mgmt-monitoring.md

File metadata and controls

42 lines (41 loc) · 3.35 KB

Management and Monitoring

Design Considerations

  • Be aware of maximum throughput limits of each APIM SKU
  • Be aware of the maximum number of scale-out units per APIM SKU
  • Be aware that the maximum throughputs are approximate and not guarantees.
  • Be aware of the time required to scale out, deploy into another region, or convert between deployment types.
  • APIM does not scale out automatically; additional configuration is required.
  • There is no downtime during a scale-out event
  • Only the gateway component of API Management is deployed to all regions in a multi-region deployment.
  • Be aware of the possible performance impact of AppInsights logging at high loads.
  • Be aware of the number of inbound and outbound policies applied and their impact on performance.
  • Policies are code and should be under version control
  • APIM's built-in cache is shared by all units in the same region in the same API Management service.
  • Utilize Availability Zones; the number of units selected must distribute evenly across the zones.
  • Self-hosted gateway's credentials expire every 30 days and must be rotated.
  • The URI /status-0123456789abcdef can be used as a common health endpoint for the APIM service.
  • The APIM service is not a WAF. Deploy Azure Application Gateway in front of it to add additional layers of protection.
  • Client certificate negotiation is a per-gateway configuration.
  • Certificates updated in the key vault are automatically rotated in API Management and are updated within 4 hours.
  • A secret in Key Vault is updated in API Management within 4 hours after being set. You can also manually refresh the secret using the Azure portal or via the management REST API.
  • Custom Domains can be applied to all endpoints or just a subset. The Premium tier supports setting multiple host names for the Gateway endpoint.
  • APIM can be backed up using its Management REST API. Backups expire after 30 days. Be aware of what APIM does not back up.
  • Named-Keys are global in scope.
  • API Operations can be grouped into Products and Subscriptions. The design will be based on actual business requirements.

Design Recommendations

  • Apply custom domains to the Gateway endpoint only
  • Use the Event Hub logging policy for logging under high load.
  • Utilize an external cache for more control and the best performance.
  • Deploy at least two scale units spread over two Availability Zones per region for the best availability and performance.
  • Utilize Azure Monitor to autoscale APIM. If using a self-hosted gateway, use the Kubernetes Horizontal Pod Autoscaler to scale out the gateway.
  • Deploy self-hosted gateways where Azure does not have a region close to the back-end API.
  • Utilize Key Vault for Certificate storage, notification, and rotation
  • Do not enable 3DES, TLS 1.1, or lower encryption protocols unless absolutely required.
  • Utilize DevOps and Infrastructure-As-Code practices to handle all deployments, updates, and DR.
  • Create an API revision and Change Log entry for every API update.
  • Utilize Backends to eliminate redundant API backend configurations.
  • Utilize Named-Values to store common values that can be used in policies.
  • Utilize Key Vault to store secrets that Named-Values can reference.
  • Secrets updated in the key vault are automatically rotated in API Management.
  • Develop a communication strategy to notify users of breaking API version updates.
  • Set diagnostic settings to forward AllMetrics and AllLogs to a Log Analytics workspace.
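As an added example that is not part of this repository, the following Bicep fragment puts several of the recommendations above into infrastructure-as-code: two Premium units spread across two Availability Zones, TLS 1.0/1.1 and 3DES disabled on the gateway, and a diagnostic setting forwarding AllLogs and AllMetrics to a Log Analytics workspace. The resource names, the workspace id parameter, and the publisher values are assumed placeholders.

```bicep
// Added example, not part of this page's source. Names and parameter defaults are placeholders.
param location string = resourceGroup().location
param apimName string = 'apim-example'                  // placeholder service name
param logAnalyticsWorkspaceId string                    // resource id of an existing workspace (placeholder)
param publisherEmail string = 'apim-admin@example.com'  // placeholder
param publisherName string = 'Example Org'              // placeholder

resource apim 'Microsoft.ApiManagement/service@2022-08-01' = {
  name: apimName
  location: location
  sku: {
    name: 'Premium'   // Premium is required for Availability Zones and multi-region deployment
    capacity: 2       // at least two units, distributed evenly across the zones below
  }
  zones: ['1', '2']
  properties: {
    publisherEmail: publisherEmail
    publisherName: publisherName
    // Disable weak protocols and ciphers on the client-facing gateway and for back-end calls
    customProperties: {
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'false'
    }
  }
}

// Forward all logs and metrics to Log Analytics (last Design Recommendation above)
resource apimDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'apim-to-log-analytics'
  scope: apim
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      {
        categoryGroup: 'allLogs'
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}
```

After deployment, the gateway's health can be checked at the /status-0123456789abcdef endpoint noted in the considerations above.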