Azure API Management Feature Roundup

There have been a bunch of new releases and feature enhancements to the Azure API Management service over the last year, so it can be hard to keep track of everything. Here's my attempt to get you up-to-date as of mid-June 2023.

In addition, here are some related sessions from Microsoft Build if you're wanting to learn more:

Azure API Center (preview)

Announced last week at Microsoft Build, Azure API Center will let you create a true API catalog for your organization for better API discovery, reuse, governance, and security.

Our team hasn't been given access to this new service, so while we don't have hands-on experience yet, the core capabilities sound like they'll help solve a lot of problems for customers:

  • API Inventory Management — Inventory all APIs across your business regardless of type (REST, SOAP, GraphQL, gRPC), deployment location, or API management solution.

  • Real-world API Representation — Capture information about your APIs, including versions, specifications, deployments, and environments.

  • Metadata Properties — Describe and enrich your cataloged APIs using built-in and custom metadata, compatible with JSON and YAML schema specs.

  • Workspaces — Administer access to APIs with role-based access control and workspaces to scope access to teams.

Integration with Microsoft Defender for APIs

Part of Microsoft Defender for Cloud, Defender for APIs (in preview) provides protection, detection, and response coverage for APIs hosted in Azure API Management, including:

  • API inventory

  • Security findings, such as if APIs are available externally, unused, or unauthenticated

  • Security recommendations to harden at-risk attack surfaces

  • Classify API data as sensitive to prioritize risks

  • Monitor API traffic in real time for anomalies and OWASP API Top 10 threats

  • Integrate with your security information and event management (SIEM) system

Overview of the Microsoft Defender for APIs plan in Microsoft Defender for Cloud

API Management Workspaces (preview)

Workspaces in Azure API Management allow platform teams to manage and monitor a centralized API Management service while giving developer teams the autonomy to publish APIs within a workspace without interfering with other teams also working on the shared instance.

Screenshot of creating an API Management workspace in the portal.

One common use case for API Management Workspaces is to consolidate multiple Azure API Management instances in use across the enterprise into a single shared instance for cost savings and better governance and security.

Synthetic GraphQL

Synthetic GraphQL lets you use your existing REST and SOAP APIs as data sources for a GraphQL API, which you can then offer to development teams that use GraphQL in their client applications.

Azure API Management Authorizations

API Management Authorizations unbundle and abstract the OAuth 2.0 authorization process by managing the token lifecycle for you without requiring any coding.

This feature opens a few different scenarios that were previously difficult, including:

  • Proxy requests to a SaaS service backend through Azure API Management

  • Proxy requests to GraphQL federation backends

  • Use APIs in Azure API Management as Logic Apps custom connectors

Azure AD token policy in APIM

The validate-jwt policy is commonly used to validate JSON Web Tokens in Azure API Management before passing them to backend services. Now organizations using Azure AD as their identity provider can use the validate-azure-ad-token policy for easier integration and to take advantage of AAD-specific features.

For years, you needed the Premium tier of API Management to connect to an Azure Virtual Network in production. Private Link support gives some capabilities to the Basic and Standard tiers of APIM by letting you make the API gateway component only accessible via a VNet instead of the internet.

Architecture diagram showing Azure API Management connected to a VNet using a Private Endpoint.

While this is helpful for a few scenarios, I talk to more customers interested in support for outbound traffic, allowing non-Premium APIM instances to connect to servers with private addresses in the Virtual Network or on-premises and use them as API backends. This feature is being worked on.

Request/Response Validation Policy

The well-named validate-content policy validates the size or content of a request or response body against JSON, XML, or SOAP schemas. This helps you reduce the attack surface of your APIs by blocking or logging requests or responses that don't match the declared schema.

Common usage of validate-content policy in APIM - Microsoft Community Hub
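As an added example (mine, not part of the original post), here is a policy that blocks non-conforming requests while only recording non-conforming responses. The 65536-byte limit and the two variable names are assumptions chosen for illustration; with no schema-id given, JSON bodies are checked against the schema in the API definition.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject oversized bodies and bodies sent with a content type the API does not declare.
             max-size is in bytes; 65536 is an example limit. -->
        <validate-content unspecified-content-type-action="prevent"
                          max-size="65536"
                          size-exceeded-action="prevent"
                          errors-variable-name="requestBodyValidation">
            <!-- JSON bodies are checked against the schema in the API definition;
                 properties the schema does not list are rejected. -->
            <content type="application/json"
                     validate-as="json"
                     action="prevent"
                     allow-additional-properties="false" />
        </validate-content>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Responses: record mismatches in the variable without blocking the reply. -->
        <validate-content unspecified-content-type-action="ignore"
                          max-size="65536"
                          size-exceeded-action="detect"
                          errors-variable-name="responseBodyValidation">
            <content type="application/json" validate-as="json" action="detect" />
        </validate-content>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Starting responses in detect mode lets you review what would have been blocked before switching to prevent.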

Reusable Policy Fragments

Policy Fragments let you create reusable XML code snippets that can be incorporated into a larger API Management policy definition.

Policy Fragments are centrally managed and let you update one item that is then applied to every policy where it's used.
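Here is what that looks like in practice, as an added example that is not from the original post. The fragment id `response-hardening` and the specific headers are my own choices for illustration.

```xml
<!-- Policy fragment, saved with the hypothetical id "response-hardening" -->
<fragment>
    <!-- Remove headers that disclose the backend stack -->
    <set-header name="X-Powered-By" exists-action="delete" />
    <set-header name="X-AspNet-Version" exists-action="delete" />
    <!-- Tell browsers to use HTTPS for this host for one year -->
    <set-header name="Strict-Transport-Security" exists-action="override">
        <value>max-age=31536000; includeSubDomains</value>
    </set-header>
</fragment>

<!-- In any API or operation policy: pull the fragment into the outbound section -->
<outbound>
    <base />
    <include-fragment fragment-id="response-hardening" />
</outbound>
```

Editing the fragment once changes the behavior of every policy that includes it, so treat fragment changes with the same review you would give a global policy change.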

Azure Policy Built-in Definitions for APIM

Azure Policy now has 16 built-in policy definitions for Azure API Management, allowing you to enforce the use of encryption, authentication, and private networks, among others.