Azure APIM
- 13 Apr 2023
- 4 Minutes to read
- PDF
Azure APIM
- Updated on 13 Apr 2023
- 4 Minutes to read
- PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
APIM is Azure's API management platform. Azure APIM supports private, public, and hybrid integrations. Azure APIM supports the following four tiers:
- Developer
- Basic
- Standard
- Premium
The Azure APIM policy is written in XML and C#. The policy provides hooks to capture and perform transformations on the request and responses. A policy consists of an inbound and an outbound section. Traceable's policy is added in both inbound and outbound sections to capture request and response. The policy captures the data, creates a JSON payload and sends it to ext_cap request and response endpoint. The Traceable policy waits for a response from ext_cap before it forwards the request to the backend.
Traceable supports both synchronous and asynchronous request and response capture depending on the Traceable policy you download from Traceable's download site. When you use the synchronous policy, the request blocking is immediate, however, with the asynchronous policy the request is not blocked.
The following diagram shows a high-level deployment of Traceable in Azure APIM setup:
Before you begin
- Make sure that Azure APIM is deployed in either a Developer or Premium tier with a vNet configuration.
- Decide whether you want to deploy Traceable's sync or asynchronous policy.
Deployment
The deployment of Traceable policy consists of the following steps:
- Launch Traceable agent VM using ARM templates.
- Create a named variable in APIM portal which has a newly created VMs private IP.
- Apply Traceable policy. You can apply the policy at the global level for all the APIs, at individual level, or for a specific operation for an API.
Step 1 – Launch and configure Traceable agent using ARM template
Click on the launch link to start the configuration process. ARM template portal is displayed. .png)
Click on the Next: Review + create> button after you have configured the values in the template.
The following table describes the options.
| Option | Description |
|---|---|
| Resource Group | Select Resource group from the dropdown list. Do not create new. Use Azure APIM resource group. |
| Region | Gets selected automatically |
| Traceable Environment | Environment name for Traceable platform agent. |
| Traceable Service | Service name for ext_cap |
| Traceable Refresh Token | Add the token from Traceable platform. Copy the token from Agent Token. |
| Admin Username | username for VM. The default value is azureuser. |
| SSH key | ssh key to be used for accessing VM. Add your public key (contents of ~/.ssh/id_rsa.pub) |
| Vm Size | VM instance type for Traceable agent |
| Vnet Name | Name of the VNet (Azure APIM's Vnet). |
| Subnet Name | Name of the subnet (Subnet in the above Vnet). |
| Tracing Format | Possible values are TRACECONTEXT and B3. When APIM is configured with API insight and w3c as trace context, then this value should be changed to B3. The default value is TRACECONTEXT. |
| Enable Blocking | Possible values are true or false to enable or disable blocking. The default value is false.Note Enabling of blocking is only applicable to synchronous policy, that is, when you use the policy.xml file. Furthermore, see Step 3. |
| Assign Public IP | Assign public IP to Traceable agent VM. The default value is false. |
| APIM Gateway Public IP | If Azure APIM is not connected to a Vnet, then the Azure APIM will get only public IP address. Provide that IP address for APIM Gateway Public IP configuration. The template creates a security group. Allow port numbers 5442 and 5443 of Traceable agent VM to be accessible from this IP address. In case of Vnet, this field can be kept empty and Traceable agent’s private IP address can be used in the policy. By default, Azure’s NSG (network security group) allows access to all traffic from the same Vnet. |
| TLS Key Base64Encoded | Private RSA key to be used by Traceable agent’s TLS server. Note that the key should be in OpenSSH PEM format. |
| TLS Cert Base64Encoded | Certificate to be used by Traceable agent’s TLS server. Note that the key should be in OpenSSH PEM format. |
| Root Cert Base64Encoded | Root/CA cert. Make sure that the certificate file is a single file listing the root CA and all the intermediate CAs. |
If you are using self-signed certificates for TLS, then add root CA and intermediate certificates to Azure APIM's certificate trust store. Complete the steps as shown in the screenshots below.
Click on Add and choose Intermediate from the drop-down list as shown below.
Step 2 – Create named variable in APIM portal
Complete the following steps to create a named variable in APIM portal:
- Open your APIM in Azure portal.
- Create a named variable
traceable-endpointwith value as URL of Traceable agent's endpoint.- For non-TLS connections, use the value:
http://<ip>:5442 - For TLS connections, use the value:
https://<ip>:5443Note
Name and display name should be traceable-endpoint.
- For non-TLS connections, use the value:
Step 3 – Add the Traceable policy
Download Traceable's Azure policy from the download site. Navigate to install > azure-apim > latest > policy.xml or policy_async.xml. You can add the policy at multiple levels:
- For all the APIs at global level
- For all the operations of an API
- For a specific operation of an API
Note
Blocking of a request is only applicable to a synchronous policy, that is, when you use the policy.xml file.
The step to apply the Traceable policy is a copy and paste operation into your existing setup. Complete the following steps:
- Open the downloaded policy in any editor.
- Add or edit the existing policy in APIM.
- Copy the content of policy between
<inbound>and</inbound>and paste it in theinboundsection of the existing policy. - Copy the content of the policy between
<outbound>and</outbound>and paste it in theoutboundsection of the existing policy..png)
- Apply the policy.
.png)
While copy and pasting the policy for all the APIs, if an error in element “base” appears, then remove the
<base /> element.You can add Traceable's policy at different scopes. For more information, see Configure policies at different scopes in Microsoft's documentation.
Upgrade
Replace the current policy by downloading and copy-pasting the new policy (as described in Step 3 above) from Traceable's download site.
Uninstall
To uninstall Traceable agent:
- Manually delete all the resources that were created by the template.
- Remove the Traceable section that was added in the policy.
Was this article helpful?
