Automatic backups for Azure API Management

It’s a good practice to configure backups for your API Management instances in production.  A disaster can always occur, so it’s better that you are prepared for that.  Even when your API Management is completely deployed through automation, this advise still remains.  In most cases, your API Management gets deployed through multiple releases pipelines, so it becomes difficult for operators to figure out in what order they should run.

Some limitations

The API Management backup functionality comes with some caveats:

  • A backup mostly takes around 10 minutes
  • You can only restore backups to an APIM service with the same tier
  • The backups expire after 30 days
  • Backup functionality is not available in the consumption tier
  • API Management offers an API, you have to do the plumbing yourself

Technology choice

So we have to trigger the backup API ourselves on regular times.  There are several technology options:

  • Azure Automation, using the Azure PowerShell module for API Management
  • Azure Functions, using the Azure PowerShell module for API Management
  • Azure Logic Apps, using the API Management REST API

My preferred option is Logic Apps.  There are several reasons for this:

  • We can use Managed Identity for simple and secure authentication
  • Logic Apps are very user-friendly for operators to troubleshoot
  • It is very easy to manually trigger a Logic App run as an operator

Implementation

This is the high-level design:

(1) The backup Logic App has Managed Identity enabled.  This identity has the APIM Service Operator role assigned, on the API Management instance.

(2) Each night, at 01:00, the Logic App gets fired and calls the APIM backup endpoint, using the Managed Identity

(3) API Management takes care of the long-running backup process and stores the backup in the configured storage account container.

Community contribution

I have a production ready ARM template available on my GitHub page, that I want to share with the community.

It takes three input parameters:

  • apim_name: the name of the API Management service you want to backup (already existing)
  • backup_storage_account_name: the storage account on which you want to store the backup files (already existing)
  • location: defaults to the resource group location

The ARM template takes care of:

  • Creating a container in the storage account, to store the APIM backups
  • Deploying the Logic App that performs the backup, as describe earlier
  • Enabling Managed Identity on that Logic App
  • Creating a role assignment that gives the Logic App the APIM Service Operator role

Cheers!
Toon

About me

Hi! I’m Toon Vanhoutte, a hands-on Azure architect – based in Belgium – with a big passion for teaching and helping people out. I’m happy to assist you during your Azure journey with high-quality advisory and I would love to teach you Azure’s possibilities via my tailored training courses.

Subscribe to the blog