API Management — cerebro-stg-apim
Azure API Management (APIM) is the gateway that sits in front of all backend microservices. It handles routing, rate limiting, authentication, and API versioning.
Details
| Field | Value |
|---|---|
| Gateway URL | https://cerebro-stg-apim.azure-api.net |
| Azure name | cerebro-stg-apim |
| Resource group | testing |
| Region | South India |
| SKU | Consumption (serverless, pay-per-call) |
| State | Active |
What It Does
- Single entry point for all API consumers — clients call `cerebro-stg-apim.azure-api.net` instead of individual service FQDNs
- Authentication — validates JWT tokens from Keycloak before forwarding requests
- Rate limiting — throttles requests per subscription key or IP
- API versioning — supports `/v1/`, `/v2/` prefixes
- Transformation — can modify request/response headers, bodies
How to Access APIM in the Azure Portal
- Go to portal.azure.com
- Navigate to: Resource groups → testing → cerebro-stg-apim
- Or search "API Management" in the top search bar
Key Sections in APIM
| Section | Purpose |
|---|---|
| APIs | Define and configure API routes |
| Products | Group APIs and assign to subscribers |
| Subscriptions | Manage API keys |
| Policies | Inbound/outbound transformation rules |
| Named Values | Shared constants (like backend URLs) |
| Backends | Configure upstream service URLs |
Adding a New API
- APIM Portal → APIs → + Add API
- Choose HTTP or import from OpenAPI spec
- Set the backend URL to the Container App FQDN
- Add a JWT validation policy pointing to Keycloak's OIDC endpoint:
```xml
<validate-jwt header-name="Authorization" failed-validation-httpcode="401">
  <openid-config url="https://keycloak.icydesert-76825898.southindia.azurecontainerapps.io/realms/master/.well-known/openid-configuration" />
  <audiences>
    <audience>your-client-id</audience>
  </audiences>
</validate-jwt>
```
Test an API
```bash
# Get a token from Keycloak
TOKEN=$(curl -s -X POST \
  "https://keycloak.icydesert-76825898.southindia.azurecontainerapps.io/realms/master/protocol/openid-connect/token" \
  -d "client_id=<client>&client_secret=<secret>&grant_type=client_credentials" \
  | jq -r '.access_token')

# Call via APIM
curl -H "Authorization: Bearer $TOKEN" \
  https://cerebro-stg-apim.azure-api.net/your-api/endpoint
```
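When the call through APIM returns 401, the usual first step is to compare the token's claims with what the `validate-jwt` policy expects. The following is an added example, not part of the original page or the project's code: it decodes a token's payload without verifying the signature (debugging only) and reports mismatches in `aud`, `iss` and `exp`. The function names, the issuer URL and the sample token are constructed for illustration.

```python
import base64
import json
import time


def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (debugging only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def policy_problems(claims, audience, issuer, now=None):
    """List mismatches between the token's claims and the expected audience, issuer and expiry."""
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # RFC 7519: string or array
    if audience not in aud:
        # azp is printed because the client id often appears there instead of in aud
        problems.append(f"aud {aud} lacks {audience!r} (azp={claims.get('azp')!r})")
    if "exp" not in claims:
        problems.append("no exp claim")
    elif claims["exp"] <= now:
        problems.append("token expired")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} is not the expected realm")
    return problems


def make_sample_token(claims):
    """Build a constructed token with a dummy signature for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


# Constructed sample values, not taken from a real deployment.
ISSUER = "https://keycloak.example.invalid/realms/master"
SAMPLE = make_sample_token(
    {"iss": ISSUER, "aud": "account", "azp": "your-client-id", "exp": 2_000_000_000}
)

if __name__ == "__main__":
    claims = decode_claims(SAMPLE)
    for problem in policy_problems(claims, "your-client-id", ISSUER, now=1_900_000_000):
        print("FAIL:", problem)
```

In the sample, the client id appears only in `azp`, so the audience check fails even though the token is otherwise current and from the expected issuer.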
Subscription Keys
For APIs that use subscription keys instead of JWT:
```bash
# List subscriptions
az apim subscription list \
  --resource-group testing \
  --service-name cerebro-stg-apim \
  --output table
```