It’s good practice to configure backups for your production API Management instances. A disaster can always occur, so it’s better to be prepared. This advice holds even when your API Management is deployed entirely through automation: in most cases it gets deployed through multiple release pipelines, so it becomes difficult for operators to figure out in what order they should run.
The API Management backup functionality comes with some caveats:
- A backup typically takes around 10 minutes
- You can only restore backups to an APIM service with the same tier
- The backups expire after 30 days
- Backup functionality is not available in the consumption tier
- API Management offers a backup API, but you have to do the plumbing yourself
So we have to trigger the backup API ourselves on a regular schedule. There are several technology options:
- Azure Automation, using the Azure PowerShell module for API Management
- Azure Functions, using the Azure PowerShell module for API Management
- Azure Logic Apps, using the API Management REST API
My preferred option is Logic Apps. There are several reasons for this:
- We can use Managed Identity for simple and secure authentication
- Logic Apps are very user-friendly for operators to troubleshoot
- It is very easy to manually trigger a Logic App run as an operator
This is the high-level design:
(1) The backup Logic App has Managed Identity enabled. This identity has the APIM Service Operator role assigned on the API Management instance.
(2) Each night, at 01:00, the Logic App is triggered and calls the APIM backup endpoint, using the Managed Identity.
(3) API Management takes care of the long-running backup process and stores the backup in the configured storage account container.
I have a production-ready ARM template available on my GitHub page that I want to share with the community.
It takes three input parameters:
- apim_name: the name of the API Management service you want to back up (already existing)
- backup_storage_account_name: the storage account on which you want to store the backup files (already existing)
- location: defaults to the resource group location
The ARM template takes care of:
- Creating a container in the storage account, to store the APIM backups
- Deploying the Logic App that performs the backup, as described earlier
- Enabling Managed Identity on that Logic App
- Creating a role assignment that gives the Logic App the APIM Service Operator role
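
For orientation, this is what steps (1) to (3) of the high-level design look like as a Logic App workflow definition. It is an added sketch, not the ARM template from the GitHub page. The parameter names, the `apim-backups` container name, the API version and the use of a storage access key passed as a `SecureString` are assumptions. The recurrence fires at 01:00 UTC unless a `timeZone` is set, and `secureData` keeps the key out of the run history.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "apimResourceId": {
      "type": "String",
      "metadata": { "description": "Placeholder: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ApiManagement/service/<apim_name>" }
    },
    "storageAccountName": { "type": "String" },
    "storageAccessKey": {
      "type": "SecureString",
      "metadata": { "description": "Assumption: key supplied at deployment time, never hard-coded" }
    }
  },
  "triggers": {
    "Nightly": {
      "type": "Recurrence",
      "recurrence": {
        "frequency": "Day",
        "interval": 1,
        "schedule": { "hours": [ "1" ], "minutes": [ 0 ] }
      }
    }
  },
  "actions": {
    "Backup_APIM": {
      "type": "Http",
      "runAfter": {},
      "inputs": {
        "method": "POST",
        "uri": "https://management.azure.com@{parameters('apimResourceId')}/backup?api-version=2021-08-01",
        "body": {
          "storageAccount": "@parameters('storageAccountName')",
          "containerName": "apim-backups",
          "backupName": "@{utcNow('yyyy-MM-dd')}",
          "accessKey": "@parameters('storageAccessKey')"
        },
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://management.azure.com/"
        }
      },
      "runtimeConfiguration": { "secureData": { "properties": [ "inputs" ] } }
    }
  },
  "outputs": {}
}
```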