
Managing a Distributed API Estate Efficiently with Azure API Management and Self-Hosted Gateways


Azure API Management (APIM) is a cloud-based service that enables you to create, publish and manage your APIs behind a secure, consistent façade. You can create and manage policies that control access to your APIs, enforce usage quotas, and transform requests and responses.


Azure APIM gateways are the proxy for handling API requests. Self-hosted gateways (SHGW) are a capability of Azure APIM which allow you to deploy an instance of the API gateway component of APIM outside of Azure, such as on-premises or on a different cloud platform. Self-hosted gateways are unique to Azure APIM.


API Center is an Azure service that provides a central point of discovery, reuse and governance for APIs in Azure, on-premises, or in other clouds. New features coming include API synchronisation from APIM and Git repositories, and API compliance monitoring.


Introduction

Increasing demand for system integration and interoperability is a universal requirement that has driven a huge growth in API development and has led to a proliferation of APIs. APIs enable different systems to easily speak to one another and have become the building blocks of product ecosystems, monetising data assets and driving greater service agility and innovation. There is also a move to migrate legacy APIs into the cloud to reduce cost and provide additional resiliency to priority workloads.


Challenges

However, this increase in API dependency has come with its own challenges. APIs built across teams and over time lack consistency, are implemented in different technologies, and are deployed on a multitude of different hosting platforms, from on-premises to cloud. This makes the job of managing an API estate efficiently extremely difficult. The lack of a single management view increases the effort required to operate and protect your API inventory, and prevents effective discovery, leading to low rates of reuse and driving duplication.


I was recently working with a customer that was looking to simplify management of their API estate. They had a large number of mission critical APIs scattered across cloud and on-premises. They didn’t know where they all lived, how many duplicates existed, and really needed to consolidate, standardise, and have a view of all their APIs via a single pane of glass.


Requirements

The high-level requirements for the customer to address their challenges included:

  • Support for distributed APIs with minimal latency overhead.
  • A secure façade for APIs, which hides the underlying API differences from the end user.
  • And importantly, a single management plane for the entire estate.


Solution

Azure APIM with SHGW provides a solution which meets all of these requirements. The following diagram is based on the Azure APIM landing zone accelerator, but adds SHGW elements.


Figure: APIM + SHGW HL Architecture


  1. Azure APIM instance, comprising Developer Portal (a fully configurable website that provides a central location for API discovery, experimentation, testing, and reuse), Gateway, and Management Plane (an interface for managing your APIM instance, including how your APIs are exposed, protected, and versioned). The APIM is configured in Internal Mode to prevent the instance from being directly publicly accessible. The instance is only accessible via the configured App Gateway, or via a peered network.
  2. SHGW container* deployed on a third-party cloud platform (e.g. AWS, GCP).
  3. SHGW container* deployed on on-premises resources.
  4. Management connectivity between the SHGW and the APIM management plane, allowing transmission of the SHGW heartbeat, configuration updates, and log shipment. The connection is outbound from the SHGW on port 443.
  5. ExpressRoute dedicated on-premises to Azure connection (optional).
  6. Network peering between APIM subnet and on-premises network, allowing direct connectivity between the APIM instance and on-premises services, including the SHGW.
  7. Public point of ingress for all APIM services.
  8. API consumer, accessing Azure, on-premises, and third-party cloud APIs via the Azure gateway and the SHGWs. For access to non-Azure APIs, traffic goes directly to the closest gateway, not via Azure.


*The SHGW is provided as a downloadable Linux container image which can be configured and hosted on your own [high availability] infrastructure. By hosting the gateway near to your APIs, users of the APIs go directly to them (via the SHGW instance) without the need to pass through Azure. This reduces latency and supports data sovereignty, while the gateway is still centrally managed via the management plane of the Azure-hosted APIM instance. The SHGW is only supported on the APIM Premium and Developer tiers.


For enterprise API inventory and discovery, see API Center (not covered here), which is Generally Available.


Things to consider when designing your SHGW implementation

  • Connectivity between the SHGW and Azure. Outbound connectivity is required from the SHGW to APIM and to certain Azure services, such as Azure Storage and Application Insights, in order to pull configuration changes and to ship logs, heartbeats, and other operational data. Will you go via the internet, or remain on a private network? Private networking between an on-premises SHGW and Azure can be achieved via network peering and a dedicated circuit such as ExpressRoute. It is also possible to peer a third-party cloud platform with Azure via a dedicated connection from the third party to on-premises and back up to Azure.
  • Authentication. To authenticate with APIM, the SHGW presents an authentication key which by default is stored in the SHGW container. However, this is a poor solution: it risks exposing the key and increases administration effort, because the key needs to be rotated every 30 days, and if the rotation is forgotten the SHGW loses its connectivity. A better solution is to use Entra ID authentication; see https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-enable-azure-ad.
  • Scalability. If you use the SHGW, you are responsible for scaling the gateway; consider using the Kubernetes Horizontal Pod Autoscaler to scale it out.
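The authentication and scalability points above can be expressed as one Kubernetes manifest set. The following is an added example, not configuration from the original post or from Microsoft: a Deployment of the self-hosted gateway container that authenticates to the APIM configuration endpoint with an Entra ID app registration (so no 30-day gateway key is baked into the container), with the client secret held in a Kubernetes Secret rather than in the image, and a Horizontal Pod Autoscaler for scale-out. The `config.service.*` setting names are the ones documented in Microsoft's self-hosted gateway configuration reference as I know them; verify them against the current reference for the gateway version you run. The namespace, resource names, tenant ID, client ID, APIM instance name and replica counts are placeholders.

```yaml
# Added example (not from the original post): self-hosted gateway on
# Kubernetes using Entra ID app authentication plus an HPA.
# Placeholders: <apim-name>, <tenant-id>, <client-id>, <client-secret>.
# Setting keys follow Microsoft's SHGW configuration reference; verify
# against the current version before use.
---
apiVersion: v1
kind: Secret
metadata:
  name: apim-shgw-entra
  namespace: apim-gateway
type: Opaque
stringData:
  # Client secret of the app registration that holds the
  # "API Management Gateway Configuration Reader" role on the APIM instance.
  # Placeholder value; inject it from your secret store in practice.
  client-secret: "<client-secret>"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: apim-shgw-config
  namespace: apim-gateway
data:
  # Configuration endpoint of the APIM instance. The gateway connects
  # outbound over TCP 443; no inbound rule from Azure is required.
  config.service.endpoint: "https://<apim-name>.configuration.azure-api.net"
  # Authenticate with an Entra ID app instead of a static gateway token.
  config.service.auth: "azureAdApp"
  config.service.auth.azureAd.authority: "https://login.microsoftonline.com"
  config.service.auth.azureAd.tenantId: "<tenant-id>"
  config.service.auth.azureAd.clientId: "<client-id>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apim-shgw
  namespace: apim-gateway
  labels:
    app: apim-shgw
spec:
  replicas: 2
  selector:
    matchLabels:
      app: apim-shgw
  template:
    metadata:
      labels:
        app: apim-shgw
    spec:
      containers:
        - name: gateway
          image: mcr.microsoft.com/azure-api-management/gateway:v2
          ports:
            - name: http
              containerPort: 8080
            - name: https
              containerPort: 8081
          # Non-secret settings come from the ConfigMap; the env var names
          # must match the setting keys exactly (dots included).
          envFrom:
            - configMapRef:
                name: apim-shgw-config
          # The client secret is the only value sourced from the Secret.
          env:
            - name: config.service.auth.azureAd.clientSecret
              valueFrom:
                secretKeyRef:
                  name: apim-shgw-entra
                  key: client-secret
          # CPU requests are required for the utilisation-based HPA below.
          resources:
            requests:
              cpu: "500m"
              memory: "512Mi"
            limits:
              cpu: "1"
              memory: "1Gi"
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: apim-shgw
  namespace: apim-gateway
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: apim-shgw
  minReplicas: 2   # keep two gateways for availability even when idle
  maxReplicas: 8   # placeholder ceiling; size to your API traffic
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
```

Apply with `kubectl apply -f` against the target cluster, on-premises or in a third-party cloud. Two things are worth checking after deployment: the gateway should appear as connected in the APIM instance's gateway view (its heartbeat travels over the same outbound 443 connection described in the architecture list), and the HPA should report a current CPU metric, which confirms the metrics server can see the pod's requests. Rotating the app registration's client secret is then a Secret update and a rollout rather than a gateway-token regeneration, and an egress firewall or NetworkPolicy only needs to allow outbound TCP 443 to APIM and the Azure services named above, plus whatever your backend APIs require.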


Conclusion

Azure APIM and SHGWs provide a complete solution for managing a distributed, diverse API estate efficiently. SHGWs offer flexibility, control, and customisation options for organisations managing APIs, particularly those with specific performance, compliance, or integration requirements.
