Introducing Azure API Management Policy Toolkit
We’re excited to announce the early release of the Azure API Management Policy Toolkit, a set of libraries and tools designed to change how developers work with API Management policies, making policy management more approachable, testable, and efficient for developers. Empowering developers with Azure API Management Policy Toolkit Policies have always been at the core of Azure API Management, offering powerful capabilities to secure, change behavior, and transform requests and responses to the APIs. Recently, we've made the policies easier to understand and manage by adding Copilot for Azure features for Azure API Management. This allows you to create and explain policies with AI help directly within the Azure portal. This powerful tool lets developers create policies using simple prompts or get detailed explanations of existing policies. This makes it much easier for new users to write policies and makes all users more productive. Now, with the Policy Toolkit, we’re taking another significant step forward. This toolkit brings policy management even closer to the developer experience you know. Elevating policy development experience Azure API Management policies are written in Razor format, which for those unfamiliar with it can be difficult to read and understand, especially when dealing with large policy documents that include expressions. Testing and debugging policy changes requires deployment to a live Azure API Management instance, which slows down feedback loop even for small edits. The Policy Toolkit addresses these challenges. You can now author your policies in C#, a language that feels natural and familiar to many developers and write tests against them. This shift improves the policy writing experience for developers, makes policies more readable, and shortens the feedback loop for policy changes. Key toolkit features to transform your workflow: Consistent policy authoring. Write policies in C#. No more learning Razor syntax and mixing XML and C# in the same document. Syntax checking: Compile your policy documents to catch syntax errors and generate Razor-based equivalents. Unit testing: Write unit tests alongside your policies using your favorite unit testing framework. CI/CD integration: Integrate Policy Toolkit into automation pipelines for testing and compilation into Razor syntax for deployment. Current Limitations While we’re excited about the capabilities of the Policy Toolkit, we want to be transparent about its current limitation: Not all policies are supported yet, but we’re actively working on expanding the coverage. We are working on making the Policy Toolkit available as a NuGet package. In the meantime, you’ll need to build the solution on your own. Unit testing is limited to policy expressions and is not supported for entire policy documents yet. Get Started Today! We want you to try the Azure API Management Policy Toolkit and to see if it helps streamlining your policy management workflow. Check out documentation to get started. We’re eager to hear your feedback! By bringing policy management closer to the developer, we’re opening new possibilities to efficiently manage your API Management policies. Whether you’re using the AI-assisted approach with Copilot for Azure or diving deep into C# with the Policy Toolkit, we’re committed to making policy management more approachable and powerful.GPT-4o Support and New Token Management Feature in Azure API Management
We’re happy to announce new features coming to Azure API Management enhancing your experience with GenAI APIs. Our latest release brings expanded support for GPT-4 models, including text and image-based input, across all GenAI Gateway capabilities. Additionally, we’re expanding our token limit policy with a token quota capability to give you even more control over your token consumption. Token quota This extension of the token limit policy is designed to help you manage token consumption more effectively when working with large language models (LLMs). Key benefits of token quota: Flexible quotas: In addition to rate limiting, set token quotas on an hourly, daily, weekly, or monthly basis to manage token consumption across clients, departments or projects. Cost management: Protect your organization from unexpected token usage costs by aligning quotas with your budget and resource allocation. Enhanced visibility: In combination with emit-token-metric policy, track and analyze token usage patterns to make informed adjustments based on real usage trends. With this new capability, you can empower your developers to innovate while maintaining control over consumption and costs. It’s the perfect balance of flexibility and responsible consumption for your AI projects. Learn more about token quota in our documentation. GPT4o support GPT-4o integrates text and images in a single model, enabling it to handle multiple content types simultaneously. Our latest release enables you take advantage of the full power of GPT-4o with expanded support across all GenAI Gateway capabilities in Azure API Management. Key benefits: Cost efficiency: Control and attribute costs with token monitoring, limits, and quotas. Return cached responses for semantically similar prompts. High reliability: Enable geo-redundancy and automatic failovers with load balancing and circuit breakers. Developer enablement: Replace custom backend code with built-in policies. Publish AI APIs for consumption. Enhanced governance and monitoring: Centralize monitoring and logs for your AI APIs. Phased rollout and availability We’re excited about these new features and want to ensure you have the most up-to-date information about their availability. As with any major update, we’re implementing a phased rollout strategy to ensure safe deployment across our global infrastructure. Because of that some of your services may not have these updates until the deployment is complete. These new features will be available first in the new SKUv2 of Azure API Management followed by SKUv1 rollout towards the end of 2024. Conclusion These new features in Azure API Management represent our step forward in managing and governing your use of GPT4o and other LLMs. By providing greater control, visibility and traffic management capabilities, we’re helping you unlock the full potential of Generative AI while keeping resource usage in check. We’re excited about the possibilities these new features bring and are committed to expanding their availability. As we continue our phased rollout, we appreciate your patience and encourage you to keep an eye out for the updates.The Rising Significance of APIs - Azure API Management & API Center
As we venture deeper into the digital era, APIs (Application Programming Interfaces) have become the cornerstone of modern software development and digital communication. APIs continue to be pivotal, acting as the conduits through which different systems, applications, and devices interact and exchange data. This growing reliance on APIs is reflected in the investment trends, with a significant 92% of global respondents indicating that investments in APIs will either remain steady or increase over the next year (2023 State of the API Report, Postman, 2023). Recognizing the critical role that APIs play in modern software architecture, Microsoft has been consistently investing in and expanding its API suite to fulfill diverse needs. Managing APIs is not a one-size-fits-all solution with different API ecosystems requiring different API management approaches and tools. Azure API Center, a new API Azure service, was recently announced General Availability (GA). Azure API Center is engineered to function independently, yet it seamlessly integrates with Azure API Management, providing customers options to manage various aspects of their API ecosystem. In the following sections, we will dive into the specifics of Azure API Management and Azure API Center, highlighting their differences, use cases, and guiding you on when to use each product to best manage and leverage your API ecosystem. Azure API Management: Your Gateway to Digital Transformation Azure API Management (APIM) is a managed cloud service designed to streamline and secure the use of APIs. API Management acts as a secure front door to facilitate, manage, and analyze the interactions between an organization’s APIs and their users with some of their core functionalities listed below: API gateway - operational management: API Management acts as a gateway, managing API exposure, security, and analytics during runtime. Traffic routing: Acts as a facade to backend services by accepting API calls and routing them to appropriate backends. API access: Verifies API keys and other credentials such as JWT tokens and certificates presented with requests to access APIs published through an API Management instance. Operational stability: API Management allows you to enforce usage quotas and rate limits to manage the flow of requests to your APIs effectively to prevent API overuse. It also validates requests and responses in compliance with the specification - e.g., JSON and XML validation, validation of headers and query params. Request transformation: The rich policy engine of API Management allows you to modify incoming and outgoing requests to your needs with more than 60 built-in policies and the option to build your own custom policies. API logging: API Management provides the capability to emit logs, metrics, and traces, which are essential for monitoring, reporting, and troubleshooting your APIs. Self-hosted gateway: API Management also offers self-hosted gateway capabilities, a containerized version of the default managed gateway to place your gateways in the same environments where you host your APIs. Developer Portal: API Management features a developer portal, which can be generated automatically and is a fully customizable website with the documentation of your APIs. It facilitates API discovery, testing, and consumption by internal and external developers. Azure API Center: Your Inventory for API Lifecycle Management Azure API Center is the newest addition to the Azure API suite, focusing on the design-time aspects of API governance and centralizing your API inventory for tracking reasons. It acts as a repository and governance tool for all APIs within an organization, regardless of where they are in their lifecycle or where they are deployed. API inventory management: API Center allows you to register all your organization’s APIs in a centralized inventory, regardless of their type, lifecycle stage, or deployment location, for better tracking and accessibility. Tackling API sprawl: APIs' runtime might be managed in multiple different API Management services, multiple different API gateways from different vendors, or are unmanaged at all. Azure API Center allows you to develop and maintain a structured API inventory. Holistic API view: While API Management excels in runtime API mediation, its inventory management capabilities are limited to the types of APIs that are supported at runtime and to the versions that are actively managed in runtime. Azure API Center supports any kind of API types, such as AsyncAPIs, and you can easily track APIs across different deployment environments. Real-world API representation: You can add detailed information about each API, including versions, definitions, custom metadata, and associate them with deployment environments (e.g. Dev, Test, Production). API governance: Azure API Center provides tools to organize and filter APIs using metadata, set up linting and analysis to check API design consistency for better conformance on API style guidelines. Additionally, shift-left API compliance to API teams to ensure that developers can more productively and efficiently create compliant APIs. API discovery and reuse: It enables internal developers and API program managers to discover APIs through the Azure portal, an API Center portal, and developer tools, including a Visual Studio Code extension. Navigating Your API Ecosystem - Example Scenarios for Azure API Center and API Management While both services are integral to the API ecosystem, they serve distinct purposes: Azure API Management is geared towards runtime API governance and observability, focusing on the operational aspects of API management, such as securing, publishing, and analyzing APIs in use. Azure API Center, in contrast, is tailored for design-time API governance, helping organizations to maintain a structured inventory of all APIs for better discovery and governance. API Management and API Center are complementary services that, when used together, provide a comprehensive API management solution from design to deployment. API Mangement excels in the operational phase, while API Center, as your organizational API inventory, shines in the design and governance stages, ensuring that APIs are not only functional but also adhere to organizational standards and best practices. Note: The following scenarios are not mutually exclusive. They have been separated for better display and clarity. Scenario 1: Azure API Center serves as an API design governance tool for analyzing API definitions based on linting rules to check on API design consistency and quality: Scenario 2: Azure API Center serves as a centralized inventory solution for managing APIs across different API lifecycle stages (e.g. development, testing, production): Scenario 3: Azure API Center serves as a centralized inventory solution for managing APIs across different regional or organizational deployments (e.g. Asia, Europe, America): Scenario 4: Azure API Center serves as a centralized inventory solution for managing APIs across different cloud platforms (e.g. Azure, AWS, and Google Cloud): Azure API Center and API Management Workspaces Note: Azure API Management workspaces currently only apply to the Premium API Management tier (see Workspaces in Azure API Management for further details). API management workspaces are a feature within Azure API Management that allows decentralized API development teams to manage and productize their own APIs. Workspaces enable aggregation of multiple teams with proper isolation in a single APIM service. For Azure API Center, all previously mentioned scenarios still apply, regardless of whether APIM services use workspaces. Azure API Center will continue to improve the management of APIs across different API Managment services, as organizations... have APIM services across environments, for example, dev, test, and prod. have more than one production APIM service in their company. have APIm platforms from multiple vendors. Conclusion In conclusion, the launch of Azure API Center and the continued evolution of Azure API Management underscore Microsoft’s commitment to empowering organizations in their API first journey. By leveraging Azure API Management for runtime efficiency and Azure API Center for inventory and governance, organizations can navigate their API ecosystems with confidence, knowing they have the tools to foster innovation, efficiency, and growth. Share Your Thoughts! Your insights are invaluable to us. We're eager to hear what you think about Azure API Center and API Management, and to understand your needs. Is there something specific that would make you and your organization even more successful? Your feedback is the key to our continuous improvement. If you prefer a more personal touch, feel free to reach out via LinkedIn to Julia Kasper, Pierce Boggan and Mike Budzynski. Thank you for being a part of our journey!Publish, Protect and Validate OData APIs in API Management
We are excited to announce the public preview of the OData API type in Azure API Management (API Management). OData (Open Data Protocol) is a standard that defines a set of best practices for building and consuming RESTful APIs. OData gained popularity as an industry standard for data integration and interoperability and has been widely adopted by large companies such as SAP, Oracle, Microsoft, and others. This new capability extends the benefits and capabilities of API Management to OData APIs, including the ability to secure them with standard API protections, such as authentication, authorization, and rate limiting, in combination with OData-specific policies for request validation. First-class support for OData makes it easier for customers to publish OData APIs in API Management eliminating the need to first convert OData metadata to OpenAPI. The rest of the blog will show how simple and quick it is to onboard to and protect an OData API with API Management. An example: Importing and protecting an OData API from SAP I will be using the publicly available SAP Gateway Demo system ES5 which provides a practical, working OData service with a dataset containing a list of items of a sales order from the Enterprise Procurement demo data. It contains EntitySets such as: BusinessPartnerSet ProductSet SalesOrderSet SalesOrderLineItemSet Export an OData metadata file and create an OData API from the update-enabled SAP Gateway Demo API “GWSAMPLE_BASIC” and now I can import this as an OData API into API . To create an OData API within the Azure API Management service: Open the Azure Portal in your browser Select your Azure API Management service or create a new one Select the APIs blade Select +Add API Fill in the form: Choose a Display name (sap-odata-test) The name field will auto-fill with a suitable name Select the file that contains the metadata for an API Choose an API URL suffix (sap-odata-test) Select Create to create the API After the API is created, the entity sets and functions appear on the API’s schema tab. Add policy for an OData request validation With the introduction of OData API type into Azure API Management we added the new `validate-odata-request` policy which validates the request URL, headers, and parameters of a request to an OData API to ensure conformance with the OData specification. Now I can add an OData request validation policy to the imported SAP Gateway Demo API: Select API Policies tab Select </> in the Inbound processing section to edit the policy Add a <validate-odata-request> to the policy definition <policies> <inbound> <validate-odata-request default-odata-version="4.01" min-odata-version="4.0" max-odata-version="4.01" /> <base /> </inbound> … </policies> Resulting policy should look the following Select Save to apply changes to the policy If I try to request an EntitySet with a non-existing property, API Management will validate this request and return an error. I will send a request for ProductSet with a property ‘Name1’ using Postman: The request was validated by Azure API Management, and I received a response stating that property could not be found. { "statusCode": 400, "message": "Could not find a property named 'Name1' on type 'GWSAMPLE_BASIC.Product'." } In combination with the large set of policies available in API Management, such as authorization, authentication, rate limiting and more, you can further enhance the security of your OData APIs For instance, you can exchange Microsoft Entra ID (formerly Azure Active Directory) issued tokens for an SAP issued Bearer token and forward it to backend with caching support for both tokens. Policy snippet available here. Next steps Kickstart your SAP app integration project on Azure leveraging OData and the SAP Cloud SDK from here. To hit the ground running, find publicly available SAP OData APIs or mock services here. OData API type in Azure API Management is in public preview, give it a try and let us know what you think in the comments below!
