Azure API Gateway Management and Monitoring Made Easy

Managing and monitoring Azure API Gateway can be overwhelming, but it doesn't have to be. Azure API Gateway provides a built-in feature called API Gateway metrics, which allows you to track and monitor API traffic, latency, and other key performance indicators.

This feature provides detailed insights into API performance, helping you identify potential issues and make data-driven decisions to optimize your API's performance.

API Gateway metrics can be viewed in the Azure portal, giving you a centralized location to monitor and analyze your API's performance.

Azure API Gateway also supports integration with Azure Monitor, a powerful monitoring and analytics service that provides a unified view of your entire Azure environment.

To authenticate the connection between your self-hosted gateway and the cloud-based API Management instance, you have two options: Microsoft Entra authentication and Gateway access token (also called authentication key). Microsoft Entra authentication allows you to configure one or more Microsoft Entra apps for access to the gateway, manage access separately per app, and configure longer expiry times for secrets in accordance with your organization's policies.

You can also use the Gateway access token, which expires every 30 days at maximum and must be renewed in the containers. This token is backed by a gateway key that can be rotated independently, for example, to revoke access. Regenerating the gateway key invalidates all access tokens created with it.

To handle authentication and authorization through Azure AD / Entra ID, you need to create app roles for the app registration and select allowed member types as Both (Users/Groups and Applications). You can then add users and groups to the app roles and navigate to the overview to select the service principal.

Managing Cipher Suites is a crucial aspect of ensuring the security of your self-hosted gateway. This is especially true when dealing with sensitive data, as the wrong cipher suite can leave your system vulnerable to attacks.

You can manage the ciphers used by the self-hosted gateway through the configuration. Specifically, you can define a comma-separated list of ciphers to use for the TLS connection between the API client and the self-hosted gateway using the `net.server.tls.ciphers.allowed-suites` property.

As of v2.1.1 and above, you can customize the cipher suites used by the self-hosted gateway. This allows you to tailor the security settings to your specific needs.

To do this, you'll need to specify the exact cipher suites you want to use. You can find a list of available cipher suites in the documentation. Some examples of cipher suites include `TLS_AES_256_GCM_SHA384` and `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`.

Here's a list of available cipher suites:

You can also manage the cipher suites used for the TLS connection between the self-hosted gateway and the backend using the `net.client.tls.ciphers.allowed-suites` property. This allows you to define a comma-separated list of ciphers to use for this specific connection.

To ensure your Azure API Gateway is secure, you can enable private connectivity to the v2 configuration endpoint from the location of the self-hosted gateway, for example, using a private DNS in a peered network.

If you need to connect to the v2 configuration endpoint over the internet, configure a custom hostname for the configuration endpoint, and expose the endpoint using Application Gateway.

If connectivity to Azure is lost, the self-hosted gateway will be unable to receive configuration updates, report its status, or upload telemetry.

The self-hosted gateway is designed to "fail static" and can survive temporary loss of connectivity to Azure, but it's essential to consider local configuration backup to minimize downtime.

If local configuration backup is turned off and connectivity to Azure is interrupted, stopped self-hosted gateways won't be able to start, but running self-hosted gateways will continue to function using an in-memory copy of the configuration.

If local configuration backup is turned on and connectivity to Azure is interrupted, stopped self-hosted gateways will be able to start using a backup copy of the configuration, and running self-hosted gateways will continue to function using an in-memory copy of the configuration.

To ensure internal APIs are not exposed to the internet, you can connect your APIM instance to a virtual network, allowing internal APIs to be accessed only through the APIM gateway.

Here are some key considerations for networking and connectivity:

You can deploy the self-hosted gateway into the same environments where the backend API implementations are hosted, allowing API traffic to flow directly to the backend APIs, reducing latency and optimizing data transfer costs.

To automate deployments, you can use infrastructure as code (IaC) tools like Azure Resource Manager (ARM) templates, Terraform, or Azure CLI scripts.

For a unified management experience, all self-hosted gateways are managed from the API Management service they're federated with, providing customers with visibility across all internal and external APIs.

Cloud Management is a crucial aspect of deployment and management. Organizations can efficiently and securely manage APIs hosted on-premises and across clouds from a single API Management service in Azure.

With the self-hosted gateway feature, customers have the flexibility to deploy a containerized version of the API Management gateway component to the same environments where they host their APIs. This allows API traffic to flow directly to the backend APIs, reducing latency and optimizing data transfer costs.

Each API Management service is composed of three key components: the Management plane, Gateway, and Developer portal. The Management plane is exposed as an API, used to configure the service via the Azure portal, PowerShell, and other supported mechanisms.

The Gateway, or data plane, is responsible for proxying API requests, applying policies, and collecting telemetry. By default, all these components are deployed in Azure, causing API traffic to flow through Azure regardless of where backends implementing the APIs are hosted.

Deploying self-hosted gateways into the same environments where the backend API implementations are hosted allows API traffic to flow directly to the backend APIs. This reduces latency, optimizes data transfer costs, and enables compliance while retaining the benefits of having a single point of management, observability, and discovery of all APIs within the organization.

Here are the key components of an API Management service:

As you explore the deployment options for your self-hosted gateway, you'll notice the importance of tags. Our official deployment options in the Azure portal use the v2 tag, which allows customers to use the most recent version of the self-hosted gateway v2 container image with all feature updates and patches.

The v2 tag is a great choice for those who want to stay up-to-date with the latest features and patches. By using this tag, you can ensure your gateway is running with the most recent version of the container image.

If you're installing with our Helm chart, image tagging is optimized for you. The Helm chart's application version pins the gateway to a given version and doesn't rely on the latest version.

Here's a quick rundown of the different tag conventions and their recommendations:

Remember, preview versions aren't officially supported and are for experimental purposes only.

API Management offers several tiers to suit different organizational needs. The Basic v2 tier is ideal for teams and projects, while the Standard v2 tier is perfect for starting an organizational API program that scales as it grows.

The Premium v2 tier, which is currently in preview, is designed for operating an enterprise-grade API program. It offers unlimited API requests, 5 GB of cache per region, and a 99.99% Service Level Agreement (SLA).

Here's a breakdown of the key features for each tier:

Each tier has its own set of features and limitations, so it's essential to choose the one that best fits your organization's needs.

You can call API operations directly from the Azure portal, which provides a convenient way to view and test the operations. This is a great way to get started with the new API.

To test the new API in the Azure portal, follow these steps: In the left navigation of your API Management instance, select APIs > Swagger Petstore.Select the Test tab, and then select Finds Pets by status.Select Send.

The backend responds with 200 OK and some data, showing that the API is working correctly. This is a great way to test the API without having to write any code.

You can also use the Azure portal to test API calls using a subscription key scoped to a product. This allows you to test the API with different keys and see how it behaves.

The Azure portal provides a convenient way to view and test the operations, making it a great tool for developers and testers.