An Azure API Management is used to provide a central interface to create, provision, and manage ICB IIoT platform APIs.
Azure API Management is a reliable, secure, and scalable way to publish, consume and manage APIs running on the Microsoft Azure platform. Azure API Management provides all essential tools required for an end-to-end management of APIs. It ensures optimal performance of the APIs, tracks and enforces usage, authentication, and more.
Figure 1: Azure API management
API Management provides the core competencies to ensure a successful API program through developer engagement, business insights, analytics, security, and protection. Azure API Management allows us to:
- Monitor the health of APIs, identify errors, configure throttling, rate limits and more on each API.
- Provides insight into the utilization of APIs.
- Creating and managing user roles and defining end-to-end API usage policies.
- Provides a central interface to consolidate and manage multiple APIs across multiple platforms.
- Provide an authentication and access control mechanism to manage and ensure security on API access and utilization.
All clients will require a valid subscription to access any of the products exposed by the Azure API Management.
Figure 2: Subscriptions
To consume the APIs a subscription key will need to be provided with every request. Each partner (i.e. independent software vendor working for the manufacturing enterprise) will have a separate subscription registration and will be given a unique key.
By using the provided outbound processing by Azure API Management all headers carrying sensitive information are stripped from the response before returning it to the clients.
Figure 3: Outbound strip headers policy
Rate Limit Policy (Throttling)
Depending on the consumption rate the IIoT platform APIs may have a rate limit policy that prevents API usage spikes on a per subscription basis by limiting the call rate to a specified number per a specified time period. When this policy is triggered the consumers receive a “Too Many Requests” response status code.
As the IIoT platform APIs provide access to protected resources, it is essential that unwarranted access to them is prevented using the industry standard for authorization - OAuth 2.0 bearer access tokens.
Figure 4. OAuth 2.0
The addition of OAuth 2.0 to our security measurements doesn’t change anything for the end-users (power companies) of the API Management. They would not be aware that internally there is an OAuth 2.0 authorization implemented. The required data for a successful authorization (client id, client secret, and authorization endpoint) won’t be provided to them and we can guarantee that only requests originating from our API Management will be able to pass the authorization protocol.
All APIs require authentication details provided either as a Header or as a Query parameter. Access to the API services is provided with a subscription-based model. This allows us to introduce an extra security level by using dedicated access and tracking methodology for each subscription.
The user should be supplied with a Subscription Key by the Administrators of the APIs which should then be included in all requests to the APIs.
The subscription key can be provided by either of the following two methods:
- As a Header value:
- Header name: Ocp-Apim-Subscription-Key
- Header value: [***subscription-key***]
- As a Query String parameter:
- Parameter name: subscription-key
- Parameter value: [***subscription-key***]