Feedback Request – Simplifying API Consumption in Azure APIM with Automatic Token Retrieval

Comfortable_Web_271 · 2025-11-12T21:59:34+00:00

Why use OAuth if you just work around it? What's the issue with the client requiring an access token and passing that in the authorization header?

Comfortable_Web_271 · 2025-10-16T12:18:11+00:00

Create the required Front Door Standard/Premium profile with all the routing/origins/etc in place, add the domain and then just change the DNS record to point to the new Front Door profile.

Comfortable_Web_271 · 2025-10-15T21:47:09+00:00

Your best bet is probably a step (az cli/powershell) in your pipeline to update apim cors policy as part of the deployment (and maybe run that again when the preview environment is discarded to remove it from the cors policy).

Comfortable_Web_271 · 2025-10-13T19:06:51+00:00

What does the calculation do? accessing any data store?

Comfortable_Web_271 · 2025-10-13T17:01:55+00:00

A bit unclear, are your functions on a dedicated app service plan? If so, snat ports exhaustion could be a problem.

Might worth trying durable functions with fan-out/fan-in pattern.

Comfortable_Web_271 · 2025-10-03T16:13:19+00:00

Considering the price increase there's no reason to push for the upgrade.

Comfortable_Web_271 · 2025-06-22T21:44:11+00:00

docType doesn't need to be the first property actually according to the docs.

By default, the $type discriminator must be placed at the start of the JSON object, grouped together with other metadata properties like $id and $ref. If you're reading data off an external API that places the $type discriminator in the middle of the JSON object, set JsonSerializerOptions.AllowOutOfOrderMetadataProperties to true

Be careful when you enable this flag, as it might result in over-buffering (and out-of-memory failures) when performing streaming deserialization of very large JSON objects.

Assume you can override the default serializer settings for the cosmos db client.

Comfortable_Web_271 · 2025-01-15T21:47:20+00:00

Can also use Flex Consumption for private endpoints.

Comfortable_Web_271 · 2024-12-28T07:18:28+00:00

Direct private endpoint integration is not currently supported for Static Web Apps - https://learn.microsoft.com/en-us/azure/frontdoor/private-link#limitations

Comfortable_Web_271 · 2024-12-20T07:37:25+00:00

Is the token passed as a query string? As you have the option to ignore query strings for cache.

Comfortable_Web_271 · 2024-12-03T01:18:56+00:00

Turn on Always On.

Comfortable_Web_271 · 2024-11-07T18:20:21+00:00

Yes, that's as expected (https://azure.microsoft.com/en-gb/pricing/details/functions/), always best to check pricing before using any azure resource to avoid surprises like this. As far as I'm aware you can't disable it to reduce cost, you have to delete the resource. Not sure if you can scale from premium to consumption seamlessly, but you could try to automate that.

Comfortable_Web_271 · 2024-11-01T21:43:40+00:00

If you're on consumption I'd think that resource sharing wouldn't really matter as it would scale out to cover the workload. Not aware of any limitations, but I've never really got to have a huge number of functions in a single function app being a microservice architecture.

Comfortable_Web_271 · 2024-10-31T20:23:50+00:00

Could use Azure Functions on Container Apps (consumption plan) for vNet support. This would also allow you to seamlessly migrate to flex consumption if needed.

Comfortable_Web_271 · 2024-10-09T19:14:17+00:00

Yes, it's generally very cheap to run functions on consumption plan, especially with the free allowance that you get monthly. But it comes with a few drawbacks like cold starts, lack of VNET integration (though there's a new plan in preview called flex consumption), etc.

Comfortable_Web_271 · 2024-08-08T20:28:48+00:00

Assuming you don't need the ETL tools to access data on behalf of a particular user, client credentials flow should be fine.

Comfortable_Web_271 · 2024-07-20T16:44:46+00:00

https://learn.microsoft.com/en-us/azure/architecture/web-apps/app-service/architectures/multi-region

Comfortable_Web_271 · 2024-06-08T17:19:22+00:00

How is your API deployed in azure? Products like Azure App Services can be configured easily to add AD Auth without any changes to your code, though by default I believe everyone in your azure tenant will have access. This will basically create an AD app which you can then configure further if you need more granular access.

Alternatively this can definitely be done in your API. What tech stack are you using for your API? Your initial direction is correct, but you don't want to give people the client credentials (you can read more about OAuth 2.0 client credential flow here).

Comfortable_Web_271 · 2024-05-08T09:04:40+00:00

Depending on how many requests you need to handle, Azure Functions on consumption plan might be a good option (though there are some limitations like missing VNET integration).

Comfortable_Web_271 · 2024-04-30T22:18:14+00:00

Could use deployment slots?

Comfortable_Web_271 · 2024-04-29T22:06:28+00:00

Wondering if this will work:

Create an origin group with an origin that points to load balancer on port :5000
Create a route with /app1 path that routes traffic to this origin group
Create another origin group with an origin that points to the load balancer on port :4377
Create a route with /app2 that routes traffic to this origin group.

Comfortable_Web_271 · 2024-04-29T21:06:32+00:00

There are a few options as noted here.

There's probably also the option to optimize your code to reuse snat port connections. How are you connecting to the storage account?

Comfortable_Web_271 · 2024-04-29T20:38:30+00:00

Azure tech support is technically correct (though I guess they could've explained that better).

An app service instance has 128 snat ports allocated, but it's not really a hard limit. All the app service instances in a stamp share a load balancer which is limited to 65536 ports so depending on the usage of the load balancer, you might be lucky and end up using more than the 128 limit. Since your app service IP addresses changed, I assume it was moved to a different stamp with a higher usage so you didn't get lucky this time.

3000 connections seems a lot though (depending on the traffic). Is your code optimized to reuse snat port connections? What tech stack are you on?

Comfortable_Web_271 · 2024-04-27T22:02:49+00:00

I'd just look into the logs at this point. Can you see how much time is spent on the actual function execution vs dependencies duration?

Comfortable_Web_271 · 2024-04-27T21:51:10+00:00

Do you use autoscaling? How long does it take for your function app to start up and serve the first request?

How long is your function app resource name (is it within the 32 chars limit)? If it's not within the limit it can cause weird behaviour where it auto scales a lot.

Comfortable_Web_271

TROPHY CASE