Cloud Integration – Note to self

Calling API Management from Azure Function using Managed Identities

One of the solutions I am consulting on today is securing a number of APIs with OAuth with client credential flow, using Azure Active Directory as the identity provider. Those APIs are exposed via Azure API Management, which makes the validation of the access tokens provided as simple as injecting a policy at a product, API or operation level.

While this all works nicely, there is one item in this process which is a painpoint from an operations point of view: as they use client certificates to request access tokens, the certificate management is becoming a bit of a chore with the number of APIs and clients that access those APIs increasing.

A lot of those clients are either Azure Functions or Azure Logic Apps, which today provide the ability to using a managed identity to easy the burden of maintaining credentials.

So it was only logical to think about how would we be able to use the managed identities configured in both Azure Functions and Logic Apps to generate a token that can be validated by API Management. Turns out that this is quite possible, but needs a bit of preparation…

Countdown to Global Integration Bootcamp 2021

Last January, I wrote about this year edition of Global Integration Bootcamp. As you might remember, this year we locked it on 26-27 February (UTC Time) running two different event streams starting at times that can be suitable for the three main time zone areas- APAC, EMEA and Americas.

Lineup

We’ve received an awesome number of sessions and in the end, the event will count with 21 sessions and 19 speakers from APAC, EMEA and Americas, including Microsoft Cloud Advocates, Azure MVPs, Community Leaders and Industry Experts – covering a long list of topics in the from cloud and data integration to hybrid integration and API design/development. Here is this year’s lineup:

Global Integration Bootcamp 2021 goes Virtual!!!

Hey there! Happy New Year!!!

Many of you were asking about if we would be doing another Global Integration Bootcamp this year. I know that there is been a while since we provided any news about it, but the team was trying to come up with a formula that would work for our goal of a 24 hour around the globe marathon of Microsoft Integration goodness! We knew that we wanted:

Stream it in a way that you could just tune in and watch whenever you were, instead of having to join a specific application.
Run through as many timezones as possible.
Open up for the community to bring their content either live or pre-recorded.

After much discussion (read HEAPS of Whats App messages going back and forth, tests on multiple streaming platforms, and trying to find a time that didn’t clash with other events), we locked it on 26-27 February (UTC Time) running three different event streams starting at times that are more suitable for the three main time zone areas- APAC, EMEA and Americas.

But for that to fly we need sessions and people ready to present right? So the Call for Papers process is now open. We are catering for both lightning talks (15 minutes) and breakout sessions (30-45 minutes) and any level (from introductory to advanced), so if you are interested in Microsoft Cloud and Hybrid Integration and would like to present in one of those time zones, please submit a session -or 3. The link for the CFP page is:

https://sessionize.com/gib-2021-virtual/

Submissions end on 5 February, so get your thinking caps on, or dust off that classic session you would like to revisit and send it our way!

Also, make sure you keep an eye on the event website (https://integrationbootcamp.com/ ) as we will be adding more information about the format and the links for the streaming pages, closer to the event.

In Summary

Global Integration Bootcamp is back on 26-27 February 2021
The event will cover most of the globe catering for time zones in APAC, EMEA and Americas
CFP is now open at https://sessionize.com/gib-2021-virtual/.
CFP closes on 5^th February.
Make sure you keep an eye on https://integrationbootcamp.com/ for more info.

Azure Functions with a Static Outbound IP Address

“So to complete our configuration we just need your outbound static IP…” This is something that pops up again and again, specially if you work integrating legacy systems, like banks, government agencies or other older systems that requires a static IP Address to add to firewall inbound rules.

In the past I had to use on of the subscription tiers from Azure API Management or in some cases deploy the code within a self hosted service in a Virtual Machine. And both of them are valid options if you already have one of those components in place. But in a couple of my last projects, Not only I needed to implement a new component (in this case API Management) just to fulfil this requirement. I also had to change my design a bit, because API Management didn’t support one of the streaming requirements I had (but that is a story for another post).

But I wouldn’t be writing a post just to complain about this (not that this has never happened before) – I actually found another solution – one that I’ve tried and discarded earlier this year, but thanks to some good work from the App Services Engineering team, is finally a viable solution: Azure Functions + VNET Integration + NAT Gateways!

Recapping Integrate 2020

Last week I’ve attended the Integrate conference once again. It was my 5th time attending the conference, and the 4th time I’ve participate as a speaker.

But Integrate 2020 was quite a different experience from the last years. Dubbed Integrate 2020 Remote, to reflect the fact that was yet another event that had to adapt to the pandemic reality that assaulted the planet since the end of last year. Kovai, the company formerly know as BizTalk 360, and the event organizer since its inception in 2012, took some time to decide that the event would go ahead, but when decided that it would be in a new format, didn’t pull any stops to get it running. With almost 1000 online attendees – which is impressive for a paid event, Integrate 2020 had 28 speakers, between Microsoft Program Managers and Microsoft MVPs and as many technical sessions distributed across three days.

MS Build Recap – The AIS Edition

This year’s MS Build was very different – we all know that. But for most of us, me included, was the first opportunity to join the event officially. And what event it was.

Ran across three time zone, with a mix of live sessions, Teams Live events and smaller Teams events, like focus groups, which allowed the attendees to really interact with the product groups and advocates from Microsoft.

This year there were some interesting announcements around the Azure Integration Services technologies. I’ve recently shared those announcements on a Auckland Azure User Group meetup, and thought that, since I already had everything collated, it would be a good idea to just share this with you on the blog as well. So, let’s talk about what is now available, or just \around the corner for AIS

API Management – Restrict Operation Access per Product

Last week I had an interesting request from a client. They have been creating generic APIs, using a variety of different backend systems (on-prem APIs, Azure Functions, Logic Apps, cloud APIs). Those APIs were grouped by product but even within a product they would like to restrict access to only some operations, so product A would have access to a group of operations, while product B would have access to different group. Initially I thought that role based access driven by claims, but the issue was that we didn’t have control of the identity providers, or the back end services. In the end we would have to find a solution within API Management to create this ACL like style.

Initally I didn’t like the idea to create our own access controls in APIM, but faced with the other constraints, I slowly warmed up to the idea and learned a couple of things about policies along the way.

API Management – Arc Enabled

API Management what enabled? If you haven’t keeping up with the news from MS Ignite 2019, the title might be a bit confusing. Arc (not A.R.C as I read it initially) is a new Service in Azure that allow customer to deploy and manage Azure Services anywhere – and anywhere in this case means any cloud, on-premises infrastructure and at the edge. You can find more about that service here.

During MS Ignite, the API Management team launched the public preview of a new feature, that takes advantage of the Arc technology to deploy API Management gateways anywhere. So let’s take a look of what that looks like.

API call with client certificate policy failing to execute due to message size on Azure API Management

Well, that is a mouthful of a title, but I wanted to capture the exact issue, because I couldn’t find any page to help with this specific error and managed to get it fixed thanks to Vladimir Vinogradsky pointing me out to a tip in one of the APIM docs.

So my scenario was this: my team was working on an API that is protected with a client certificate policy – quite simple, very straightforward. At the API level it had the following policy:

Automating API Management CI/CD with APIM DevOps Resource Kit

Hey everyone! It’s been a while right? The only thing I have to say in my defense is that the last 5 months have been crazy with travel, presentations and lots of work, so I couldn’t get myself to create a good blog post. But enough of excuses already… Remember the “lots of work” part? That involved working with different clients, and a common theme among many of those clients was the implementation of a centralized API layer, tho expose the back services they were creating. That meant that I had to find a good way to automate the publishing of the APIs created in API Management across the different environments. Previously, I’ve relied on the fantastic work that Mattias Logdberg did with the API Management ARM Template Creator (which is also worth a look). But now that Microsoft had some official guidance for that extraction, I decided to have a go with it.