- API Management helps to publish RESTful/HTTP APIs to external, partner, and internal developers.
- Each API consists of one or more operations, and each API can be added to one or more products.
- To use an API, developers subscribe to a product that contains that API, and then they can call the API's operation, subject to any usage policies that may be in effect.
Scenarios
- Securing mobile infrastructure:
  - Gating access with API keys.
  - Preventing DoS attacks by using throttling.
  - Using advanced security policies like JWT token validation.
- Enabling independent software vendor (ISV) partner ecosystems:
  - Offering fast partner onboarding through the developer portal and building an API facade to decouple from internal implementations.
- Running an internal API program:
  - Offering a centralized location for the organization to communicate the availability of the APIs.
  - Gating access based on organizational accounts, with all traffic carried over a secured channel between the API gateway and the backend.
Components
- The API gateway is the endpoint that:
  - Accepts API calls and routes them to the backends.
  - Verifies API keys, JWT tokens, certificates, and other credentials.
  - Enforces usage quotas and rate limits.
  - Transforms your API on the fly without code modifications.
  - Caches backend responses where set up.
  - Logs call metadata for analytics purposes.
- The Azure portal is the administrative interface where you set up your API program. Use it to:
  - Define or import API schema.
  - Package APIs into products.
  - Set up policies like quotas or transformations on the APIs.
  - Get insights from analytics.
  - Manage users.
- The Developer portal serves as the main web presence for developers, where they can:
  - Read API documentation.
  - Try out an API via the interactive console.
  - Create an account and subscribe to get API keys.
  - Access analytics on their own usage.
- Products are how APIs are surfaced to developers.
  - Products in API Management have one or more APIs, and are configured with a title, description, and terms of use.
  - Products can be Open or Protected.
  - Protected products must be subscribed to before they can be used, while open products can be used without a subscription.
  - When a product is ready for use by developers, it can be published.
  - Once it is published, it can be viewed (and, in the case of protected products, subscribed to) by developers.
  - Subscription approval is configured at the product level and can either require administrator approval, or be auto-approved.
- Groups are used to manage the visibility of products to developers. Immutable system groups:
  - Administrators: Azure subscription administrators are members of this group.
    - Administrators manage API Management service instances, creating the APIs, operations, and products that are used by developers.
  - Developers: Authenticated developer portal users fall into this group.
    - Developers are the customers that build applications using your APIs.
  - Guests: Unauthenticated developer portal users, such as prospective customers visiting the developer portal of an API Management instance, fall into this group.
    - They can be granted certain read-only access, such as the ability to view APIs but not call them.
  - In addition to these system groups, administrators can create custom groups or leverage external groups in associated Azure Active Directory tenants.
  - A user can be a member of more than one group.
- Policies let you change the behavior of an API through configuration in the Azure portal.
  - Policies are a collection of statements that are executed sequentially on the request or response of an API.
  - Popular statements include format conversion from XML to JSON and call rate limiting to restrict the number of incoming calls from a developer.
  - Policy expressions can be used as attribute values or text values in any of the API Management policies, unless the policy specifies otherwise.
  - Some policies, such as the Control flow and Set variable policies, are based on Advanced policies and Policy expressions.
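The following policy document is an added example (not from the original notes or from Microsoft's documentation) that ties the statements above together: JWT validation, per-subscriber rate limiting with a policy expression as the counter key, a Set variable statement, and a Control flow statement that applies XML-to-JSON conversion only when the backend answered with XML. The tenant id, audience and required role are placeholders you would replace with your own values.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject requests whose bearer token is missing, expired, unsigned, or issued for another audience.
             {tenant-id} and api://orders-api are placeholders, not real values. -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      require-expiration-time="true" require-signed-tokens="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Access token is missing or invalid.">
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://orders-api</audience>
            </audiences>
            <required-claims>
                <claim name="roles" match="any">
                    <value>Orders.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Throttle per subscription (API key); fall back to the caller's IP if no subscription is present,
             so unsubscribed callers on an open product are still rate limited. -->
        <rate-limit-by-key calls="100" renewal-period="60"
                           counter-key="@(context.Subscription?.Id ?? context.Request.IpAddress)" />
        <!-- Set variable: a policy expression computed once and reused later in the pipeline. -->
        <set-variable name="wantsJson"
                      value="@(context.Request.Headers.GetValueOrDefault("Accept", "").Contains("application/json"))" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Control flow: convert the backend's XML response to JSON only when the client asked for JSON
             and the backend actually returned XML; otherwise pass the response through unchanged. -->
        <choose>
            <when condition="@((bool)context.Variables["wantsJson"] &amp;&amp; context.Response.Headers.GetValueOrDefault("Content-Type", "").Contains("xml"))">
                <xml-to-json kind="direct" apply="always" consider-accept-header="false" />
            </when>
        </choose>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because the statements run in order, the token is checked before the rate-limit counter is touched, so an unauthenticated flood is rejected with 401 without consuming a legitimate subscriber's quota.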