Azure API Management (APIM) Demo


Time: 14 hours 28 minutes
Difficulty: Intermediate
CEU/CPE: 15
Video Transcription
Hello, Cybrarians. Welcome to Lesson 6.3 of Module 6 of this course titled AZ301, Microsoft Azure Architect Design. Here are the tasks that we'll be completing in this particular demo. We'll start by creating a new API Management instance or service. We'll then import and publish an existing back-end API into the service. We'll go through the process of transforming the API using an outbound policy. We'll go through the process of protecting the API using an inbound policy. We'll then create an API revision so that we see how revisions work. Let's get into this.

The first thing that I'll be showing you is the creation of a new API Management service, and this is what I currently have. I have a conference API which is hosted on Azure App Service, which is the back-end API, and then I'll be creating an APIM service. Let's go to the Azure portal to do this.

Here I am in the Azure portal, so to create a new APIM service, I click on "Create a resource," and I'll search for API Management. There you go, I select that, and it gives me the option to create that, so I'll click on "Create" and I can specify some details. First, I need to give it a name. I'll call this AZ301 APIM, and that's accepted, so that's good. Then I'll need to specify a resource group for it. I earlier created a resource group called cybrary-mod6-rg, so I'll be using that resource group. I'll leave the location as UK South. I'll specify the organization name, which I'll call Cybrary AZ301. I'll specify an administrator email, which I'll just leave as david@superclouds.xyz. For the pricing tier, you can see the different options that are available; the consumption tier is only available in a few regions. I'll just go ahead and select the developer tier, and I won't be enabling Application Insights for now, so I'll just go ahead and click on "Create." This will take a few minutes to create; I think it could take up to 15-20 minutes to create, so what I'll do is pause the recording. After it's successfully created the APIM service, I'll resume the recording.

The deployment of the APIM service completed successfully, so what I can do is click on "Go to resource" and it takes me to my APIM service here. Let's go back to the slides and then proceed to the next task.

In the next task, I'll show you how to import and publish an API. As a visual representation of what I'll be showing you, we already have our API Management service created. I'm going to be importing my back-end API into the API Management service, and then I'm going to be creating the products, and I'll be associating the imported API with that product, so let's go ahead and do that.

Back in the Azure portal under my APIM service, if I click on the "APIs," what I can do is add a new API. I can create a blank, empty API here; what I'm going to do is select the OpenAPI specification, and I'll change this from basic to full. What I'll be doing here is, I need to specify the URL for my back-end service, and I'll copy that, and then I'll paste that in there. Then I now need to specify a display name; I'll specify the display name as Conference API, and also the name will be Conference API. I'll leave the description alone, that's accurate, so the API itself, it's an API about a technical conference where you can get information around speakers, sessions, and topics for the conference. For the URL scheme, I'll select HTTP. For the API URL suffix, so this is important because I mentioned earlier that when we create an API Management service, we're going to be getting a gateway URL, and that's also the base URL. You can see the base URL there, but the address of the API that I'm going to be importing is going to be the base URL, forward slash, the API URL suffix, so I'll just set this to conferenceapi, so that's good. For the tags I'll leave that, and for the product, by default, there are two products for an API Management service. There's the starter, and there's the unlimited product. I'll be creating my own products, but for now let's go ahead and just select unlimited for now, and I'll just go ahead and click on "Create" and there we go, it's imported my API.

What I can do is I can see on the design, I can see that it's essentially indexed the list of operations that it could find, so you can see the list of operations for the API here. I can see GetSpeakers, GetSessions, so I can click on "Test," and I click on "GetSpeakers," for example. Let's go ahead and test this API, make sure everything is working fine. If I just go ahead and test this, so let's send that, the GetSpeakers operation, and there you go, I get an HTTP 200 OK, and I can see the information about the speakers for the conference, so that's looking good.

The next thing that I'll do is create a product. A product is what we need to create for end users to be able to subscribe to our APIs. If I click on the products, there are two by default; I'll just go ahead and add a new one. I'll call this Cybrary AZ301 APIs, and I'll leave the ID, and I'll give this a description. Actually, I'll just use the display name as the description. I can specify whether this is published or not; by default, it'll be not published, but I can specify published. Does it require a subscription? What that means is for people to be able to consume the APIs within this product, they need to subscribe. In other words, they need to register, and then obtain a subscription, an API key. I can specify that. If I want the subscription to be subject to approval of an administrator, I can select this option, but I'm going to leave this option unselected for now. Subscription count limit means how many concurrent subscriptions can the same user have? I'll just leave that. I can specify some legal information here that users have to agree to for them to be able to consume APIs in this product. Then I can associate APIs with this product. An API can be associated with more than one product. If I go ahead and select, the API is there, I have my conference API, I select that and I'm associating it with this product. I'll go ahead and click on "Create", and that's it, now I have my product that's created.

If I go back on the APIs over here, if I click on "Developer Portal (Legacy)", this takes me to the developer portal. If I click on the "APIs", I can see my API is there, but if I click on the "Products", I can see the products there, so that's my product. Within that product, I should be able to see my conference API. That's good.

The next activity that I'll be showing you involves the transformation of an API using an outbound policy. What I'll do is apply the outbound policy from the back-end to my conference API, so that whenever a client makes a request to the API, it goes straight through the gateway to the back-end service. Whenever a response is generated from the back-end service, in this case the back-end service will generate a response that has certain HTTP headers and has certain references and links within that. As the result is returned back through the API gateway, the outbound policy will be stripping out certain information that I do not want to go to my client. It's going to be hiding all that information and then it's going to send that reply back to the client without that sensitive information included in it. That's what I'll be showing you. Let's go ahead and do that.

I'm back in the Azure portal. The first thing that I will do is, if I go to my conference API, let's go do some tests again. I'll go to GetSpeakers, and I will just go ahead and make this request to trigger that operation. Here's what I want to show you. Number 1 thing I want to show you is I've triggered this operation and I get an HTTP 200, but you can see that information about the X-AspNet-Version and X-Powered-By is included in the returned response from the back-end service. This could potentially be sensitive information. Anyone who has this information could then go look up vulnerabilities for this version of ASP.NET and then try to exploit that. Maybe I want to hide this in the response back to the client, which is what I want to do. The other thing that I want to do is that the response that was sent includes certain references, which have the URL of the back-end service itself. I do not want the end users to have this information about the back-end service URL, so I want to transform these to the URL of the APIM service instead, the gateway. That's what I want to do in this case. Let's get both of those done.

To do that I'll need to configure policies. Let's go under design and if I click on "All operations," so I want to apply this to all operations and I want to apply an outbound policy. Under outbound policy here, if I click on "Policy code editor," and I want to apply an outbound policy. What I'll do is just put a space there. I'll click on "Insert policy" and I'll scroll down to where it says transformation policies, set HTTP header. If I go ahead and select that, it adds that policy in there. What I'll do is make this modification. What I'm doing is I'm adding this outbound policy to say if the header that's received from the back-end service includes this header name, I want you to delete it. I'm doing that for both Powered-By and ASP.NET Version. I will go ahead and save this. That saved.

The other thing that I wanted to do was add another policy to replace the URL. If I go ahead and click on "Outbound policy" again, where it says outbound, I will put a space and I will insert policy. This time around, I want to insert a policy for find and replace string in body, anywhere it finds this URL. Let's go ahead and do this. Wherever it finds the information about the references, the URL of my back-end service, I want to change it to the URL of my API Management service. If I go to my APIM service on the overview, I can see the gateway URL there. That's the information that I want; I want the information to be changed to my gateway URL. Let's go back. If I paste that in there, so I'll just remove HTTPS. Anytime this is found in the body, it's going to replace it with this, but what I also want to do is, because this base URL is not the actual URL for where the API is hosted, I need to add the suffix of /conferenceapi. If you remember, I added that suffix earlier. Once I add that suffix there, all that looks good. If I go ahead and save that, now that's fine. Now, I have this policy which sets the header and then which finds and replaces a string. Let's go ahead on the tests to test these again. Now if I go back under GetSpeakers, and if I click on Send for that operation, now I'm receiving my reply, but you can see that the headers that we had initially are no longer present. Also, if you look at the references and the links, you can see that they have been changed from the back-end URL to my API Management URL.

In the next activity, I'll be showing you how to protect an API using an inbound policy. This is a visual representation of what I'll be showing you. I'll be creating an inbound policy similar to the way I created an outbound policy earlier, but what that will be doing is, it's information that's coming from the client going to the back-end. What the policy would do is that if the request that's coming from the client does not violate the policy, it's going to be routed by my gateway to the back-end service. In this case, I'll be adding a rate limit. However, if the request that's coming from the client violates that policy, which I'm going to trigger so that it violates the policy, in other words, I'm going to make more requests than what is allowed, that will automatically be stopped by that policy in the gateway. That's what I'm going to be showing you now. Let's go ahead and do that.

I'm back in the Azure portal. What I'll do is I'm still under my conference API. If I click on the design, under all operations this time around I want to select inbound processing and I want to click on that. The section that I'm going to be modifying this time will be the inbound section. I'm going to click on "Insert policy," and I'm going to look for access restriction policies. The policy I want to add is limit call rate per key, so that's the policy. Let's add that policy there. It says rate limit by key, calls; I'm going to change this to three, renewal period, 15, and counter key; let's change that to the subscription ID. A subscription ID is going to limit that. If I go ahead and save this, I can see my policy there. What I'll do is, if I go back under the tests tab and I click on GetSpeakers, and I'll click on "Send" to trigger that operation, and that's 200, that's okay. Let's send again. Good, let's send again, that's still good. Let's send again, there you go. That's been triggered. It says I have 429, too many requests.

Finally, I'll be showing you how to create an API revision. Back in the Azure portal, still under my conference API. At the very top here you have revisions. If I click on "Revisions," you can see that I currently have just one revision. What I can then do is click on "Add revision." I can give the revision a description. I'll call this revision 2 and I click on "Create." Now that that's created my revision, what I can do is click on the drop-down and specify which revision I want to edit. In this case, I'm on revision 2, so let's stick with that. If I go back under design, I can see all my operations here. What I want to do is click on "Add operation." I want to add a brand new operation; I'm going to call this tests. I'm going to set this to the POST method. I'm going to say POST /test. I'll just go ahead and save that. I'm adding a new operation to this. If I scroll down, I can see my new operation over here. I can see that under revision 2, but if I go to revision 1, I'll see that that operation is not there. Also, if I go to the Developer Portal, and if I go under APIs, and if I go under my conference API, I can see the operations. You can see that the new operation that I just added is not present because it's not in production yet. What I can do is, if I go back under revisions, I have my revision 2 there and then I can make this the current revision. If I switch that to be the current revision, let's go ahead and save that. Now it switched revision 2 to be the current revision. Now if I go back to the developer portal, if I refresh the screen, I can see my new operation that I just added right there.

That brings me to the end of this demo. I hope you found this informative. Thanks very much for watching, and I'll see you in the next lesson.