Intro
This article's intention is to explain the main skills measured in this sub-topic of the AZ-204 Certification. API Management, APIM authentication, and APIM policies are the main components that will have their fundamentals explained here alongside a practical example.
This certification is very extensive and this article approaches only the main topics, make sure you know those components in depth before taking the exam. Another great tip is doing exam simulators before the official exam in order to validate your knowledge.
What is the Certification AZ-204 - Developing Solutions for Microsoft Azure?
The AZ-204 - Developing Solutions for Microsoft Azure certification measures designing, building, testing, and maintaining skills of an application and/or service in the Microsoft Azure Cloud environment. It approaches, among others, those components,
- Azure Virtual Machines;
- Docker;
- Azure Containers;
- Service Web App;
- Azure Functions;
- Cosmos DB;
- Azure Storage;
- Azure AD;
- Azure Key Vault;
- Azure Managed Identities;
- Azure Redis Cache;
- Azure Logic App;
- Azure Event Grid;
- Azure Event Hub;
- Azure Notification Hub;
- Azure Service Bus;
- Azure Queue Storage.
Target Audience
Any IT professional willing to improve his knowledge in Microsoft Azure is encouraged to take this certification, it is a great way to measure your skills within trending technologies. But, some group of professionals is keener to take maximum advantage of it,
- Azure Developers, with at least 1 year of experience with Microsoft Azure;
- Experienced Software Developers, looking for an Architect position in a hybrid environment;
- Software Developers, working to move applications to the cloud environment.
Skills Measured
According to today's date, the skills that are measured in the exam are split as follows,
- Develop Azure compute solutions (25-30%)
- Implement Azure functions
- Develop for Azure storage (10-15%)
- Implement Azure security (15-20%)
- Monitor, troubleshoot, and optimize Azure solutions (10-15%)
- Connect to and consume Azure services and third-party services (25- 30%)
Benefits of Getting Certified
The main benefit here is having a worldwide recognized certification that proves that you have knowledge of this topic. Among intrinsic and extrinsic benefits, we have,
- Higher growth potential, as certifications are a big plus;
- Discounts and deals in Microsoft products and partners, like PluralSight and UpWork;
- MCP Newsletters, with trending technologies;
- Higher exposure on LinkedIn, as recruiters usually search for specific certifications;
- Higher salary, you will be more valuable to your company;
- Unique happiness when getting the result and you were approved, knowing that all your efforts were worth it;
Main skills Measured by this Topic
What is Azure API Management?
Azure API Management is a product that integrates existing back-end services into modern API gateways, it follows the API-first approach decoupling front-end and back-end teams with the help of API mocking. Azure API Management handles the full management of your APIs, it centralizes the securing, versioning, documentation, and compliance from your back-end services in a single point.
In order to a better understanding of API Management and the following practical examples, some key concepts have to be better explained as follows,
- API represents a set of operations;
- API Operation maps an API endpoint with the API backend;
- Product is formed by a single or a group of APIs and it is how your APIs are presented to developers. Can be public or private;
- Backend represents back-end services in your API;
- Group, used to manage the visibility of products to developers:
- Administrators have full access to the API Management;
- Developers, users with access to the developers portal with permissions to build applications;
- Guests, users without access to the developers portal but with reading permissions in some services.
- Developer, belongs to one or more group in a Product, and each developer has a primary and secondary key to call the product's APIs;
- Policies, configurations, and validations that are applied on-the-fly in the incoming requests and outcome responses;
- Named Values, key-value pairs used with policies. Values can be a result of an expression;
- Gateway, where your API calls are received and policies are applied to incoming requests;
- Developer Portal, where developers can access all APIs and products listed by your APIM alongside its API's operations and documentations. Developers can also request access to your APIs from the developers portal.
APIM Authentication
Azure API Management offers a basic authentication as the built-in authentication method to your APIs where the developer has to register with email and password in order to have access to an API key, then this key is used in the requests in order to authenticate the requestors. Besides the default basic authentication, you can also configure many other types of authentications as Azure AD Authentication, Google, Microsoft, and Facebook authentications, and Azure AD B2C authentication.
Azure API Management also gives you the opportunity to use your own authentication process flow in order to authenticate users, it is called delegated authentication and offers you the possibility to use your own sign-in/sign-up and production-subscription flows.
APIM Policies
API Management policies is a powerful tool to update request and response configurations on-the-fly, with APIM policies you are able to update basically any part of the request and response messages like headers, body, URLs, etc. Those API Management Policies can be applied in 4 different situations, as follows,
- Inbound Policies applied policies for incoming requests;
- Backend Policies apply policies to requests before they hit your backend;
- Outbound Policies apply policies to responses before sending the response to the client;
- Error Policies, applied when an error happens on the request. At the time an error happens no other policies are applied anymore, only the error policies but if other policies were applied before the error they will not be removed.
With API Management policies you can configure incoming request to change the behavior of your APIs through a wide range of possibilities, which could be applied in one or more of the listed situations above, as follows,
- Access Restriction Policies, like limiting call rates and bandwidth quotas or filtering incoming IPs;
- Advanced Policies, like logging, setting variables, proxy, HTTP method, status code and etc..;
- Authentication Policies, used for basic, managed identity and client certificate authentications against the backend;
- Caching Policies used to get, set, or remove items from the cache;
- Cross-Domain Policies used to manage CORS;
- Transformation Policies transforming incoming and outcoming URL, body, header, query-string, etc..;
- Dapr Integration Policies used to communicate with Dapr runtime.
Practical Samples
Create an API Management Instance
Observation: API Management instances takes around 30 minutes to be activated.
Using Azure CLI
Setting variables
- $resourceGroup ="APIM-RG"
- $location ="westeurope"
- $APIMName ="sampleAPIMClI"
- $publisherName="Thiago"
- $publisherMail ="thiago.vivas@***.com"
Creating the APIM
- az apim create --name $APIMName --resource-group $resourceGroup --publisher-name $publisherName --publisher-email $publisherMail --no-wait
Result
Using Powershell
Setting variables
- $resourceGroup ="APIM-RG"
- $location ="westeurope"
- $APIMName ="sampleAPIMPowershell"
- $publisherName="Thiago"
- $publisherMail ="thiago.vivas@***.com"
Creating the APIM
- New-AzApiManagement -Name $APIMName -ResourceGroupName $resourceGroup -Organization $publisherName -AdminEmail $publisherMail -Location $location
Result
Developers Portal
Creating a Product
Every API Management instance comes with two products as default but you can create custom products. From your API Management, go to products under APIs and add a new product.
Input your new product data and create it
Creating an API
By Default, every API Management instance comes with an Echo API. To create a new API go to APIs under APIs and click on Add API.
Here I selected the blank template.
Testing the Echo API
In order to test the API, you need to sign up and subscribe to a product in order to have the keys to authenticate against the APIs.
Here I am using Postman in order to test the Get, passing the key into the headers. We can see a 200 success status code.
Creating a Backend
Pre-Requisites
- Web-Api Published on Azure App Services. Here we will be using this Web-API named hosted at https://webapiwithswagger.azurewebsites.net;
From your API Management, go to Backends under APIs and add a new Backend.
API Management Authentication
API Management Authentication here is handled by identity providers and Azure has as default a Username and password identity provider. It handles the creation of users, sending email to validate an existent account before providing access to users. From your API Management go to Identities under Developer Portal.
In order to authenticate with our APIs, we configure those settings under the subscription section. If the subscription required is checked it means that only users with a valid access key can use it, if not checked then it is allowed anonymous requests. Here we also configure where the API is going to receive the access keys, being able to be sent as header or query string.
API Management Policies
Using an outbound policy to cache the response in a Get operation inside the Echo API.
Result
External References