Emanuele Rossi

Centralized management of enterprise APIs

How we implemented Azure API Management to centralise over 120 enterprise endpoints with Azure AD authentication, unified monitoring and 50,000 calls per minute handled.

Development of an Azure API Management Architecture

Through the use of Azure API Management, we have created a solution for the centralized management of the client's APIs, complete with:

  • Authentication Management
  • Monitoring
  • Definition of roles and access to the various APIs
  • Publication of endpoints starting from APIs developed on different technologies
  • Controlled management of the publishing process

In an API-first model, where it is essential to connect different systems, it is necessary to define a central point in which to manage data exposure.

The problem: enterprise APIs without governance

Enterprise organisations that grow organically accumulate APIs over time without a unified plan. One team builds a REST service with OAuth, another releases a SOAP endpoint with a static API key, a third integrates a legacy system via custom tokens. The result is a heterogeneous, fragmented inventory that no single person fully understands.

The security risk is concrete. An exposed, uncontrolled API is a real attack vector: a single non-revoked token or an undocumented endpoint can open a gap in the corporate security perimeter that goes undetected for months.

Performance is equally at risk. An unmonitored API can become a silent bottleneck, degrading the performance of entire automation processes before anyone notices. There are no alerts, no dashboards, no baseline to compare against — just a slowdown that gradually gets worse.

Version management compounds the problem further. Without a central API gateway, every update requires manually notifying all consumers and coordinating coexistence between old and new versions. What should take hours turns into days of cross-team coordination, with the constant risk that some application keeps calling a deprecated endpoint long after it should have been decommissioned.

This was exactly the context the client was in when they approached us.

A common way to manage enterprise APIs

The customer's request was very specific: bring order to the myriad of web services and APIs in place within the company. These were resources in active use and critical to the functioning of automation processes, but they had been implemented with the most disparate technologies and authentication methods.

The challenge was to develop an Azure API Management Architecture that would allow all services to be managed together in terms of security, monitoring, deployment and updating.

Everything had to be implemented through an intuitive and simple to use tool.

Azure API Management

Our experts have made the most of the features offered by Azure API Management, the application endpoint management service present in the Microsoft cloud platform.

(Screenshot: Azure API Management interface)

The package was then completed with automated management of API releases through ARM (Azure Resource Manager) templates and an automatic resource installation pipeline in Azure DevOps, which gave the customer a ready-to-use mechanism for recovering, i.e. redeploying, the entire Azure resource infrastructure.

Security and governance: the unified control layer

Azure API Management was configured as the single entry point for all requests to backend services. Any internal application or external system passes through the gateway, which authenticates the request, applies the defined policies and forwards it to the correct service. Backend services remain hidden and protected - they are never directly reachable from outside the gateway.

Authentication is built entirely on Azure Active Directory, covering two distinct scenarios. Application mode uses client credentials - a service-to-service flow with no user involved, suited to background processes and scheduled integrations. Delegated mode propagates the current user’s identity end-to-end, allowing backend services to apply contextual authorisation logic based on the Office 365 profile of whoever is making the call.

Rate limiting and throttling policies protect backend services from unexpected load spikes. When a service receives an anomalous volume of calls, the gateway throttles the traffic automatically before the issue reaches the backend - no manual intervention required.
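The three paragraphs above describe the gateway's job in prose: validate an Azure AD token, accept both application and delegated callers, throttle per consumer and forward only to a backend that is not reachable directly. The following Azure API Management inbound policy shows how those steps look when written down. It is an added example, not the policy deployed for the customer: `TENANT_ID`, the `api://orders-api-placeholder` audience, the `Orders.Read` permission name and the `orders.internal.example.net` backend are placeholders, and the per-caller limit of 1000 calls per minute is an assumed value.

```xml
<policies>
  <inbound>
    <base />
    <!-- 1. Authentication: every request must carry a signed, unexpired bearer
            token issued by the Azure AD tenant for this API's app registration.
            TENANT_ID and the audience URI are placeholders. -->
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  require-signed-tokens="true"
                  require-expiration-time="true"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Missing or invalid access token"
                  output-token-variable-name="jwt">
      <openid-config url="https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration" />
      <issuers>
        <issuer>https://login.microsoftonline.com/TENANT_ID/v2.0</issuer>
      </issuers>
      <audiences>
        <audience>api://orders-api-placeholder</audience>
      </audiences>
    </validate-jwt>

    <!-- 2. Authorisation for both modes. An application (client credentials)
            token carries app roles in the "roles" claim; a delegated token
            carries the user's consented scopes in the space-separated "scp"
            claim. Collect both into one list so the check below is the same. -->
    <set-variable name="grants" value="@{
        var jwt = (Jwt)context.Variables["jwt"];
        var all = new List<string>();
        if (jwt.Claims.ContainsKey("roles")) all.AddRange(jwt.Claims["roles"]);
        if (jwt.Claims.ContainsKey("scp")) all.AddRange(string.Join(" ", jwt.Claims["scp"]).Split(' '));
        return string.Join(" ", all);
    }" />
    <choose>
      <!-- Orders.Read is an assumed permission name defined on the app registration. -->
      <when condition="@(!((string)context.Variables["grants"]).Split(' ').Contains("Orders.Read"))">
        <return-response>
          <set-status code="403" reason="Forbidden" />
          <set-body>Token is valid but lacks the Orders.Read permission</set-body>
        </return-response>
      </when>
    </choose>

    <!-- 3. Throttling per caller: the counter is keyed on the token subject
            (the application or the user), so one noisy consumer is answered
            with 429 before it can exhaust the backend for everyone else.
            The limit of 1000 calls per 60 seconds is an assumed value. -->
    <rate-limit-by-key calls="1000" renewal-period="60"
                       counter-key="@(((Jwt)context.Variables["jwt"]).Subject ?? context.Request.IpAddress)" />

    <!-- 4. Route to the private backend (placeholder host). It is reachable only
            through the gateway; the Authorization header is forwarded unchanged,
            so in delegated mode the backend still sees the calling user's identity
            and can apply its own contextual authorisation. -->
    <set-backend-service base-url="https://orders.internal.example.net" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
    <!-- Strip headers that would reveal the backend's implementation stack. -->
    <set-header name="X-Powered-By" exists-action="delete" />
    <set-header name="Server" exists-action="delete" />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Two points are worth checking when adapting a policy like this. First, `validate-jwt` only proves the token is genuine; without the `roles`/`scp` check in step 2, any token from the tenant with the right audience would pass, regardless of what it was granted. Second, keying the rate limit on the subject rather than the client IP is what keeps the behaviour described above ("throttle the consumer, not the service") correct for service-to-service callers that all come from the same outbound address.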

The integrated developer portal completes the governance layer. Developers can browse a centralised API catalogue, read auto-generated OpenAPI documentation, run test calls directly from the interface, and subscribe to API products without opening tickets or coordinating with other teams. Onboarding a new internal consumer becomes a self-service activity measured in minutes, not days.

The benefit for the customer

Thanks to the new Azure API Management Architecture, the customer was able to benefit from a single platform where users can:

  • manage all APIs for the automation of their internal or external processes;
  • have a unified authentication mechanism for any type of web service or API;
  • have full autonomy to manage API versioning and the related testing;
  • monitor API usage;
  • manage user recognition through the Office 365 business account;
  • have a controlled API publishing mechanism.

Achieved results

The Azure API Management Architecture developed by us has brought the customer a solution that has significantly improved the use and management of application endpoints within the company.

The main result was the centralization of security management for access to the various APIs. This was implemented using Azure AD as the identity provider for authentication in both application mode and delegated mode, the latter exploiting the identity of the current user.

The system now has more than 120 different endpoints in use that serve data to various internal and external applications within the perimeter defined by the corporate network, with an average of more than 50k calls per minute.

Written by

Emanuele Rossi

Infra & Security · Dev4Side