Azure APIM
  • 13 Apr 2023
  • 4 Minutes to read
  • PDF

Azure APIM

  • PDF

Article Summary

APIM is Azure's API management platform. Azure APIM supports private, public, and hybrid integrations. Azure APIM supports the following four tiers:

  • Developer
  • Basic
  • Standard
  • Premium

The Azure APIM policy is written in XML and C#. The policy provides hooks to capture and perform transformations on the request and responses. A policy consists of an inbound and an outbound section. Traceable's policy is added in both inbound and outbound sections to capture request and response. The policy captures the data, creates a JSON payload and sends it to ext_cap request and response endpoint. The Traceable policy waits for a response from ext_cap before it forwards the request to the backend. 

Traceable supports both synchronous and asynchronous request and response capture depending on the Traceable policy you download from Traceable's download site. When you use the synchronous policy, the request blocking is immediate, however, with the asynchronous policy the request is not blocked.

The following diagram shows a high-level deployment of Traceable in Azure APIM setup:

Before you begin

  • Make sure that Azure APIM is deployed in either a Developer or Premium tier with a vNet configuration. 
  • Decide whether you want to deploy Traceable's sync or asynchronous policy.


The deployment of Traceable policy consists of the following steps:

  1. Launch Traceable agent VM using ARM templates.
  2. Create a named variable in APIM portal which has a newly created VMs private IP.
  3. Apply Traceable policy. You can apply the policy at the global level for all the APIs, at individual level, or for a specific operation for an API.

Step 1 – Launch and configure Traceable agent using ARM template

Click on the launch link to start the configuration process. ARM template portal is displayed. 

Click on the Next: Review + create> button after you have configured the values in the template. 

The following table describes the options.

Resource GroupSelect Resource group from the dropdown list. Do not create new. Use Azure APIM resource group.
RegionGets selected automatically
Traceable EnvironmentEnvironment name for Traceable platform agent.
Traceable ServiceService name for ext_cap
Traceable Refresh TokenAdd the token from Traceable platform. Copy the token from Agent Token.
Admin Usernameusername for VM. The default value is azureuser.
SSH keyssh key to be used for accessing VM. Add your public key (contents of ~/.ssh/
Vm SizeVM instance type for Traceable agent
Vnet NameName of the VNet (Azure APIM's Vnet).
Subnet NameName of the subnet (Subnet in the above Vnet).
Tracing FormatPossible values are TRACECONTEXT and B3. When APIM is configured with API insight and w3c as trace context, then this value should be changed to B3. The default value is TRACECONTEXT.
Enable BlockingPossible values are true or false to enable or disable blocking. The default value is false.
Enabling of blocking is only applicable to synchronous policy, that is, when you use the policy.xml file. Furthermore, see Step 3.
Assign Public IPAssign public IP to Traceable agent VM. The default value is false.
APIM Gateway Public IP

If Azure APIM is not connected to a Vnet, then the Azure APIM will get only public IP address. Provide that IP address for APIM Gateway Public IP configuration. The template creates a security group. Allow port numbers 5442 and 5443 of Traceable agent VM to be accessible from this IP address.

In case of Vnet, this field can be kept empty and Traceable agent’s private IP address can be used in the policy.  By default, Azure’s NSG (network security group) allows access to all traffic from the same Vnet.

TLS Key Base64EncodedPrivate RSA key to be used by Traceable agent’s TLS server. Note that the key should be in OpenSSH PEM format.
TLS Cert Base64EncodedCertificate to be used by Traceable agent’s TLS server. Note that the key should be in OpenSSH PEM format.
Root Cert Base64EncodedRoot/CA cert. Make sure that the certificate file is a single file listing the root CA and all the intermediate CAs.
If you are using self-signed certificates for TLS, then add root CA and intermediate certificates to Azure APIM's certificate trust store. Complete the steps as shown in the screenshots below.

Click on Add and choose Intermediate from the drop-down list as shown below.

Step 2 – Create named variable in APIM portal

Complete the following steps to create a named variable in APIM portal:

  1. Open your APIM in Azure portal.
  2. Create a named variable traceable-endpoint with value as URL of Traceable agent's endpoint.
    1. For non-TLS connections, use the value: http://<ip>:5442
    2. For TLS connections, use the value: https://<ip>:5443
      Name and display name should be traceable-endpoint.

Step 3 – Add the Traceable policy

Download Traceable's Azure policy from the download site. Navigate to install > azure-apim > latest > policy.xml or policy_async.xml. You can add the policy at multiple levels:

  • For all the APIs at global level
  • For all the operations of an API
  • For a specific operation of an API
Blocking of a request is only applicable to a synchronous policy, that is, when you use the policy.xml file.

The step to apply the Traceable policy is a copy and paste operation into your existing setup. Complete the following steps:

  1. Open the downloaded policy in any editor.
  2. Add or edit the existing policy in APIM.
  3. Copy the content of policy between <inbound> and </inbound> and paste it in the inbound section of the existing policy.
  4. Copy the content of the policy between <outbound> and </outbound> and paste it in the outbound section of the existing policy. 
  5. Apply the policy.
While copy and pasting the policy for all the APIs, if an error in element “base” appears, then remove the <base /> element.

You can add Traceable's policy at different scopes. For more information, see Configure policies at different scopes in Microsoft's documentation.


Replace the current policy by downloading and copy-pasting the new policy (as described in Step 3 above) from Traceable's download site. 


To uninstall Traceable agent: 

  1. Manually delete all the resources that were created by the template. 
  2. Remove the Traceable section that was added in the policy.

Was this article helpful?