How to Expose and protect Logic App using Azure API Management (Part 1) – Exposing the Logic App

Earlier on this blog, Eldert Grootenboer explains how you can expose Azure Services using Azure API Management, see more details here: Exposing Azure Services using Azure API Management. Today I will explain the step-by-step process on how you can publish your Logic App in Azure API Management (APIM), or if you prefer, how you can protect your Logic App using APIM. This will be the first of a series of blogs post about this topic.

What is Azure API Management?

It is not the goal of this blog post but for you to be contextualized, if you are not familiar with APIM, in a simple way, Azure API Management is a fully managed service that enables customers to publish, secure, transform, maintain, and monitor APIs.

And it will allow you in a matter of a few clicks in the Azure Portal, most of the times, for you to create an API façade that acts as a “front door” through which external and internal applications can access data or business logic implemented by your custom-built backend services, running on Azure, for example, Logic Apps, App Services, or other many services or the once which run on-premises in your organization. Then, the APIM will be able to handle all the tasks involved in mediating API calls, like request authentication and authorization, rate limit and quota enforcement, request and response transformation, logging and tracing, and/or API version management.

APIM is made up of the following components:

• The API gateway is the endpoint that:
  • Accepts API calls and routes them to your backends.
  • Verifies API keys, JWT tokens, certificates, and other credentials.
  • Enforces usage quotas and rate limits.
  • Transforms your API on the fly without code modifications.
  • Caches backend responses were set up.
  • Logs call metadata for analytics purposes.
• The Azure portal (old Publisher Portal) is the administrative interface where you set up your API program. Use it to:
  • Define or import API schema.
  • Package APIs into products.
  • Set up policies like quotas or transformations on the APIs.
  • Get insights from analytics.
  • Manage users.
• The Developer portal serves as the main web presence for developers, where they can:
  • Read API documentation.
  • Try out an API via the interactive console.
  • Create an account and subscribe to get API keys.
  • Access analytics on their usage.

Note: in this blog post, I will not explain how you create an API Management resource on Azure.

Exposing and protect Logic App using Azure API Management

Don’t see an Azure Logic App?

First thing you should be aware is that out-of-the-box, you can only expose an Azure Logic App that exposes an HTTP endpoint on your APIM and are inside your Azure Subscription (same subscription that your APIM is created).

Exposing Logic App using Azure API Management

The Microsoft APIM team has done an excellent job, and they created an intuitive and quite easy experience that quickly allows developers or administrators to add new APIs to APIM based on an Azure Logic Apps. For that you need to:

• Access to your APIM on the Azure Portal (old Publisher Portal that is now built-in inside the Azure Portal;
• And on the left menu, under “API Management” section, click the “API” option

• By doing that under the “All APIs” section you will see the list of all APIs that you are already available, and on the main panel you will find several different options to add a new API to your list:
  • From scratch – Blank API;
  • Export based on an OpenAPI, WADL or WSDL specification;
  • Or based on an Azure Service:
    • Logic App
    • API App
    • Or a Function App
• In our case, we will be using a Logic App, so go and press “Logic App” option

• This will open a “Create from Logic App” form that will allow us with a few clicks to ingest our logic app configuration into APIM

• To do that we need:
  • Under “Logic App” attribute, click on “Browse” and select the Logic App we want to expose from the available Logic App list inside our subscription that can be triggered using an HTTP based trigger like the Request trigger

• • Note: that by default, all the required fields will be filled using the name of the Logic App;
  • You can go ahead and click “Create” or change the mandatory values, field the optional ones (API URL suffix and Products”) and then click “Create”

• • In my case, as a proof of concept, I will treat this as a list of operations that I need to expose, each Logic App will be an operation that will handle BizTalk Server alerts, so I will change this default values for:
    • Display name: BizTalk Alerts API
    • Name: biztalk-alerts-api
  • And I will associate the “Starter” product to it.
  • Note: you can change or rectify all these parameters/configurations later;
  • Note: in future blog posts we will address how can you add more operations;
• After you have done that the wizard will expose for you the Logic App under a POST operation called “manual-invoke“.
  • Note: By default, the operation name will always be “request-invoke”

Testing the Logic App exposed to Azure API Management

After all the above steps, the next step is for us to test the Logic App expose as an API on APIM before we give access to our developers, teams or partners. And the more natural way to do that is directly on the Azure Portal.

To do that you need to:

• Under the API top options menu, select “Test” option, and in this case, there is only one operation which will automatically get selected;
• On the “Request body” section, select “Raw” option and insert a valid and expected request to be sent to the Logic App;
• And finally, press “Send”

And after that, you will see an expected response from the Logic App.