Control Access for APIs with Azure API Management using Products, Subscriptions and Policies

We learned about creating and importing APIs into Azure API Management in my last post; let's continue our journey with APIM.

What is a product in APIM?

An APIM product is a container for one or more APIs. Access to a product is controlled through subscriptions: a user requests a subscription to the product via the developer portal and, once the subscription is approved, can call every API in that product by presenting the subscription key the product issued. Policies attached at the product scope, such as rate limits and quotas, apply to all APIs in the product. Subscription approval is configured per product and can either require administrator approval or be automatic. Products are therefore a way of segmenting access to APIs, for example limiting enterprise APIs to particular teams, or separating internal consumers from external ones.

Let's create a product

  1. Navigate to the API Management instance.
  2. In the left navigation, select Products -> + Add.
  3. In the Add product window, enter the values:
    State – Select Published if you want the product to be visible and usable from the developer portal. Products are not published by default.
    Requires subscription – Select this if a user must subscribe, and present a subscription key, to call the product's APIs. If it is not selected, the APIs in this product can be called without any key, so leave it selected unless the APIs are meant to be public.
    Requires approval – Select this if you want an administrator to review and accept or reject subscription requests for this product. If it is not selected, subscription requests are approved automatically.

  4. Select the APIs you want to add to this product; APIs can also be added later.

Add a subscription

A subscription to a product can be requested from the developer portal, or an APIM administrator can create a subscription for a user from the Azure portal.

  1. In the APIM left navigation, select Subscriptions -> + Add subscription.
  2. Select Product as the scope.
  3. Select the product created above.

Now that we have added a subscription to the APIM product, users can call its APIs by sending the subscription key with each request, either in the Ocp-Apim-Subscription-Key header or in the subscription-key query parameter.

Add policies

Policies are a collection of statements that are executed sequentially on the request or response of an API. Policies can be set at the global, product, API or operation scope; a policy at the product scope applies to every API in that product.

Let's set up a sample ip-filter policy on the product that allows access only from the address 111.11.111.11.
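The product-scope policy document for that filter looks like the following. This is an added example, not the policy XML from the original post, and it goes slightly beyond the post's single address: 111.11.111.11 is the post's address, while the 10.0.0.0 to 10.0.0.255 address range and the rate-limit and quota values are assumed values chosen only to illustrate the other product-level controls mentioned above.

```xml
<!-- Product-scope policy (added example; the original post does not show the XML). -->
<policies>
    <inbound>
        <!-- <base /> runs the policies inherited from the enclosing (global) scope first. -->
        <base />
        <!-- Allow only the listed sources; every other source address gets HTTP 403 Forbidden
             before the request reaches the backend. -->
        <ip-filter action="allow">
            <!-- The post's single allowed address. -->
            <address>111.11.111.11</address>
            <!-- Assumed office range, shown only to illustrate address-range. -->
            <address-range from="10.0.0.0" to="10.0.0.255" />
        </ip-filter>
        <!-- Assumed throttling values: at most 100 calls per subscription per 60 seconds ... -->
        <rate-limit calls="100" renewal-period="60" />
        <!-- ... and at most 10000 calls per subscription per 7 days (604800 seconds). -->
        <quota calls="10000" renewal-period="604800" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

To verify it, call any operation in the product with a valid subscription key in the Ocp-Apim-Subscription-Key header; from an address that is not in the list the gateway answers 403 Forbidden and the backend is never called. Two caveats worth checking in your own setup: ip-filter evaluates the source address of the connection as the gateway sees it, so if clients reach APIM through an application gateway, CDN or other proxy the address being checked is that intermediary's, not the client's; and a product policy only covers calls made under that product, so an API that is also added to another product (including any default product in your tier) can still be called with that other product's keys.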

Obviously my local IP is not 111.11.111.11 🙂, so any call from my machine should fail. Let's check whether the policy is working as expected.

BOOM!!! it worked…

Conclusion
Products and subscriptions are one way of controlling access; you can also restrict access to APIs with JWT token validation or client certificate authentication. Keep in mind that a subscription key identifies the subscriber, not an end user, and is a shared secret sent with every request, so treat it like a credential and combine it with a policy such as validate-jwt where the caller's identity matters.
