Azure API Management

All APIs should be routed through API Management (APIM). This provides a single portal in which to manage API setup, security and policies.

APIM offers an "Import from Function App" option in the portal that creates APIM APIs from function apps. This should not be used: the setup it creates is less than ideal.

All function app APIs must use function authorization and must also expose a swagger endpoint that returns an OpenAPI specification for the API.

The preferred way to configure APIM is through release definitions. The release definitions read the latest swagger definition exposed by the target API, update the APIM definition based on it, and also set some security policies on the APIM definition.

We need to create a versioned API definition in APIM and import the swagger definition to create the endpoints. This article can be helpful for creating a versioned API definition.

There are 3 main policies that we can set, and they are very important in order for the API to work correctly:

  • authheader - all function apps use function authorization, which means the client must pass the auth key in order to invoke the endpoint. This policy automatically inserts the auth header into every request going to the function app. Because of this, we need to ensure that the function app is only accessible from APIM and not publicly exposed. The auth key is stored as a named value in APIM.
  • whitelistip - all calls to APIM must first pass through the WAF (Azure Application Gateway). To enforce this we need to make the API only accessible from the Application Gateway's static IP.
  • cors - we can optionally specify CORS rules to make the API accessible directly from a browser.
  • rewritepolicy - this is an optional variable that specifies an APIM policy expression to define a rewrite rule on all operations in the API. This is used to map front-end URLs to different backend URLs.
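The four policies above, written out as a single APIM inbound policy document, as an added example that is not taken from the article or from the release definitions it describes. The Application Gateway address (203.0.113.10), the named value name `function-app-key`, the allowed origin and the rewrite template are constructed placeholders; the element names (`ip-filter`, `set-header`, `cors`, `rewrite-uri`) and the `{{named-value}}` syntax are standard APIM policy syntax, and `x-functions-key` is the header Azure Functions reads for function authorization.

```xml
<!-- Added example: API-scope policy combining authheader, whitelistip, cors and rewritepolicy. -->
<policies>
  <inbound>
    <base />

    <!-- whitelistip: only requests arriving from the Application Gateway static IP are allowed.
         203.0.113.10 is a constructed placeholder; use the gateway's real frontend IP. -->
    <ip-filter action="allow">
      <address>203.0.113.10</address>
    </ip-filter>

    <!-- authheader: inject the function key from an APIM named value so the client never sees it.
         'function-app-key' is a placeholder named value; mark it as a secret in APIM. -->
    <set-header name="x-functions-key" exists-action="override">
      <value>{{function-app-key}}</value>
    </set-header>

    <!-- cors (optional): allow a single known browser origin rather than a wildcard. -->
    <cors allow-credentials="false">
      <allowed-origins>
        <origin>https://app.example.com</origin>
      </allowed-origins>
      <allowed-methods>
        <method>GET</method>
        <method>POST</method>
        <method>OPTIONS</method>
      </allowed-methods>
      <allowed-headers>
        <header>Content-Type</header>
        <header>Authorization</header>
      </allowed-headers>
    </cors>

    <!-- rewritepolicy (optional): map the front-end path to the backend path.
         The template is a placeholder; it is applied to every operation when set at API scope. -->
    <rewrite-uri template="/api/orders" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

The ordering matters: `ip-filter` comes first so that requests from anywhere other than the gateway are rejected before the function key is attached. The policy only protects the APIM front door, so, as the article says, the function app itself must also be restricted (for example with its own network access restrictions) to accept traffic from APIM alone; otherwise a caller who discovers the function app hostname would still need the key, but the IP allow-list in APIM would give no protection at that layer.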
Thank you Hamada for all your guidance and help to make things easy.

Next: Setting Subscription Security on an API....
