About API Management

API Management (APIM) is a way to create consistent and modern API gateways for existing back-end services.

API Management helps organizations publish APIs to external, partner, and internal developers to unlock the potential of their data and services. Businesses everywhere are looking to extend their operations as a digital platform, creating new channels, finding new customers and driving deeper engagement with existing ones. API Management provides the core competencies to ensure a successful API program through developer engagement, business insights, analytics, security, and protection. You can use Azure API Management to take any backend and launch a full-fledged API program based on it.

This article provides an overview of common scenarios that involve APIM. It also gives a brief overview of the APIM system's main components. The article then gives a more detailed overview of each component.

Overview

To use API Management, administrators create APIs. Each API consists of one or more operations, and each API can be added to one or more products. To use an API, developers subscribe to a product that contains that API, and then they can call the API's operation, subject to any usage policies that may be in effect. Common scenarios include:

  • Securing mobile infrastructure by gating access with API keys, preventing DoS attacks by using throttling, or using advanced security policies like JWT token validation.
  • Enabling ISV partner ecosystems by offering fast partner onboarding through the developer portal and building an API facade to decouple from internal implementations that are not ripe for partner consumption.
  • Running an internal API program by offering a centralized location for the organization to communicate about the availability and latest changes to APIs, gating access based on organizational accounts, all based on a secured channel between the API gateway and the backend.

The system is made up of the following components:

  • The API gateway is the endpoint that:

    • Accepts API calls and routes them to your backends.
    • Verifies API keys, JWT tokens, certificates, and other credentials.
    • Enforces usage quotas and rate limits.
    • Transforms your API on the fly without code modifications.
    • Caches backend responses where set up.
    • Logs call metadata for analytics purposes.
  • The Azure portal is the administrative interface where you set up your API program. Use it to:

    • Define or import API schema.
    • Package APIs into products.
    • Set up policies like quotas or transformations on the APIs.
    • Get insights from analytics.
    • Manage users.
  • The developer portal serves as the main web presence for developers, where they can:

    • Read API documentation.
    • Try out an API via the interactive console.
    • Create an account and subscribe to get API keys.
    • Access analytics on their own usage.

For more information, see the Cloud-based API Management: Harnessing the Power of APIs PDF whitepaper. This introductory whitepaper on API Management by CITO Research covers:

  • Common API requirements and challenges
  • Decoupling APIs and presenting facades
  • Getting developers up and running quickly
  • Securing access
  • Analytics and metrics
  • Gaining control and insight with an API Management platform
  • Using cloud vs on-premises solutions
  • Azure API Management

APIs and operations

APIs are the foundation of an API Management service instance. Each API represents a set of operations available to developers. Each API contains a reference to the back-end service that implements the API, and its operations map to the operations implemented by the back-end service. Operations in API Management are highly configurable, with control over URL mapping, query and path parameters, request and response content, and operation response caching. Rate limit, quotas, and IP restriction policies can also be implemented at the API or individual operation level.

For more information, see How to create APIs and How to add operations to an API.

Products

Products are how APIs are surfaced to developers. Products in API Management have one or more APIs, and are configured with a title, description, and terms of use. Products can be Open or Protected. Protected products must be subscribed to before they can be used, while open products can be used without a subscription. When a product is ready for use by developers, it can be published. Once it is published, it can be viewed (and, in the case of protected products, subscribed to) by developers. Subscription approval is configured at the product level and can either require administrator approval, or be auto-approved.

Groups are used to manage the visibility of products to developers. Products grant visibility to groups, and developers can view and subscribe to the products that are visible to the groups in which they belong.

Groups

Groups are used to manage the visibility of products to developers. API Management has the following immutable system groups:

  • Administrators - Azure subscription administrators are members of this group. Administrators manage API Management service instances, creating the APIs, operations, and products that are used by developers.
  • Developers - Authenticated developer portal users fall into this group. Developers are the customers that build applications using your APIs. Developers are granted access to the developer portal and build applications that call the operations of an API.
  • Guests - Unauthenticated developer portal users, such as prospective customers visiting the developer portal of an API Management instance, fall into this group. They can be granted certain read-only access, such as the ability to view APIs but not call them.

In addition to these system groups, administrators can create custom groups or leverage external groups in associated Azure Active Directory tenants. Custom and external groups can be used alongside system groups in giving developers visibility and access to API products. For example, you could create one custom group for developers affiliated with a specific partner organization and allow them access to the APIs from a product containing relevant APIs only. A user can be a member of more than one group.

For more information, see How to create and use groups.

Developers

Developers represent the user accounts in an API Management service instance. Developers can be created or invited to join by administrators, or they can sign up from the Developer portal. Each developer is a member of one or more groups, and can subscribe to the products that grant visibility to those groups.

When developers subscribe to a product, they are granted the primary and secondary key for the product. This key is used when making calls into the product's APIs.

For more information, see How to create or invite developers and How to associate groups with developers.

Policies

Policies are a powerful capability of API Management that allow the Azure portal to change the behavior of the API through configuration. Policies are a collection of statements that are executed sequentially on the request or response of an API. Popular statements include format conversion from XML to JSON and call rate limiting to restrict the number of incoming calls from a developer, and many other policies are available.

Policy expressions can be used as attribute values or text values in any of the API Management policies, unless the policy specifies otherwise. Some policies such as the Control flow and Set variable policies are based on policy expressions. For more information, see Advanced policies and Policy expressions.

For a complete list of API Management policies, see Policy reference. For more information on using and configuring policies, see API Management policies. For a tutorial on creating a product with rate limit and quota policies, see How to create and configure advanced product settings.
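The policy document below is an added illustration, not taken from the original article, of how the statements named on this page (rate limiting, quotas, JWT validation, and XML-to-JSON conversion) combine in one policy. The call limits, the OpenID metadata URL, and the audience value are constructed placeholders.

```xml
<policies>
    <inbound>
        <base />
        <!-- Statements run in order: throttle first, so rejected floods
             never reach token validation or the backend. -->
        <!-- Constructed limit: 100 calls per 60 seconds per subscription. -->
        <rate-limit calls="100" renewal-period="60" />
        <!-- Constructed longer-term cap: 10000 calls per 604800 s (7 days). -->
        <quota calls="10000" renewal-period="604800" />
        <!-- Reject requests that lack a valid, signed, unexpired bearer token. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      require-expiration-time="true"
                      require-signed-tokens="true">
            <!-- Placeholder URL: substitute your identity provider's metadata endpoint. -->
            <openid-config url="https://login.example.com/.well-known/openid-configuration" />
            <audiences>
                <!-- Placeholder audience: accept only tokens issued for this API. -->
                <audience>api://example-backend</audience>
            </audiences>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Convert an XML backend response to JSON for callers. -->
        <xml-to-json kind="direct" apply="always" consider-accept-header="false" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Pinning the audience matters as much as checking the signature: without it, a token issued by the same identity provider for a different application would also pass validation.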

Developer portal

The developer portal is where developers can learn about your APIs, view and call operations, and subscribe to products. Prospective customers can visit the developer portal, view APIs and operations, and sign up. The URL for your developer portal is located on the dashboard in the Azure portal for your API Management service instance.

You can customize the look and feel of your developer portal by adding custom content, customizing styles, and adding your branding.

Next steps

Complete the following quickstart and start using Azure API Management: