Azure API Management Feature Roundup
There have been a bunch of new releases and feature enhancements to the Azure API Management service over the last year, so it can be hard to keep track of everything. Here's my attempt to get you up-to-date as of mid-June 2023.
In addition, here are some related sessions from Microsoft Build if you want to learn more:
GraphQL: New services and tools for building API-driven apps
Increase developer velocity with Azure SQL Database from data to API
Azure API Center (preview)
Announced last week at Microsoft Build, Azure API Center will let you create a true API catalog for your organization for better API discovery, reuse, governance, and security.
Our team hasn't been given access to this new service, so while we don't have hands-on experience yet, the core capabilities sound like they'll help solve a lot of problems for customers:
API Inventory Management — Inventory all APIs across your business regardless of type (REST, SOAP, GraphQL, gRPC), deployment location, or API management solution.
Real-world API Representation — Capture information about your APIs, including versions, specifications, deployments, and environments.
Metadata Properties — Describe and enrich your cataloged APIs using built-in and custom metadata, compatible with JSON and YAML schema specs.
Workspaces — Administer access to APIs with role-based access control and workspaces to scope access to teams.
Integration with Microsoft Defender for APIs
Part of Microsoft Defender for Cloud, Defender for APIs (in preview) provides protection, detection, and response coverage for APIs hosted in Azure API Management, including:
API inventory
Security findings, such as if APIs are available externally, unused, or unauthenticated
Security recommendations to harden at-risk attack surfaces
Classify API data as sensitive to prioritize risks
Monitor API traffic in real time for anomalies and OWASP API Top 10 threats
Integrate with your security information and event management (SIEM) system
Overview of the Microsoft Defender for APIs plan in Microsoft Defender for Cloud
API Management Workspaces (preview)
Workspaces in Azure API Management allow platform teams to manage and monitor a centralized API Management service while giving developer teams the autonomy to publish APIs within a workspace without interfering with other teams also working on the shared instance.
One common use case for API Management Workspaces is to consolidate multiple Azure API Management instances in use across the enterprise into a single shared instance for cost savings and better governance and security.
Synthetic GraphQL
Synthetic GraphQL lets you use your existing REST and SOAP APIs as data sources to offer a GraphQL API to development teams that use GraphQL in their client applications.
Azure API Management Authorizations
API Management Authorizations unbundle and abstract the OAuth 2.0 authorization process by managing the token lifecycle for you without requiring any coding.
This feature opens a few different scenarios that were previously difficult, including:
Proxy requests to a SaaS service backend through Azure API Management
Proxy requests to GraphQL federation backends
Use APIs in Azure API Management as Logic Apps custom connectors
Azure AD token policy in APIM
The validate-jwt policy is commonly used to validate JSON Web Tokens in Azure API Management before passing them to backend services. Now organizations using Azure AD as their identity provider can use the validate-azure-ad-token policy for easier integration and to take advantage of AAD-specific features.
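The two policies side by side, as an added example that is not from the original post: the same Azure AD check written first with validate-jwt and then with validate-azure-ad-token. The named values {{aad-tenant-id}}, {{api-app-id}} and {{client-app-id}} and the Orders.Read role are placeholders, and the issuer shown assumes the API accepts v2.0 access tokens.

```xml
<!-- Added example. {{aad-tenant-id}}, {{api-app-id}}, {{client-app-id}} and the
     Orders.Read role are placeholder values, not taken from the post. -->

<!-- Option A: generic validate-jwt. You supply the OpenID metadata URL and the
     issuer yourself (v2.0 token format assumed here). -->
<validate-jwt header-name="Authorization" require-scheme="Bearer"
              failed-validation-httpcode="401"
              failed-validation-error-message="Unauthorized">
    <openid-config url="https://login.microsoftonline.com/{{aad-tenant-id}}/v2.0/.well-known/openid-configuration" />
    <audiences>
        <audience>{{api-app-id}}</audience>
    </audiences>
    <issuers>
        <issuer>https://login.microsoftonline.com/{{aad-tenant-id}}/v2.0</issuer>
    </issuers>
    <required-claims>
        <claim name="roles" match="any">
            <value>Orders.Read</value>
        </claim>
    </required-claims>
</validate-jwt>

<!-- Option B: validate-azure-ad-token. The tenant ID replaces the metadata URL
     and issuer list, and the calling applications are allow-listed by ID. -->
<validate-azure-ad-token tenant-id="{{aad-tenant-id}}" header-name="Authorization"
                         failed-validation-httpcode="401"
                         failed-validation-error-message="Unauthorized">
    <client-application-ids>
        <application-id>{{client-app-id}}</application-id>
    </client-application-ids>
    <audiences>
        <audience>{{api-app-id}}</audience>
    </audiences>
    <required-claims>
        <claim name="roles" match="any">
            <value>Orders.Read</value>
        </claim>
    </required-claims>
</validate-azure-ad-token>
```

Use one or the other in the inbound section, not both. In either form, keep the audience and role checks so that a token issued by the same tenant for a different API is rejected.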
Private Link support for inbound traffic in APIM
For years, you needed the Premium tier of API Management to connect to an Azure Virtual Network in production. Private Link support gives some capabilities to the Basic and Standard tiers of APIM by letting you make the API gateway component only accessible via a VNet instead of the internet.
While this is helpful for a few scenarios, I talk to more customers interested in support for outbound traffic, allowing non-Premium APIM instances to connect to servers with private addresses in the Virtual Network or on-premises and use them as API backends. This feature is being worked on.
Request/Response Validation Policy
The well-named validate-content policy validates the size or content of a request or response body against JSON, XML, or SOAP schemas. This helps you reduce the attack surface of your APIs by blocking or logging requests or responses that don't match the declared schema.
Common usage of validate-content policy in APIM - Microsoft Community Hub
Reusable Policy Fragments
Policy Fragments let you create reusable XML code snippets that can be incorporated into a larger API Management policy definition.
Policy Fragments are centrally managed and let you update one item that is then applied to every policy where it's used.
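An added example, not from the original post, of a fragment and a policy that includes it. The fragment ID harden-response-headers and the specific headers are assumptions chosen for illustration.

```xml
<!-- Added example. Fragment stored centrally under the hypothetical ID
     "harden-response-headers". -->
<fragment>
    <!-- Remove headers that disclose the backend technology -->
    <set-header name="X-Powered-By" exists-action="delete" />
    <set-header name="X-AspNet-Version" exists-action="delete" />
    <!-- Require HTTPS on subsequent requests -->
    <set-header name="Strict-Transport-Security" exists-action="override">
        <value>max-age=31536000; includeSubDomains</value>
    </set-header>
</fragment>

<!-- Any API, product or global policy can then pull the fragment in by ID. -->
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <include-fragment fragment-id="harden-response-headers" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Editing the fragment changes the behavior of every policy that includes it, so fragment changes deserve the same review as a change to the global policy.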
Azure Policy Built-in Definitions for APIM
Azure Policy now has 16 built-in policy definitions for Azure API Management, allowing you to enforce the use of encryption, authentication, and private networks, among others.
Written by
Jason Berberich
Data, Apps & AI Specialist @ Microsoft. I help customers build apps with AI and modernize their data & analytics workloads.