10 days ago, Microsoft announced the public preview of two new Azure API Management tiers: Basic v2 and Standard v2. You can find more information here. I got many questions about the consequence of these new tiers, hence this blog post 🙂
New features of the v2 tiers
Let’s first list the main new capabilities of the v2 tiers:
- Faster deployment and scaling: people that worked with Azure API Management before, know that creating a new instance typically took 45 to 70 minutes. The new tiers get instantiated in a few minutes, which is a huge difference. Also the scale out/in benefits of this faster scaling architecture. Personally, this is a nice to have for me. Besides some frustrations when working on the infra as code, I did not really get customer complaints about the slow creation time.
- Private networking: the Standard v2 tier supports VNET integration, which ensures that the outbound connectivity can flow directly into your private virtual network. This is a game-changer, definitely when we consider the pricing. This blog post will mostly cover this topic.
- Higher scale: the new tiers support up to 10 scale units, which is a 5x improvements compared to the traditional tiers
Comparing the different tiers
A nice comparison between all tiers can be found here. Before, I typically had the following checklist to determine the appropriate tier:
- A static IP address is required >> Don’t use the Consumption tier
- A backup/restore functionality is a must >> Don’t use the Consumption tier
- A production-worthy SLA is required >> Don’t use the Developer tier
- Azure AD for the developer portal is required >> Standard tier or higher
- A multi-region setup is required >> Use Premium tier
- Network security (inbound and outbound) is a must >> Use Premium tier
- The self-hosted gateway is needed >> Use Premium tier
- Availability zone support is required >> Use Premium tier
At most customers, network security is a must. This is a good thing. So in 95% percent of the cases, my recommendation was to use the Developer tier for non-production workloads and the Premium tier for the live environment. However, for many customers, the price tag of about 2600 EUR for a Premium instance was often a showstopper. Luckily, with the introduction of the Standard v2 tier, we have now a cheaper alternative. Hooray!
Virtual network integration
As discussed, this is the biggest game-changer, so let’s dive into the capabilities.
With Premium tier
For the sake of simplicity, we consider the internal VNET mode of the Premium tier. This is the most chosen option. In this scenario, API Management is really injected into your virtual network. This means that the API gateway is by default completely isolated from the internet. Because of the VNET injection, internal applications can consume your APIs (inbound) and API Management can connect to the backend APIs (outbound), both in the cloud and on-premises (over the VPN or ExpressRoute). In case you want to make a subset of the APIs available on public internet. it is recommended to put an Application Gateway at the border of your network, serving as a Web Application Firewall. For the people who have experience with Azure App Service, this option is similar to the App Service Environment deployment.
With Standard v2 tier
When using the Standard v2 tier, it is not possible to inject the API Management gateway into your virtual network, so by default this tier is available on public internet. Luckily, you can change this.
Let focus first on the inbound side. To ensure that the gateway can receive requests from internal applications – without the need to go over public internet – we can configure a private endpoint for our API Management instance. This gives the gateway a private IP address inside your virtual network, so it becomes accessible for your internal apps. In most cases, you want to disable public access on API Management, so do not forget to check this box!
On the outbound side, you don’t want to make your backend APIs available on public internet, so API Management can connect to them. Instead, you need to ensure that API Management can connect through your private network to these APIs. This is possible thanks to the brand new VNET integration feature, which requires a dedicated subnet.
For those who work with App Services, this is the same way you can make a multi-tenant App Service private. Even the look and feel of the user interface is the same!
With the new Standard v2 tier, we can privatize API Management for 1/4 of the premium price. Be aware that the load that is single Standard v2 unit can handle is probably lower than what the Premium tier can manage. Another remark is that the price for Standard v2 includes 50M API requests per month and that you have to pay per extra bucket of 1M API requests.
Can’t wait to deploy this more affordable solution at our customers! We still have to wait a few (?) months, because the Standard v2 tier is still in preview and not feature-complete yet.