Using Azure API Management to Limit Access to a Parity Ethereum Node

Itay Podhajcer
Mar 11 · 6 min read

The Parity Ethereum client is not an enterprise targeted implementation, which, when used in scenarios that require limiting access to the node, will need to be placed “behind” a product that acts as a gateway that executes logic to determine whether a connection should be forwarded to the node or not.

Such a product, especially when running on Azure, can be API Management. It allows us to define policies which, for example, lets us:

  • Limit calls by subscription
  • Limit calls by API key
  • Restrict caller IPs
  • Set usage quota by subscription
  • Set usage quota by key
  • And many more

Template Repository

A repository with a complete Azure Resource Manager template for deploying the complete example, with both a Parity Ethereum node and Azure API Management resource, can be found here:

The ARM Template

This time we will be creating an Azure Resource Manager template that will deploy:

  • A virtual network
  • A subnet for the Parity Ethereum node (as we don’t want to expose it directly to the internet)
  • A subnet for the API Management resource
  • An Azure Container Instances resource that will execute the Parity container
  • And lastly, an Azure API Management resource

It is recommended that we create a dedicated resource group for our example which we will use to execute the ARM template we will be writing in the following steps.

We will start by defining the , , empty and sections and the beginning of the section:

Now we will add the first resource, the virtual network with two subnets. we will use the address space for the virtual network, for the Parity subnet and for the API Management subnet:

Note the delegation defined in the subnet, that, combined with the following network profile, enable an Azure Container Instances resource to be placed in a private virtual network:

Now we can create our Container Instances resource, which will execute a single container, , enabling the HTTP JSON-RPC endpoint and allowing all CORS origins. We will also assign a private IP that will be later used by the API Management resource to communicate with the container:

And the last remaining resource, the API Management, which will create using the SKU, which is enough for our example, and add to it:

  • API that points to the container with the address we defined earlier.
  • a single operation which will cover our possible calls to the Parity Ethereum node.
  • A policy that will limit the calls rate to 1 every 60 seconds by key and allow all CORS origins (note that this XML value needs to be JSON escaped, it can be done with a tool like this):
  • And product to which the API will be associated and developers can get subscriptions to.

You can find an example of how the complete template should look like in the above linked GitHub repository.

Running The Template

To run the template we just create, we will be using Azure’s portal this time, a new Template deployment resource needs to be create inside a resource group:

After we hit Create, we will need to choose Build your own template in editor:

Load our template file (after the file is loaded the editor should look like the following):

Click on Save and on the next screen (the values should already be populated as we added the template in an existing resource) agree to the terms and then click on Purchase (as we are purchasing the resources defined by the template).

The template might take a relatively long period to deploy (API Management is a large resource even using the SKU) and once completed, we should have 3 resources in our resource group:

  • A virtual network.
  • An Azure Container Instances resource.
  • And an Azure API Management resource.

API Management Setup

To complete the setup of our example, we will be:

  • Publish the API Management portal.
  • Create a user to test our API.

To publish the developer portal, when inside the API Management resource, click on Developer portal:

It might take a few seconds to load. Once loaded, click on Publish-website located under Operations (the icon of the paper air plane):

Next, back at the API Resource, we will now create a user for testing our example. Under Users, click on Add and set values for First name, Last name, Email and Password like (No need to enter an Id as it is generated when an email address is entered):

Testing

Now that we have everything setup, we can test our API using API Management’s Developer portal (the URL is available in the resource’s Overview tab):

  • Browse to the Developer portal.
  • Sign in using the user we created.
  • Once signed in, click on Products.
  • Click on the Ethereum product.
  • Enter a subscription name and Click on Subscribe.

On the page that is displayed after the subscription is created, click on Show on either of the keys (Primary or Secondary, it doesn’t matter for our example) and copy the value.

Now we can test the Ethereum API using the users API key:

  • Click on APIs in the portal’s menu.
  • Click on the Ethereum API.
  • Once the page loads, click on the green Try it button.
  • should be set to .
  • The API key should be placed in the header.
  • And the body should be set to a value which will be accepted by the Parity Ethereum node, such as:
{
"jsonrpc": "2.0",
"method": "eth_blockNumber",
"params": [],
"id": 1
}
  • And then click on Send.

If everything worked as expected, we should see a result similar to this:

Now, if we try to hit Send again, before 60 seconds have passed (as we defined in our policy), the operation will fail and although the message in the browser seems related to CORS, if checked was actually returned by the server (such as using the browsers developers tools), we should see the following response:

{ "statusCode": 429, "message": "Rate limit is exceeded. Try again in 44 seconds." }

That’s it, we create a Parity Ethereum node inside a private virtual network with Azure API Management as its rate limiting gateway.

Cleanup

As the container located in the virtual network required a network profile, which at the writing of this article, wasn’t possible to delete using the portal, we will need to follow this steps:

  • Delete the API Management resource.
  • Delete the Container Instances resource.
  • Run the following in the command line:
$profile = $(az network profile list --resource-group <RESOURCE GROUP NAME> --query [0].id --output tsv)
az network profile delete --id $profile -y
  • And lastly, delete the virtual network.

Conclusion

Although everything seems to work pretty well with the resources deployed in this example, a production grade deployment will require much more, such as: higher SKU for the API Management resource, additional deployments of Parity Ethereum nodes, maybe even in multiple regions.

Microsoft Azure

Any language.

Itay Podhajcer

Written by

Highly experienced software development & technology professional; consultant, architect & project manager

Microsoft Azure

Any language. Any platform. Our team is focused on making the world more amazing for developers and IT operations communities with the best that Microsoft Azure can provide. If you want to contribute in this journey with us, contact us at medium@microsoft.com

More From Medium

More from Microsoft Azure

More from Microsoft Azure

More from Microsoft Azure

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade