|
1 | | -# Samples: Api Management proxing calls to Azure Maps |
| 1 | +# Samples: Api Management proxying calls to Azure Maps |
2 | 2 |
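Review bot: The new title (new line 1) fixes "proxing" but still reads "Api Management", while the intro on new line 3 spells the product "Azure API Management (APIM)". Suggest "# Samples: API Management proxying calls to Azure Maps" so the name is consistent across the README.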
|
3 | | -This is a sample demonstrating how to use Azure API Management (APIM) to proxy calls to the Azure Maps service. This setup allows you to manage, secure, and monitor access to Azure Maps through APIM. |
| 3 | +This sample demonstrates how to use Azure API Management (APIM) to proxy calls to Azure Maps service using **three different authentication methods**. This setup allows you to manage, secure, and monitor access to Azure Maps through APIM while showcasing various authentication patterns for different use cases. |
4 | 4 |
|
5 | 5 | ⚙️ **Supported infrastructures**: All infrastructures |
6 | 6 |
|
7 | | -👟 **Expected *Run All* runtime (excl. infrastructure prerequisite): ~[NOTEBOOK RUNTIME] minute** |
| 7 | +👟 **Expected *Run All* runtime (excl. infrastructure prerequisite): ~2 minutes** |
8 | 8 |
|
9 | 9 | ## 🎯 Objectives |
10 | 10 |
|
11 | | -1. Learn how to set up APIM to proxy requests to Azure Maps on a path to operation based mapping. |
12 | | -1. Learn how to set up APIM to proxy requests to Azure Maps on a generic path. |
13 | | -1. See how to secure access to Azure Maps using APIM policies for all 3 authentication methods (subscription key, Azure Entra AD, and SAS Tokens). |
14 | | -1. Show how to connect to the v1 enpoint of Azure Maps using APIM. |
| 11 | +1. **Demonstrate three Azure Maps authentication patterns:** |
| 12 | + - **Shared Key Authentication** - Using Azure Maps subscription keys |
| 13 | + - **Azure Entra ID (Managed Identity)** - Recommended approach for production scenarios |
| 14 | + - **SAS Token Authentication** - Dynamic token generation with fine-grained control |
| 15 | +2. Learn path-to-operation mapping vs. generic proxy patterns in APIM |
| 16 | +3. Understand how APIM can enable chargeback/cost allocation scenarios for Azure Maps usage |
| 17 | +4. Show integration with both v1 and v2 Azure Maps API endpoints |
15 | 18 |
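Review bot: Objective 4 (new line 17) promises integration with "both v1 and v2 Azure Maps API endpoints", where the removed text only mentioned the v1 endpoint, and the operations listed under Lab Components do not say which API version each one targets. Suggest naming the operation that uses each version, or narrowing the objective to what the sample calls. The rewrite also drops the old wording "secure access to Azure Maps using APIM policies"; keep a phrase saying the authentication is applied in APIM policy, since that is the mechanism a reader needs to find.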
|
16 | 19 | ## 📝 Scenario |
17 | 20 |
|
18 | | -This sample demonstrates how to use APIM to proxy requests to the Azure Maps service. By doing so, you can leverage APIM's capabilities to manage, secure, and monitor access to Azure Maps. This particular setup will show you how to map specific paths to Azure Maps APIs, as well as how to handle generic paths. Additionally, the sample will illustrate how to secure access to Azure Maps using different authentication methods supported by APIM policies. |
| 21 | +Organizations migrating from services like Bing Maps to Azure Maps often need flexible authentication and billing models. This sample addresses common questions about: |
| 22 | + |
| 23 | +- **Authentication flexibility**: While Azure Entra ID with Managed Identity is the recommended production approach, some scenarios require shared keys or SAS tokens |
| 24 | +- **Cost allocation**: Using APIM subscription keys to enable chargeback models and usage tracking per department/application |
| 25 | +- **Migration patterns**: Supporting different authentication methods during transition periods |
| 26 | +- **API management**: Centralizing access control, rate limiting, and monitoring for Azure Maps |
| 27 | + |
| 28 | +### Authentication Scenarios Demonstrated: |
| 29 | + |
| 30 | +1. **🔑 Shared Key (Subscription Key)**: Direct use of Azure Maps primary/secondary keys - simpler but less granular control |
| 31 | +2. **🛡️ Azure Entra ID (Managed Identity)**: Recommended for production - leverages Azure RBAC and eliminates key management |
| 32 | +3. **🎫 SAS Token**: Dynamic token generation with configurable expiration, rate limits, and regional restrictions - ideal for fine-grained access control |
| 33 | + |
| 34 | +> **Note**: In production scenarios, SAS token generation would typically be handled by a separate Azure Function or API service. This sample demonstrates in-policy generation for simplicity and educational purposes. |
19 | 35 |
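Review bot: The shared key item (new line 30) describes "Direct use of Azure Maps primary/secondary keys" without saying where the key is held or that callers of the APIM endpoint never receive it. Since the cost-allocation bullet on new line 24 relies on APIM subscription keys as the caller-facing credential, state that split explicitly and say how the Maps key is stored on the APIM side. The note on new line 34 would also be clearer if it said what in-policy SAS generation costs in privilege: the Lab Components section shows the APIM identity needs Azure Maps Contributor for it.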
|
20 | 36 | ## 🛩️ Lab Components |
21 | 37 |
|
22 | 38 | This lab sets up: |
23 | 39 |
|
24 | | -- An Azure Maps resource in Azure |
25 | | -- APIM managed identity with the following roles: |
26 | | - - **Azure Maps Search and Render Data Reader:** Grants the ability to call the apis and render the maps |
27 | | - - **Azure Maps Contributor:** Grants the ability to create the SAS Token from the APIM policy |
28 | | -- A User Assigned Managed Identity (UAMI) that is used as the principal id to emulate when creating the SAS Token for Azure Maps. It has the following roles asigned: |
29 | | - - **Azure Maps Search and Render Data Reader:** Grants the ability to call the apis and render the maps |
30 | | -- An API that demonstrates proxying requests to Azure Maps specific to APIs (geocode, search, etc.) |
31 | | - - Also in that api there will be an operation that demonstrates a generic path to Azure Maps |
| 40 | +- **Azure Maps Account** with Gen2 pricing tier |
| 41 | +- **APIM Managed Identity** with roles: |
| 42 | + - **Azure Maps Data Reader**: Read access to Maps APIs |
| 43 | + - **Azure Maps Contributor**: Ability to generate SAS tokens |
| 44 | +- **User Assigned Managed Identity (UAMI)** for SAS token principal, with: |
| 45 | + - **Azure Maps Data Reader**: Used as the identity for SAS token operations |
| 46 | +- **Three API Operations** demonstrating each authentication method: |
| 47 | + - `/geocode` - Azure Entra ID authentication |
| 48 | + - `/geocode/batch/async` - Shared key authentication |
| 49 | + - `/default/*` - SAS token authentication with caching |
32 | 50 |
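Review bot: The data-plane role changes from "Azure Maps Search and Render Data Reader" to "Azure Maps Data Reader" (new lines 42 and 45) with no explanation in the README. If the role assignment in the deployment changed as well, say why the wider reader role is needed; if only the wording changed, keep the name of the role that is actually assigned. New line 45 also describes what the UAMI is for rather than what the role grants, unlike the removed text, and the operations list no longer says which operation is the generic proxy path that objective 2 refers to.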
|
33 | 51 | ## ⚙️ Configuration |
34 | 52 |
|
|