software development kits, and an interactive API console and sandbox to trial APIs.
Reporting & Analytics
Monitors API usage and load, such as API calls, completed transactions, number of data objects returned, amount of compute time and other internal resources consumed, and volume of data transferred.
Monetization
API Management also provides functionality to support charging for access to commercial APIs. This can include support for setting up pricing rules based on usage, load and functionality.
Azure API Management Services
Azure API Management Services is a hybrid API Management platform that can manage APIs across different clouds and on-premises. One advantage of using Azure API Management is that you can quickly turn existing services built on Azure services such as Azure Functions and App Services into REST APIs.
In this exercise, we will extend the APIs that were created in the earlier articles.
Outline
In this tutorial, we will go through the following steps:
- Create a new API Management service on the Azure portal.
- Define APIs
- Create policies
- Monitor the APIs
Prerequisites
- Azure account with a valid subscription — https://portal.azure.com
- Source codes — https://github.com/echoesian/azure-function
Create a New API Management Service
After logging in to the Azure portal, go to API Management services by typing the name in the search bar at the top.
On the API Management services page, click on the Add button. This brings you to the Create API Management page.
Choose the subscription and the resource group that you want the resource to reside in. Create a new resource group if necessary.
Choose the region of your choice, enter a resource name, organization name and the administrator email.
In the pricing tier section, there are several options to choose from. The Developer pricing tier is the cheapest option, or free depending on usage, but it has no SLA, so it is not recommended for production.
Click the Review + create button.
If validation passes, click on the Create button to provision the new API Management service instance.
Define APIs
After the new API Management service instance has been created, you can navigate to the APIs section to define APIs.
In the APIs section, there are several ways to add APIs: from an OpenAPI, WADL or WSDL specification, from an existing Logic App, App Service or Function App, or from scratch using the Blank API option. In this example, we will use the Function App option to create the API from the existing REST APIs that were created earlier on the Function App.
On the Create from Function App dialog, choose the existing Function App by clicking on the browse button. This will bring you to the Import Azure Functions page.
On the Import Azure Functions page, click on the Configure required settings button and choose the Function App that was created in the previous blog. For example, in my case, the Function App name is “serverless-python”. Once it is selected, you should see all the available functions to choose from.
These functions should include “CreateUser” and “GetUsers”. Select both of them and click Select.
Back in the dialog, you can enter the display name and name of the API or leave them as default. Click Create. Notice that the Base URL is automatically assigned to you using the Azure default API DNS name.
Delete the CreateUser API (POST method) and GetUsers (POST method) as we are only interested in defining the API for CreateUser on GET and GetUsers on GET.
Both of the APIs should look like the above now.
Next, we need to configure both APIs. Let’s start by configuring the first one, CreateUser.
Click on the Definitions tab.
On the operations tab, on the Frontend section, click on the pencil icon to open the form-based editor.
On this page, you can change the display name and URL. Notice that the URL is the path that will eventually be used to call the API. Leave it as default. Scroll to the bottom of the page to reach the Query configuration.
Add a parameter to the Query parameters. Key in “name” as the Name parameter and any name for the Values parameter. Click Save. To test the API, on the top bar, click on the Test tab.
On the Test page, choose the value of the name from the dropdown list box. Click Send.
If the call is successful, you should see a 200 OK response.
Throttling
One of the most popular features of an API Management solution is the ability to control the incoming request traffic to the API Gateway.
APIs can be overwhelmed by calls, so being able to throttle incoming requests is a key capability of an API Management tool. It protects the APIs from being abused or overused. In Azure API Management, you can use rate limits or quotas to control the API calls.
Rate limits
Rate limits are usually used to protect against short and intense volume bursts. For example, if you know your backend service has a bottleneck at its database under a high call volume, you could set a rate-limit-by-key policy so that a high call volume is not allowed through.
Quotas
Quotas are usually used for controlling call rates over a longer period of time. For example, they can set the total number of calls that a particular subscriber can make within a given month. For monetizing your API, quotas can also be set differently for tier-based subscriptions. For example, a Basic tier subscription might be able to make no more than 10,000 calls a month but a Premium tier could go up to 100,000,000 calls each month.
Within Azure API Management, rate limits are typically propagated faster across the nodes to protect against spikes. In contrast, usage quota information is used over a longer term and hence its implementation is different.
In this section, we will use a rate limit to control the traffic. A rate limit can control traffic based on IP address, user identity or client header, but in this case we will just use it to blanket control the traffic.
Go to the APIs section, click on the API name and, in the Design section, click on the GetUsers operation. Under Inbound processing, click on the policy code editor.
On the policy code editor, enter a new line after the set-backend-service and input the following:
<rate-limit calls="10" renewal-period="30" />
This limits the calls to a maximum of 10 during the time interval, in seconds, set by “renewal-period”.
To test this, go to the Test section. Scroll to the bottom of the screen and click Send more than 10 times in a row. Once there have been more than 10 calls, you should see an error in the HTTP response: 429 Too Many Requests.
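The per-key rate limit and the tiered quota described above, combined in one inbound policy. This is an added example, not taken from the original article: the client IP address and subscription ID as counter keys and the 30-day renewal period (2592000 seconds) are assumptions, while the call counts are the figures used in the text.

```xml
<policies>
    <inbound>
        <base />
        <!-- The set-backend-service element generated by the Function App
             import stays here, unchanged. -->

        <!-- Burst protection: at most 10 calls per 30 seconds, counted
             separately for each client IP address (assumed key). -->
        <rate-limit-by-key calls="10"
                           renewal-period="30"
                           counter-key="@(context.Request.IpAddress)" />

        <!-- Long-term cap for a Basic tier product: 10,000 calls per
             subscription per 30 days (assumed period, in seconds). -->
        <quota-by-key calls="10000"
                      renewal-period="2592000"
                      counter-key="@(context.Subscription.Id)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A caller that exceeds the rate limit receives 429 Too Many Requests, while one that exhausts the quota receives 403 Forbidden. Clients that reach the gateway through a shared proxy or NAT share one IP-keyed counter, so a subscription or user identity key isolates callers more reliably.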
Monitoring
Lastly, we want to monitor and analyze the API Management instance. For example, we can see how many requests were made in a particular period, data transfer rates, response times, etc.
Summary
There are many other capabilities available in Azure API Management as well, such as publishing and designing the Developer portal, grouping the APIs into categories/products, user identity and authentication, certificates, etc.