In this last period I spent some time looking in Azure API Management and Azure security, the topic is quite complex and it required me a big effort to figured out how everything is able to work together, below a recap of my best thoughts and what we need to know to decide if API Management is the right technology to use for our problem.
I love Azure API Management (APIM) because is able to keep simple aspects that normally complicate are, like security services, services contracting harness, services management, metrics and governance.
First consideration to do is the services location which could be on premise or in the cloud.
if the API is in the cloud we don’t have any particular issue to cover, different situation if the service in on premise.
About the on premise side I had a look around and discussed with other guys in order to see different opinions, below the winners.
First Option put in security you on premise API using SSA or certificate and use 443 port.
Second option using application Service Environment (ASE), essentially it provides a virtual proxy IP environment approach so we need to replicate our “proxy service” layer in the cloud and inside ASE, a good start article here.
Second option activate the Premium Tier in the APIM and use a VPN approach, this approach is more expensive than ASE but it does not required any more effort in term of service management and governance, you services in the cloud and in the on premise side will be considered in the same way by APIM, a good article here.
About the security aspect I tried 2 options, Azure Active Directory and JWT token, both of them quite easy to set up using APIM because it is able to offer a very nice console to use.
Personally I like to use the open standard for authorization (OAuth), APIM offer the evolution 2.0 the OAuth2.
The concept in APIM is very clever, you decide your security provider and after that you only need to create a new authorization server, when you have your authorization server you can organize the security of your services assigning them to it, that awesome because you can manage a great granularity.
there are many great features to use in APIM, what I love most are policies, using policies you can control everything you need of your services starting from security like JWT, service consuming and more.
Over the simple things like control limit rate and bandwidth, but very complicate to realize using a classic code approach ;), great point about policies, I like the idea to execute C# scripting inside them, in that way I can extend the services behaviors in fast and easy way, you can also set a strong granularity control of you service caching.
My vote on this Azure stack? Awesome Azure Stack, I really recommend to use APIM in all Azure solution.