How to set up API Management to make sure all data stays inside a region? - azure-api-management

I want to create a new API Management instance in the EU and make sure my data in APIM cannot leave the EU geographic zone.

Based on the Microsoft documentation, the data will not leave the configured region.
Data residency in Azure provides information about where data is kept, based on the selected regions:
Most Azure services enable you to specify the region where your customer data will be stored and processed. Microsoft may replicate to other regions for data resiliency, but Microsoft will not store or process customer data outside the selected Geo. You and your users may move, copy, or access your customer data from any location globally.
Customers can configure the following Azure services, tiers, or plans to store customer data only in a single region:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-deploy-multi-region
Only the gateway component of API Management is deployed to all regions. The service management component and developer portal are hosted in the Primary region only.

Related

How to hide my product and API from other developers in centralized shared Azure APIM service instance?

We have a centralized development instance of Azure API Management Service where developers from different agencies/organizations create their Products, APIs and subscriptions. Essentially they have the Contributor role on the resource group of the APIM instance. This is a centralized, shared APIM instance.
I can probably create a custom RBAC role that allows me to edit only my API, but I am not sure how to hide my own APIs and products from others.
Is there a way for developers to hide their Products and APIs entirely from other developers in the admin portal as well as in the Developer portal?
Have you tried implementing the restriction at the product level?
Check your user list.
Create a group by selecting the required members.
Create a product (add the required APIs) -> Go to Access control -> Add a group (you may remove the Administrators group)

Oracle Cloud Infrastructure - Replicate Vault Across Regions

I have created a vault/key under a compartment.
As the Vault service is a regional service, it is only available in the region where I created it.
Even if the tenancy subscribes to multiple regions, the compartment shows up but the Vault is still not available in those regions. Is there a way we could replicate Vault / Key / Secrets while the tenancy subscribes to multiple regions?
I have not done this myself, but you could try this approach and see if the following steps will work for you:
Step 1. Use the BackupKey/BackupVault API (from Vault Service) in the SOURCE region to create the relevant key/vault encrypted file(s).
Step 2. Use the CopyObject API (from Object Storage Service) to copy the file(s) created in Step 1 from your SOURCE region to all DESTINATION regions.
Step 3. Use the RestoreKey/RestoreVault API (from Vault Service) to restore the key/vault in the DESTINATION regions. See

IBM Watson Assistant: How to read data from an AWS MySQL table and determine dialogue based on the data (Yes or No)?

We have an AWS MySQL users table that has a column (flag) to indicate if the user is a paid member or not (Yes or No).
Can IBM Watson Assistant on IBM Cloud read the data, given the user ID, and depending on whether it's Yes or No, proceed to a different dialogue sequence?
Do you have an example of how to do it?
It is possible to reach out to database systems from within an IBM Watson Assistant dialog. For an example including code see this IBM Cloud solution tutorial on building a database-driven Slackbot.
Watson Assistant supports so-called programmatic calls from within a dialog node. These allow the dialog to either signal the calling application to perform some action or to invoke an IBM Cloud Functions action. In the mentioned tutorial, Cloud Functions is used to reach out to a database system to retrieve or insert data.
In your case, you would write an IBM Cloud Functions action, would need to bind the credentials, and then, in the chatbot dialog, invoke that action to check for the member status.

How to set up Azure API Management for a multi-tenant API

I have a multi-tenant application which exposes some APIs for our customers to use. I would like to expose them using Azure API Management, mostly to provide the Developer Portal to our customers, which I find very useful, and maybe to use some other features.
If I understand correctly, our customers will set up their own subscription keys for authentication, which the API Management proxy will validate.
Question: How can I link and identify a user/subscription with the tenant of my application, to ensure that only data from this tenant is returned?
One direction I can see to explore is to use delegated sign-up, which I guess will help me link a subscription to the tenant. But then the question is still how to get the user id in my backend API?
Any direction to documentation or samples is much appreciated.
You could create separate groups in APIM to represent your tenants and then put users into those groups using delegation hookups. Within APIM policy expressions you can reference context.User.Groups to list the groups the user making the call belongs to, and forward that information to the backend.
Alternatively you could use the Note field to store the tenant name and access it as context.User.Note. Or, if you're willing to store the mapping on your side, just take the id from context.User.Id.
All of the above could be passed as a header using the set-header policy like:
<set-header name="userId">
<value>@(context.User.Id)</value>
</set-header>
All scenarios would require you to have delegation set up to fill in this information automatically for every new user created.
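An inbound policy that ties the approach above together, added here as an example and not part of the original answer. It assumes that tenant groups are named with a hypothetical "tenant-" prefix, that the API requires a subscription (so context.User is set), and that the backend reads the made-up headers X-Tenant and X-User-Id; exists-action="override" is used so a header supplied by the caller can never replace the value the gateway derives.

```xml
<policies>
  <inbound>
    <base />
    <!-- Assumption: every tenant user is a member of exactly one group named tenant-<name>.
         Callers without such a group get no further than the gateway. -->
    <choose>
      <when condition="@(!context.User.Groups.Any(g => g.Name.StartsWith(&quot;tenant-&quot;)))">
        <return-response>
          <set-status code="403" reason="Forbidden" />
          <set-body>No tenant assigned to this subscription.</set-body>
        </return-response>
      </when>
    </choose>
    <!-- Derive the tenant from the APIM group, never from anything the client sent.
         override replaces any X-Tenant header the caller may have added. -->
    <set-header name="X-Tenant" exists-action="override">
      <value>@(context.User.Groups.First(g => g.Name.StartsWith("tenant-")).Name.Substring("tenant-".Length))</value>
    </set-header>
    <!-- Forward the APIM user id so the backend can map it to its own user records. -->
    <set-header name="X-User-Id" exists-action="override">
      <value>@(context.User.Id)</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

The backend should still only trust these headers on traffic that it can verify came from the gateway (for example via a backend-side secret header or network restriction), since a client that can reach the backend directly bypasses the policy.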

Google cloud instance instantiation - Authorized GAE

My task is to create MySQL inside Google Cloud SQL. Following the instructions, I tried to set up an instance, without luck. The problem is the message
"Authorized GAE applications must be in the same region as the database instance"
even though I have checked the region setting of both the instance and the application and they match. I don't know what I should put in the "authorized networks" box. Thanks in advance.
That message means you chose a region (EU for example) for your Cloud SQL instance that is different from the region of the App Engine application (US for example) from which you created the Cloud SQL instance.
From the documentation:
Note: An App Engine application must be in the same region (either European Union or United States) as a Google Cloud SQL instance to be authorized to access that Google Cloud SQL instance.
As the GAE location can't be changed, you should change the region of the Cloud SQL instance, which also can't be changed. So you'd need to create a new instance in the exact region of your app.
Authorized networks are exactly what Paul said: the IPs or subnetworks you want to whitelist to access your instance, only needed if you plan to access your instance with a MySQL client.