Building Azure API Management Proxy for Azure Storage

Microsoft acquired Apiphany, backed it with Azure compute and storage, and now offers it to users as the API Management service. Azure API Management is a reliable, secure and scalable way to publish, consume and manage APIs running on the Microsoft Azure platform. It provides the tools required for end-to-end management of APIs: it fronts the back end, tracks and enforces usage, authenticates callers, and more.

Recently, I was reading about AWS API Gateway (a service similar to Azure API Management) which has out of the box support for interacting with your AWS resources. I really liked the idea behind having an API front end for your resources. I will quote the reasons for which you may want to do so verbatim from the AWS blog post (replacing AWS with Azure of course!).

  1. You might want to enable your application to integrate with very specific functionality that an Azure service provides, without the need to manage access keys and secret keys that Azure APIs require.
  2. There may be application-specific restrictions you’d like to place on the API calls being made to the Azure services that you would not be able to enforce if clients integrated with the Azure APIs directly.
  3. You may get additional value out of using a different HTTP method from the method that is used by the Azure service. For example, creating a GET request as a proxy in front of an Azure API that requires an HTTP POST so that the response will be cached.
  4. You can accomplish the above things without having to introduce a server-side application component that you need to manage or that could introduce increased latency.

Scenario

We want to implement an API that downloads private blobs from Azure Storage in a secure manner. The API consumer must be authenticated and authorized before any blob is returned. We do not want to host a custom application in between: it would add latency and bring its own memory and scaling to manage.

We will build this API with Azure API Management and use a JWT to authenticate and authorize the caller. This abstracts away the service that actually serves the data (the Azure Storage REST API), so the data provider could later be swapped for AWS S3 without touching the clients, and it keeps the access path to the storage resources short.

Building the Resources

First and foremost, you need to create an Azure storage account. Once you have it ready, create a private Azure blob container and add some files to it. I use Azure Storage Explorer, which is a free and easy to configure utility, to assist me with such tasks. Here, I created a storage account named secretresources, created a container named organizationresources and added a few files into it.

Specify Operations

If you take a look at the REST operations for the Azure Blob service, the base URL used for all of them is https://[yourstorageaccountname].blob.core.windows.net. Therefore, the Web Service URL that the API should forward requests to is https://[yourstorageaccountname].blob.core.windows.net. The operation we need is Get Blob, which is a GET to /[containername]/[blobname] under that base URL. Next, you may supply an optional Web API URL suffix, which we have left blank. Choose HTTPS as the URL scheme to ensure transport security; the token and the storage credentials should never travel over plain HTTP.

Defining The Policy

The behavior of an API in API Management is driven through policies. Policies are a collection of statements that are executed sequentially on the request or response of an API. A policy can alter both the inbound request and outbound response. Navigate to the policy applicable to your API by clicking on Policies, selecting your API and then selecting the relevant operation from the list.

Specifying HTTP Request Headers in Policy

The following statements in the policy specify the headers that should be added to the HTTP request when it is forwarded to the back-end Azure Blob Storage service. Because the container is private, these are the headers that authenticate the proxy to storage; the client never sees the storage credentials, which is the first of the reasons listed above.
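The policy statements themselves are not reproduced on this page. As an added example that is not the post's code, the following Python shows what those headers must contain if the proxy authenticates to the private container with the storage account's Shared Key (an assumption; a SAS token in the query string is the other common choice): x-ms-date, x-ms-version and an Authorization header whose value is an HMAC-SHA256 over the request, which is exactly the value a set-header policy expression would have to compute on every request. The account and container names follow the post; the key, blob name and clock are constructed.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

# Names from the post; the key is a constructed placeholder (32 0x01 bytes, base64), not a real key.
ACCOUNT = "secretresources"
CONTAINER = "organizationresources"
STORAGE_KEY_B64 = base64.b64encode(b"\x01" * 32).decode("ascii")
API_VERSION = "2015-04-05"

# Constructed sample request: a blob name and a fixed clock so the output is reproducible.
BLOB_URL = f"https://{ACCOUNT}.blob.core.windows.net/{CONTAINER}/report.pdf"
SAMPLE_TIME = datetime(2016, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

# Standard headers, in the order the Blob service's string-to-sign lists them.
STANDARD_HEADERS = [
    "Content-Encoding", "Content-Language", "Content-Length", "Content-MD5", "Content-Type",
    "Date", "If-Modified-Since", "If-Match", "If-None-Match", "If-Unmodified-Since", "Range",
]


def canonicalized_headers(headers):
    """x-ms-* headers only, lowercased, sorted by name, each as 'name:value\\n'."""
    items = sorted((k.lower(), v.strip()) for k, v in headers.items()
                   if k.lower().startswith("x-ms-"))
    return "".join(f"{k}:{v}\n" for k, v in items)


def canonicalized_resource(account, url):
    """'/account/path' followed by each query parameter as '\\nname:value' (names lowercased, sorted)."""
    parts = urlsplit(url)
    out = f"/{account}{parts.path}"
    params = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        params.setdefault(name.lower(), []).append(value)
    for name in sorted(params):
        out += f"\n{name}:{','.join(sorted(params[name]))}"
    return out


def string_to_sign(verb, url, headers, account=ACCOUNT):
    """Shared Key string-to-sign. For a GET every standard header slot is empty; the request
    date travels in x-ms-date, which is covered by the canonicalized headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    standard = [lower.get(h.lower(), "") for h in STANDARD_HEADERS]
    return ("\n".join([verb, *standard]) + "\n"
            + canonicalized_headers(headers)
            + canonicalized_resource(account, url))


def sign(verb, url, headers, key_b64, account=ACCOUNT):
    """Base64(HMAC-SHA256(string-to-sign)) keyed with the base64-decoded account key."""
    message = string_to_sign(verb, url, headers, account).encode("utf-8")
    mac = hmac.new(base64.b64decode(key_b64), message, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def shared_key_headers(verb, url, key_b64=STORAGE_KEY_B64, account=ACCOUNT, now=None):
    """The three headers the proxy must add before forwarding to Blob storage."""
    if now is None:
        now = datetime.now(timezone.utc)
    headers = {
        # RFC 1123 date; storage rejects requests whose clock is more than 15 minutes off.
        "x-ms-date": now.strftime("%a, %d %b %Y %H:%M:%S GMT"),
        "x-ms-version": API_VERSION,
    }
    headers["Authorization"] = f"SharedKey {account}:{sign(verb, url, headers, key_b64, account)}"
    return headers


def verify_shared_key(verb, url, headers, key_b64=STORAGE_KEY_B64, account=ACCOUNT):
    """What the storage service does on receipt: recompute the signature and compare in constant time."""
    scheme, _, credentials = headers.get("Authorization", "").partition(" ")
    acct, _, sig = credentials.partition(":")
    if scheme != "SharedKey" or acct != account:
        return False
    unsigned = {k: v for k, v in headers.items() if k != "Authorization"}
    return hmac.compare_digest(sig, sign(verb, url, unsigned, key_b64, account))


if __name__ == "__main__":
    for name, value in shared_key_headers("GET", BLOB_URL, now=SAMPLE_TIME).items():
        print(f"{name}: {value}")
```

Because x-ms-date is part of the signed string, the Authorization value cannot be a fixed string in the policy; it has to be computed per request. Keep the account key out of the policy body as well: store it as a secret named value in API Management and reference it from the expression, so it never shows up in exported policy XML.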

Validate JWT

We will use a JWT passed in a request header to validate the incoming request and authorize access based on the value of the canDownload claim carried in the token. The following declaration in the policy achieves this: it checks the signature against the configured key, rejects expired tokens, and requires the claim to be present with the expected value before the request is forwarded.

Testing The API

Every Azure API Management instance comes with a configurable developer portal at https://[yourservicename].portal.azure-api.net (also reachable through a link at the top right of the management portal). In the portal, click APIs and select your API from the list. On the API definition page, click the Try it button. Try it once with a valid token and once with a token whose canDownload claim is false or missing; only the first should return the blob. You should now have a view that is similar to the following.

JWT Refresher

There is a nice little introduction to JWT here. A JWT is a JSON-formatted token that is signed, not encrypted: anyone holding the token can base64url-decode the header and the claims, but only a party holding the key can produce or verify a valid signature. That is what lets API Management reject a token whose claims have been altered in transit.

JSON Web Tokens consist of three parts separated by dots (.), which are:

  • Header: typically two parts, the type of the token (JWT) and the signing algorithm, such as HMAC SHA-256 (HS256) or RSA (RS256).
  • Payload: the JSON-formatted claims, in our case including canDownload.
  • Signature: base64url-encode the header and the payload, join them with a dot, and sign that string with the secret (or private key) using the algorithm named in the header.

Generating A Token

Navigate to http://jwt.io and then to the token debugger. In the debugger, you can generate a token from a given header, payload and secret; the debugger colour codes the header, payload and signature to show the components that form the token. Use a throwaway secret there: the signing key that API Management will validate against should never be pasted into a third-party site.
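To make the token structure and the validate-jwt checks concrete, here is an added example that is mine, not code from the post or from jwt.io. It mints an HS256 token carrying a canDownload claim, the way the debugger does, and then applies the checks the policy performs on the way in: three segments, a pinned algorithm, a valid signature, an unexpired token and the required claim. The secret, subject and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret. In API Management the same bytes would be the issuer signing key
# of the validate-jwt policy; this value exists only for the example and is not a real secret.
SECRET = b"constructed-example-secret-at-least-32-bytes"


def b64url(data: bytes) -> str:
    """Base64url without padding, as required for every JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """header.payload.signature with HS256, the same thing the jwt.io debugger produces."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def validate_token(token: str, secret: bytes = SECRET, now=None) -> dict:
    """The checks validate-jwt performs for this scenario. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))  # decode claims only after the signature holds
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("canDownload") not in (True, "true"):
        raise ValueError("canDownload claim missing or false")
    return claims


def check(token: str, secret: bytes = SECRET, now=None) -> str:
    """Return 'ok' or the reason the token was rejected."""
    try:
        validate_token(token, secret, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    good = mint_token({"sub": "alice", "canDownload": True, "exp": int(time.time()) + 3600})
    print(good)
    print(check(good))
    # Forgery attempt: downgrade the algorithm to "none" and drop the signature.
    forged = ".".join([b64url(b'{"alg":"none","typ":"JWT"}'), good.split(".")[1], ""])
    print(check(forged))
```

Generating real tokens with code like this on your own machine is the safe counterpart of the debugger: the signing key stays with you, and the validate-jwt policy in API Management is configured with the same key.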
