API Management

Mary Becken
4 min read · Dec 30, 2023


Feel the Love

I haven’t had an excuse to use Azure API Management before, but it looks like it has mucho functionality. Beyond the basics of creating, publishing, maintaining, monitoring, and securing APIs, Azure API Management has an XML policy language (with C# policy expressions) for writing custom request and response processing, plus API design and mocking capabilities, among other things.

So, let’s do a little experimentation with Azure API Management.

If you don’t have an Azure API Management instance already, you can create one easily enough in the Azure Portal.

Create a resource > API Management > Create

In the Basics tab, you fill in the generalities: subscription, resource group, region, resource name, organization name, and administrator email. I am using the Developer tier for this scenario, which is fine for experimentation but carries no SLA and is not meant for production traffic:

In the Monitoring tab, you can turn on Application Insights if you want. Application Insights can perform application performance monitoring for live web applications. It looks pretty cool, but I will need to dig into it another day.

In the Scale tab, you can add scale units to adjust for your capacity needs. The Developer tier I chose does not have an option for this.

The Managed identity tab lets you set up a system-assigned managed identity for the API Management service. The gateway can then authenticate to other Azure resources (for example, pulling certificates and named-value secrets from Key Vault) without any credential being stored in the instance.

The Virtual network tab lets you choose how the instance is reached: left public, exposed through a private endpoint, or deployed into a virtual network.

The Protocol settings tab lets you select which transport protocols and ciphers the gateway will accept (older TLS versions and weak ciphers are worth leaving disabled), and whether to enable HTTP/2.

Finally, add Tags if you like, then Review + create.

So our API Management service is up; now let’s add some APIs.

I wanted to add some deliberately vulnerable APIs for my experiment with Defender for APIs in Defender for Cloud. I’ve spent a fair amount of time playing with crAPI (https://owasp.org/www-project-crapi/), but I didn’t have a super easy way to import it into API Management. I did have a Postman Collection, however, to create an OpenAPI definition from. See this article if you haven’t done that before: https://medium.com/@mgbecken/easy-bake-from-postman-collection-to-openapi-7d41d273f216

Once your OpenAPI definition is created, you can import it into API Management.

Other options to choose:

Add Inbound Policy
— Filter IP Addresses
— Limit Call Rate
— Mock Responses
— Set Query Parameters
— Set Headers
— Allow CORS
— Cache Responses
— Set Usage Quota by Key
— Validate Content
— Validate Parameters
— Validate JWT
— Other Policies (roll your own)

Add Outbound Policy
— Set Headers
— Validate Content
— Validate Headers
— Validate Status Code
— Other Policies — custom XML
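Here is what several of the inbound and outbound policies from the two lists above look like once you "roll your own" as policy XML. This is an added example, not a policy from the original post, from crAPI, or from Microsoft's docs; the IP range (the 203.0.113.0/24 documentation range), the `{tenant-id}` placeholder, the `api://crapi-demo` audience, and the 100-calls-per-minute limit are all assumptions you would replace with your own values.

```xml
<policies>
    <inbound>
        <base />
        <!-- Filter IP Addresses: only the assumed 203.0.113.0/24 range may call; others get 403 -->
        <ip-filter action="allow">
            <address-range from="203.0.113.0" to="203.0.113.255" />
        </ip-filter>
        <!-- Limit Call Rate: 100 calls per 60 seconds, counted per client IP -->
        <rate-limit-by-key calls="100" renewal-period="60"
                           counter-key="@(context.Request.IpAddress)" />
        <!-- Validate JWT: reject any request without a signed, unexpired bearer token
             issued by the assumed Entra ID tenant for the assumed audience -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      require-expiration-time="true"
                      require-scheme="Bearer"
                      require-signed-tokens="true">
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://crapi-demo</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
        </validate-jwt>
        <!-- Validate Content: JSON bodies must match the imported OpenAPI schema,
             unknown content types and bodies over 100 KB are blocked -->
        <validate-content unspecified-content-type-action="prevent"
                          max-size="102400"
                          size-exceeded-action="prevent"
                          errors-variable-name="requestBodyValidation">
            <content type="application/json" validate-as="json" action="prevent" />
        </validate-content>
        <!-- Validate Parameters: declared parameters must match the schema;
             undeclared ones are only logged ("detect"), not blocked -->
        <validate-parameters specified-parameter-action="prevent"
                             unspecified-parameter-action="detect"
                             errors-variable-name="requestParamValidation" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Set Headers: strip backend fingerprints and force HSTS on the way out -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="Server" exists-action="delete" />
        <set-header name="Strict-Transport-Security" exists-action="override">
            <value>max-age=31536000; includeSubDomains</value>
        </set-header>
        <!-- Validate Status Code: record (but do not block) status codes the
             OpenAPI definition never declared, so a misbehaving backend shows up in logs -->
        <validate-status-code unspecified-status-code-action="detect"
                              errors-variable-name="responseStatusValidation" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two things to keep in mind when you paste something like this into the policy editor: `validate-content` and `validate-parameters` only have a schema to check against if the OpenAPI definition you imported actually declared request bodies and parameters (a spec generated from a Postman collection often does not), and the `detect` actions do nothing visible unless you also log the named error variables somewhere, for example through Application Insights.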

Quick as a bunny, your API is being managed.

This is where things got a little confusing. API Management imported 34 operations, but crAPI actually has more. These are the ones it did not import:

The discrepancy may be some error I introduced or an additional factor, like those outlined here:

https://learn.microsoft.com/en-us/azure/api-management/api-management-api-import-restrictions

I imported a different API — VAmPI (https://github.com/erev0s/VAmPI), and there was no discrepancy.

My next step is adding these APIs to Defender for APIs in Defender for Cloud. My next article in this series is coming soon.
