Dom

Rate limiting API calls in cloud

1. This post covers the process of setting up API Management (Layer 7 Load balancer) in Azure.

2. It will also cover how to set up a subscription-key rate-limited endpoint, which would set you up for providing an API as SaaS.

I wanted to document this process when I was setting up a custom rate-limited search cluster that was called from my frontend app while providing 2 endpoints.

  • 1st endpoint being free.
  • 2nd endpoint being available only with valid API key.

This post assumes you have already created an Azure resource group and deployed your backend service as an Azure App Service inside it.

After you deploy your App Service and API Management service to your resource group, it will look similar to this.

Importing and publishing your first API is explained HERE


Start by importing an Azure Web App as an API, which is explained HERE.

After that you can click on your added API endpoint and provision your desired policies.

After that you can set whether an API key is needed to access your endpoint.

Endpoint policies exported as XML

Paid endpoint LB policy:

  • "set-backend-service" is added by default when the new API is attached to the App Service.
  • "quota-by-key" here is set to count only successful 200 OK responses and to allow a maximum of 1000 API calls every 29 days (2505600 sec).
  • "set-header" adds a custom header at the load balancer before the request reaches the backend service, as this header is required by my service.

Free endpoint LB policy:

  • "rate-limit-by-key" is actually an IP rate limit allowing 5 requests every 300 sec.

CORS Policy on all endpoints:

  • here we set which HTTP methods are allowed
  • which domains are allowed to access our endpoints
  • preflight-result-max-age="300" caches the result of our CORS preflight request for 300 sec, so that each subsequent request from the frontend app has one less network hop to do.

With this setup, requests are blocked immediately at the load balancer endpoint (even before they reach the App Service endpoints).

Beware: by default APIM puts a CORS policy on the load balancer endpoint (it affects all API endpoints), so check and update the default if needed.
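
The three policies described above, written out as APIM policy XML. This is an added example, not the author's exported XML: the backend id, header name and value, allowed origin and methods, and the use of the subscription id as the quota counter key are placeholder assumptions.

```xml
<!-- Added example. Placeholder values are assumptions, not taken from the post. -->

<!-- Paid endpoint (subscription key required) -->
<policies>
    <inbound>
        <base />
        <!-- Present by default after importing the App Service as an API -->
        <set-backend-service backend-id="WebApp_PLACEHOLDER" />
        <!-- 1000 calls per 2505600 s (29 days); only 200 OK responses count.
             Keying the counter on the subscription id is an assumption. -->
        <quota-by-key calls="1000" renewal-period="2505600"
                      counter-key="@(context.Subscription.Id)"
                      increment-condition="@(context.Response.StatusCode == 200)" />
        <!-- Custom header the backend requires, set before forwarding -->
        <set-header name="X-Placeholder-Header" exists-action="override">
            <value>PLACEHOLDER_VALUE</value>
        </set-header>
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>

<!-- Free endpoint: inbound section only -->
<inbound>
    <base />
    <!-- 5 calls per 300 s, counted per caller IP address -->
    <rate-limit-by-key calls="5" renewal-period="300"
                       counter-key="@(context.Request.IpAddress)" />
</inbound>

<!-- CORS for all endpoints: inbound section only -->
<inbound>
    <cors allow-credentials="false">
        <allowed-origins>
            <origin>https://frontend.example.com</origin>
        </allowed-origins>
        <!-- Browsers may cache the preflight result for 300 s -->
        <allowed-methods preflight-result-max-age="300">
            <method>GET</method>
            <method>POST</method>
        </allowed-methods>
        <allowed-headers>
            <header>*</header>
        </allowed-headers>
    </cors>
</inbound>
```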

Policies documentation:

Cross domain policies
Advanced Policies

CORS caching : Learn more

Preflight OPTIONS request example


Managing API key subscriptions

More about it HERE.

