Azure API Management overview and Amazon API gateway comparison

Author: Alberto Gardini

In my previous article I analyzed the benefits of the API Gateway pattern and focused on Amazon API Gateway; in this post I’ll take a quick tour of Microsoft Azure API Management and summarize the basic differences from API Gateway.

The API Management service can be easily provisioned in the Azure portal:

Figure 1: Create an API Management service

Once the API Management service is created (it takes a few minutes), you should see “Publisher Portal” and “Developer Portal” enabled on the Overview page. As the diagram below shows, API Management can be broken down into three main components:

Figure 2: API Management overview

 

Publisher Portal

In the publisher portal, administrators/owners of the service can create or import APIs (through a WADL document, Swagger or WSDL), edit them, configure how the APIs should behave and control who has access to call them.

Figure 3: Publisher Portal

A quick description of the tabs in the left menu:

  • APIs: in this section you create and configure the APIs (url, credentials, list of operations supported and caching).
  • Products: a product (configured with a title, description, and terms of use) defines a set of APIs that are exposed to developers for consumption. Products can be Open or Protected: an Open product is publicly available, while a Protected product requires a subscription once published.
  • Policies: policies are a collection of pre-built statements that are executed sequentially on the request or response of an API and allow the publisher to change the behavior of the API through configuration. A policy can be applied at different scopes (Product, API or Operation) and popular policies include format conversion from XML to JSON, the number of call requests allowed within a period, CORS etc.
  • Analytics: you can view the analytics for the usage (number of calls, bandwidth), health (different views per status code, response time) and activity (different views per Developer, API, Products) of your APIs.
  • Users: add, remove or block users.
  • Groups: allows you to organize the visibility and access to the APIs within a product on the developer portal. By default, a product has three standard groups that cannot be deleted: Administrators, Developers and Guests. It’s possible to create new groups including the use of groups within an Azure Active Directory tenant.
  • Notifications: manage the notifications for specific events (subscription request, approaching subscription quota limit, new issue or comment, etc.) and configure the email templates that are used to communicate with the administrators and developers of an API management instance.
  • Security: if enabled, developers can create an account and log in to the developer portal by using a third-party identity provider (Twitter, Facebook, etc.).
  • Developer Portal section: in this section you manage the look and feel and applications published on the developer portal.

 

Developer Portal

Once the admin publishes the APIs, they become accessible to outside developers through the Developer Portal. The developer portal is where developers can learn about your APIs, view and call operations, and subscribe to products.

Figure 4: Developer Portal

The developer portal helps developers get up to speed with your APIs: it provides documentation, automatically generated samples in many languages (JavaScript, C#, PHP, Python, Ruby, Curl, Java and Objective-C) and an interactive console where developers can test the behavior of the API directly in the browser.

 

API proxy

The engine of API Management is where API execution happens and where the policies defined in the publisher portal by admins are applied to inbound, back-end and outbound traffic. When the proxy receives a request, it can re-map the URL and forward it on to your back-end API, as well as add caching and transform the result if you desire. The back-end API can be hosted in Azure or on-premises and developed using any technology that exposes HTTP APIs.
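
As an added illustration (not taken from the original article or from Microsoft's samples), here is the kind of policy document the proxy evaluates, combining policy types the article names: CORS, IP restriction, JWT validation, a rate limit keyed by a C# expression, and header rewriting. The hostnames, the audience and the address range are placeholder assumptions.

```xml
<!-- Added example. Hostnames, audience and address range are placeholders. -->
<policies>
    <inbound>
        <base />
        <!-- CORS first, so browser preflight (OPTIONS) requests, which carry no
             token, are answered before authentication runs. -->
        <cors>
            <allowed-origins>
                <origin>https://portal.example.com</origin>
            </allowed-origins>
            <allowed-methods>
                <method>GET</method>
                <method>POST</method>
            </allowed-methods>
            <allowed-headers>
                <header>Authorization</header>
                <header>Content-Type</header>
            </allowed-headers>
        </cors>
        <!-- Restrict IPs: only callers in this range are accepted. -->
        <ip-filter action="allow">
            <address-range from="203.0.113.0" to="203.0.113.255" />
        </ip-filter>
        <!-- JWT validation: return 401 unless the bearer token verifies against
             the issuer's published keys and names this API as audience. -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized">
            <openid-config url="https://login.example.com/.well-known/openid-configuration" />
            <audiences>
                <audience>api://orders.example.com</audience>
            </audiences>
        </validate-jwt>
        <!-- Rate limit keyed by a C# expression: 100 calls per 60 s per client IP. -->
        <rate-limit-by-key calls="100" renewal-period="60"
                           counter-key="@(context.Request.IpAddress)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Set headers: drop headers that disclose the back-end technology. -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
    </outbound>
</policies>
```

Each `<base />` element marks the point where policies inherited from the enclosing scope run, so a policy at API scope like this one still applies whatever is defined at Product scope.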

 

Comparison of Amazon API Gateway and Azure API Management

The following table summarizes the basic differences between API Gateway and API Management.

 

Azure API Management

Amazon API Gateway

Price (*)

Azure API Management: The cheapest plan (three tiers are offered: Developer, Standard, and Premium) is the Developer plan, which costs about $50 a month. No free edition is available.

Amazon API Gateway: $3.50 per million API calls received, plus the cost of data transfer out, in gigabytes:

·        $0.09/GB for the first 10 TB

·        $0.085/GB for the next 40 TB

·        $0.07/GB for the next 100 TB

·        $0.05/GB for the next 350 TB

The free tier includes one million API calls per month for up to 12 months.

Caching (*)

Azure API Management: Depends on the plan:

·        Developer: 10 MB

·        Standard: 1 GB

·        Premium: 5 GB

Amazon API Gateway: Caching is charged by the hour and is not eligible for the AWS free tier. Price per hour by cache size (GB):

·        0.5 GB: $0.020

·        1.6 GB: $0.038

·        6.1 GB: $0.200

·        13.5 GB: $0.250

·        28.4 GB: $0.500

·        58.2 GB: $1.000

·        118.0 GB: $1.900

·        237.0 GB: $3.800

Monitoring

Azure API Management: Integrated with Azure Monitor, where you can see the number of calls, errors, bandwidth and response times and take actions on the metrics and logs coming from API Management. The available metrics are:

·        Total Gateway Requests: the number of API requests.

·        Successful Gateway Requests: the number of API requests that received successful HTTP response codes including 304, 307 and anything smaller than 301 (for example, 200).

·        Failed Gateway Requests: the number of API requests that received erroneous HTTP response codes including 400 and anything larger than 500.

·        Unauthorized Gateway Requests: the number of API requests that received HTTP response codes including 401, 403, and 429.

·        Other Gateway Requests: the number of API requests that received HTTP response codes that do not belong to any of the preceding categories (for example, 418).

Amazon API Gateway: You can monitor API execution using CloudWatch, which collects and processes data from API Gateway into readable, near real-time statistics. The available metrics are:

·        Count: the number of calls to API methods.

·        4XXError: the number of client-side errors captured.

·        5XXError: the number of server-side errors captured.

·        CacheHitCount: the number of requests served from the API cache.

·        CacheMissCount: the number of requests served from the back end when API caching is enabled.

·        IntegrationLatency: the time (in milliseconds) between when API Gateway relays a request to the back end and when it receives a response from the back end.

·        Latency: the time (in milliseconds) between when API Gateway receives a request from a client and when it returns a response to the client. The latency includes the integration latency and other API Gateway overhead.

Logging

Azure API Management: You can access logs in your API Management service, or access the logs of all your Azure resources in Azure Monitor. There are two types of logs:

·        Activity logs: provide insight into the operations that were performed on your API Management services; you can determine the "what, who, and when" for any write operations.

·        Diagnostic logs: provide rich information about operations and errors that are important for auditing as well as troubleshooting purposes.

You can also send the events to EventHub, process them there and log them however you want.

Amazon API Gateway: When CloudTrail logging is enabled, API Gateway calls are tracked in log files delivered (based on a time period and file size) to an Amazon S3 bucket you specify. The information collected by CloudTrail includes which request was made to API Gateway, the source IP address from which the request was made, who made the request, when it was made, etc.

Once enabled, Amazon CloudWatch Logs can monitor, store, and access log files generated by AWS CloudTrail.

SLA

Azure API Management: Depends on the plan:

·        Developer: N/A

·        Standard: 99.9%

·        Premium: 99.95%

Amazon API Gateway: Amazon does not currently offer an SLA for API Gateway.

Admin Portal

Azure API Management: As seen above, in the Publisher Portal you can create, import and edit APIs. APIs can be organized into Products, and restrictions are applied through “Policies”, written in XML with C# expressions, which define rules such as rate limits, quotas, caching, JWT token validation, authentication, transformations, URL rewriting, CORS, IP restrictions, setting headers, etc. Access to and visibility of products is controlled using Groups and, for APIs that require them, developer subscriptions.

Amazon API Gateway: The Amazon API Gateway console is the quickest way to create, import and edit APIs. It provides a web-based interface for building, deploying, managing and monitoring your APIs. Usage plans help you declare plans for third-party developers that restrict access only to certain APIs, define throttling and request quota limits, and associate them with API keys. You can also extract utilization data on a per-API key basis to analyze API usage and generate billing documents. API Gateway supports multiple mechanisms of access control: standard AWS roles and policies, custom authorizers (a Lambda function that you provide to control access to your APIs) and integration with Amazon Cognito.

Developer Portal

Azure API Management: A developer portal is provided, with nice features:

·        quick developer onboarding

·        user registrations and mail notifications

·        nice interface to test your API and see the documentation

Amazon API Gateway: Amazon does not provide a Developer Portal but has published aws-api-gateway-developer-portal, an open source serverless web application that you can use to get started building your own developer portal.

REST API

Azure API Management: See API Management REST

Amazon API Gateway: See Amazon API Gateway REST API

API lifecycle

Azure API Management: At the moment, the best way to move an API from one environment to another is through Git, using this template.

Amazon API Gateway: Each REST API can have multiple stages to help with the development lifecycle of an API: after you’ve built your APIs you can deploy them to a development stage, and when you are ready for production you can deploy them to a production stage. Amazon API Gateway saves the history of your deployments so that at any point you can roll back a stage to a previous deployment.

VPN (*)

Azure API Management: Connecting VPNs to Azure API Management to secure the backend services only works when using the Premium tier, priced at about $2850. The VPN connection feature is also available in the Developer tier, but only for development and functional testing (customers should not use this tier for production).

Amazon API Gateway: At the moment, you cannot connect directly to a VPN through the API Gateway proxy, but you can place your Lambda functions in a VPC and connect your VPN to that VPC, where Lambda can act as a proxy and connect to your backend.

Active Directory Integration

Azure API Management: If an organization synchronizes an on-premises Active Directory domain to Azure, access to the API endpoints can be configured to use Azure Active Directory to provide same sign-on capabilities. Available only in Premium and Developer tiers.

Amazon API Gateway: By leveraging the integration between Amazon Cognito and API Gateway you can provide access to the different API users and resources based on a specific identity provider or even an enterprise-level SAML provider, such as Active Directory.

Multi-region deployment

Azure API Management: When using the Premium tier, it is possible to deploy the API Management instance to many locations to provide geographically distributed load.

Amazon API Gateway: There is no direct support for multi-region redundancy in API Gateway, but there are alternate solutions.

Monetize API

Azure API Management: Microsoft’s Azure team offers a tutorial on how to monetize APIs using Azure API Management.

Amazon API Gateway: Amazon API Gateway integrates with the AWS Marketplace to help you monetize and meter usage for your API products, without writing any code.

SDK

Azure API Management: SDK generation is not available, but the developer portal provides sample code that has to be copied and pasted manually.

Amazon API Gateway: API Gateway supports generating an SDK to download for an API in Java, JavaScript, Java for Android, and Objective-C or Swift for iOS. The client SDK automatically handles retries, informing the developer of network or other fault conditions. The SDK library includes the logic necessary to authenticate the client application to your APIs.

Limits

Azure API Management: API Management limits are different for each pricing tier, see API Management Pricing.

Amazon API Gateway: See Amazon API Gateway Limits, Pricing and Known Issues.

(*) prices are related to Central US region for API Management and US East (N. Virginia) for Amazon API Gateway

Summary

Azure API Management and AWS API Gateway are great tools for provisioning, managing and monitoring any sort of API. They offer services like authentication, transformation, quotas & rate limiting, caching, logging, CORS, mocking and much more. In this article I tried to compare the Azure and AWS products to understand how they accomplish these common goals and where they differ; the best choice for your scenario is up to you!
