Mastering automated API deployments with API Ops methodology
Mastering API Deployments with API Ops: Azure DevOps vs GitHub Implementation Guide
• API Management, API Ops, DevOps, Azure DevOps, GitHub Actions, CI/CD, Azure, Code Night, New Zealand
• 24 min read
Welcome to another insightful session from Code Night New Zealand! In this special presentation, we dive deep into API Ops methodology and explore how to implement automated API deployments using both Azure DevOps and GitHub.
What is API Ops?
Understanding the Evolution: DevOps → GitOps → API Ops
API Ops is the natural evolution of DevOps practices specifically applied to the API development lifecycle. Let’s break down this progression:
DevOps Foundation
DevOps is a methodology that integrates and automates the work of software development and IT operations, binding together practices from different teams:
GitOps introduces version control as the single source of truth, with Git being the most popular choice. This creates a systematic approach to infrastructure and application management.
API Ops Definition
API Ops applies DevOps and GitOps practices specifically to the API development lifecycle, encompassing:
API Design: OpenAPI specifications and contracts
API Development: Implementation and testing
API Deployment: Automated provisioning and configuration
API Management: Policies, monitoring, and governance
API Operations: Maintenance and continuous improvement
# Extract the toolkitunzip apiops-release.zip
# Available pipelines:├── run-extractor.yml # Extracts current API Management state├── run-publisher.yml # Publishes changes to API Management└── run-publisher-with-env.yml # Multi-environment publisher
2. Service Connection Configuration
Recommended Approach: Use Workload Identity Federation (no secrets required)
1
2
3
4
5
6
7
8
9
# Service Connection SettingsconnectionType:workloadIdentityFederationsubscriptionId:$(AZURE_SUBSCRIPTION_ID)resourceGroup:$(RESOURCE_GROUP_NAME)servicePrincipal:auto-generated# Required Permissions:# - API Management Contributor# - Resource Group Contributor (if creating resources)
Alternative: Service Principal with Certificate/Secret
1
2
3
4
# Only use if Workload Identity Federation is not availableconnectionType:servicePrincipalauthenticationType:spnCertificate# or: spnKey for secret-based authentication
3. Repository Permissions
Configure the build service account to create pull requests:
1
2
3
4
# Grant Contributor access to build serviceProject Settings > Repositories > Security
Add: [Project Name] Build Service (organization-name)Permissions: Contribute, Create branch, Create pull request
# Create service principal for developmentaz ad sp create-for-rbac --name "api-ops-dev"\
--role "API Management Service Contributor"\
--scopes /subscriptions/{subscription-id}/resourceGroups/{dev-rg}\
--sdk-auth
# Create service principal for production az ad sp create-for-rbac --name "api-ops-prod"\
--role "API Management Service Contributor"\
--scopes /subscriptions/{subscription-id}/resourceGroups/{prod-rg}\
--sdk-auth
3. GitHub Secrets Configuration
Store the service principal output as GitHub secrets:
# backends/api-todo-backend.ymlname:api-todo-backendtitle:"API Todo Backend Service"description:"Backend service for Todo API operations"url:"https://localhost:5000"# Default/template URLprotocol:httpcredentials:authorization:scheme:bearerparameter:"{{backend-auth-token}}"proxy:url:"{{proxy-url}}"username:"{{proxy-username}}"password:"{{proxy-password}}"tls:validateCertificateChain:truevalidateCertificateName:true
Policy Fragment Management
Correlation ID Policy Fragment (policies/correlation-id-fragment.xml)
# .spectral.ymlextends:["@stoplight/spectral/dist/rulesets/oas/index.json"]rules:# Enforce API versioningapi-version-required:description:"API must have version in path"given:"$.paths.*~"then:function:patternfunctionOptions:match:"^/v[0-9]+/"# Enforce correlation ID headercorrelation-id-header:description:"All operations must accept correlation-id header"given:"$.paths.*.*.parameters[?(@.in === 'header')]"then:function:schemafunctionOptions:schema:type:objectproperties:name:enum:["correlation-id","x-correlation-id"]# Enforce response schemasresponse-schema-required:description:"All success responses must have schema"given:"$.paths.*.*.responses[?(@property.match(/^2/))]"then:field:"content.application/json.schema"function:truthy# Security requirementssecurity-defined:description:"All operations must have security requirements"given:"$.paths.*.*"then:field:"security"function:truthy
# .spectral-apim.ymlextends:[".spectral.yml"]rules:# API Management specific rulesapim-policy-required:description:"APIs should have rate limiting policies"given:"$.paths.*.*"then:function:custom-apim-policy-checkapim-backend-required:description:"APIs must reference a backend service"given:"$.info"then:function:custom-backend-reference-checkapim-product-assignment:description:"APIs should be assigned to products"given:"$.info"then:function:custom-product-assignment-check
Visual Studio Code Extension Integration
For development productivity, use the Azure API Management extension for VS Code:
{"openapi":"3.0.3","info":{"title":"Todo API","description":"A simple Todo list API with correlation tracking","version":"1.0.0","contact":{"name":"API Team","email":"api-team@company.com"}},"servers":[{"url":"https://api.company.com/v1","description":"Production server"}],"paths":{"/todos":{"get":{"summary":"Get all todos","operationId":"getTodos","parameters":[{"name":"correlation-id","in":"header","required":true,"schema":{"type":"string","format":"uuid"},"description":"Correlation ID for request tracing"}],"responses":{"200":{"description":"List of todos","content":{"application/json":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/Todo"}}}}},"400":{"description":"Bad request - missing correlation ID"}},"security":[{"apiKey":[]}]},"post":{"summary":"Create a new todo","operationId":"createTodo","parameters":[{"name":"correlation-id","in":"header","required":true,"schema":{"type":"string","format":"uuid"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateTodoRequest"}}}},"responses":{"201":{"description":"Todo created successfully","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Todo"}}}}}}}},"components":{"schemas":{"Todo":{"type":"object","properties":{"id":{"type":"integer","format":"int64"},"title":{"type":"string"},"completed":{"type":"boolean"},"createdAt":{"type":"string","format":"date-time"}}},"CreateTodoRequest":{"type":"object","required":["title"],"properties":{"title":{"type":"string","minLength":1,"maxLength":100}}}},"securitySchemes":{"apiKey":{"type":"apiKey","in":"header","name":"Ocp-Apim-Subscription-Key"}}}}
Step 2: Configure Backend Services
Development Backend (configuration.dev.yml)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# Development environment backend configurationbackends:- name:api-todo-backendurl:"https://todo-api-dev.company.com"protocol:httpscredentials:header:authorization:"Bearer {{dev-api-token}}"tls:validateCertificateChain:truenamedValues:- name:dev-api-tokenvalue:"dev-bearer-token-value"secret:true
Production Backend (configuration.prod.yml)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# Production environment backend configurationbackends:- name:api-todo-backendurl:"https://todo-api-prod.company.com"protocol:httpscredentials:header:authorization:"Bearer {{prod-api-token}}"tls:validateCertificateChain:truenamedValues:- name:prod-api-tokenvalue:"prod-bearer-token-value"secret:true
Step 3: Deploy and Test
Execute the Pipeline
1
2
3
4
5
6
7
8
9
# For Azure DevOpsaz pipelines run --name "API-Ops-Publisher"\
--variables API_MANAGEMENT_SERVICE_NAME=your-apim-instance \
--variables RESOURCE_GROUP_NAME=your-resource-group
# For GitHub Actions gh workflow run publish.yml \
-f apimServiceName=your-apim-instance \
-f resourceGroupName=your-resource-group
Verify Deployment
1
2
3
4
5
6
# Test the deployed APIcurl -X GET "https://your-apim.azure-api.net/todo/v1/todos"\
-H "Ocp-Apim-Subscription-Key: your-subscription-key"\
-H "correlation-id: $(uuidgen)"# Expected Response: 200 OK with todo list
Platform Comparison: Azure DevOps vs GitHub
Azure DevOps Advantages
✅ Seamless Azure Integration
Native service connections with Workload Identity Federation
Integrated with Azure Active Directory
Built-in Azure resource management
✅ Enterprise Features
Robust approval workflows and gates
Advanced pipeline templates and inheritance
Comprehensive audit and compliance tracking
✅ Mature DevOps Toolchain
Integrated work item tracking
Built-in test management
Advanced reporting and analytics
GitHub Advantages
✅ Developer-Friendly Experience
Familiar Git workflow and interface
Excellent code review capabilities
Strong community and ecosystem
✅ Advanced Automation
Powerful GitHub Actions marketplace
Flexible workflow triggers and conditions
Easy integration with third-party tools
✅ Cost Effectiveness
Generous free tier for public repositories
Competitive pricing for private repositories
No additional costs for basic CI/CD
Configuration Complexity Comparison
Azure DevOps
1
2
3
4
5
# Easier setup for Azure-native scenarios- Service Connection:✅ One-click setup (with proper permissions)- Variables:✅ Centralized variable groups- Environments:✅ Built-in approval gates- Permissions:⚠️ Requires build service configuration
GitHub
1
2
3
4
5
# More setup required but flexible- Authentication:⚠️ Manual service principal creation required- Secrets:✅ Easy secret management- Environments:⚠️ Protection rules require Enterprise license- Permissions:✅ Simple workflow permissions
Troubleshooting Common Issues
Azure DevOps Issues
Build Service Permissions Error
1
2
3
4
5
# Error: TF401027: You need the Git 'CreateBranch' permission# Solution: Grant contributor access to build serviceProject Settings > Repositories > Security
Add: [Project] Build Service ([Organization])Permissions: ✓ Contribute, ✓ Create branch, ✓ Create pull request
Service Connection Authentication Failed
1
2
3
4
5
6
7
# Error: Forbidden - Invalid credentials# Solutions:1. Use Workload Identity Federation (recommended)2. Verify service principal has proper RBAC roles:
- API Management Service Contributor
- Resource Group Contributor
3. Check subscription and tenant IDs are correct
Variable Group Not Found
1
2
3
4
5
6
7
# Error: Could not find variable group 'apim-automation'# Solution: Create variable group with required variables:- API_MANAGEMENT_SERVICE_NAME
- APIOPS_RELEASE_VERSION
- RESOURCE_GROUP_NAME
- REPOSITORY_NAME
- TARGET_FOLDER_NAME
GitHub Issues
Workflow Permissions Error
1
2
3
4
5
# Error: Resource not accessible by integration# Solution: Enable workflow permissionsSettings > Actions > General > Workflow Permissions:
✓ Read and write permissions
✓ Allow GitHub Actions to create and approve pull requests
# Issue: No approval required for production deployment# Solution: GitHub Enterprise required for protection rules# Workaround: Use workflow_dispatch with manual triggers
Common API Ops Issues
Configuration File Syntax Errors
1
2
3
4
5
6
7
# ❌ Common mistake: Using tabs instead of spacesbackends:- name:api-backend # Tab character causes YAML parsing error# ✅ Correct: Use spaces for indentation backends:- name:api-backend # 2-space indentation
# Error: OpenAPI specification validation failed# Common issues:1. Missing required headers (correlation-id)2. No security definitions
3. Missing response schemas
4. Invalid API versioning in paths
# Solution: Update OpenAPI spec to match Spectral rules
Best Practices and Recommendations
🔒 Security Best Practices
1. Secrets Management
1
2
3
4
5
6
7
8
9
10
# ✅ Use Key Vault references for sensitive valuesnamedValues:- name:database-connection-stringkeyVault:secretIdentifier:"https://vault.vault.azure.net/secrets/db-conn-string"# ❌ Never commit secrets in plain textnamedValues:- name:api-keyvalue:"super-secret-key-123"# Never do this!
2. Least Privilege Access
1
2
3
4
# Service Principal Permissions (minimum required)- API Management Service Contributor # For APIM operations- Key Vault Secrets User # For secret access (if using Key Vault)- Reader # For resource group access
3. Network Security
1
2
3
4
5
6
# Configure IP restrictions for management accessmanagement:restrictAccess:trueallowedIPs:- "10.0.0.0/8"# Corporate network- "192.168.1.0/24"# VPN network
🚀 Performance Optimization
1. Optimize Pipeline Execution
1
2
3
4
5
6
7
8
# Use pipeline caching for faster builds- task:Cache@2inputs:key:'apiops | $(Agent.OS) | $(Build.SourceVersion)'path:$(Pipeline.Workspace)/.apiops-cacherestoreKeys:| apiops | $(Agent.OS)
apiops
2. Parallel Environment Deployments
1
2
3
4
5
6
7
8
# Deploy non-production environments in parallelstrategy:matrix:development:environment:'dev'testing:environment:'test'maxParallel:2
📊 Monitoring and Observability
1. Custom Dashboards
1
2
3
4
5
6
7
8
9
10
11
12
13
{"title":"API Ops Deployment Dashboard","widgets":[{"title":"Deployment Success Rate","query":"traces | where customDimensions.pipeline == 'api-ops-publisher' | summarize SuccessRate = avg(toint(customDimensions.success)) by bin(timestamp, 1d)"},{"title":"API Response Times","query":"requests | where name contains 'todo-api' | summarize avg(duration) by bin(timestamp, 5m)"}]}
2. Automated Testing Integration
1
2
3
4
5
6
7
8
# Add API testing to pipeline- task:Newman@4displayName:'Run API Tests'inputs:collectionFileSource:'URL'collectionURL:'https://api.company.com/postman/todo-api-tests.json'environmentFileSource:'URL'environmentURL:'https://api.company.com/postman/environments/$(Environment).json'
# Planned: Support for multiple cloud providersenvironments:- name:azure-prodprovider:azureapimInstance:"azure-apim-prod"- name:aws-prod provider:awsapiGateway:"aws-gateway-prod"
3. Enhanced Observability
1
2
3
4
5
6
7
8
9
# Roadmap: Built-in observability and analyticsobservability:traces:enabled:truesamplingRate:0.1metrics:customMetrics:["response-time","error-rate"]alerts:channels:["teams","slack","email"]
Conclusion
API Ops represents a significant evolution in API management, bringing the proven practices of DevOps to the API development lifecycle. Whether you choose Azure DevOps or GitHub, both platforms provide robust capabilities for implementing API Ops with Azure API Management.
Key Takeaways
🎯 Automation First: API Ops eliminates manual configuration drift between environments
🔄 Git as Source of Truth: All API configurations versioned and auditable 🚀 Faster Deployments: Automated pipelines reduce deployment time from hours to minutes
🛡️ Improved Quality: Built-in validation with Spectral ensures API consistency
📊 Better Visibility: Clear audit trail of all API changes and deployments
Platform Decision Matrix
Factor
Azure DevOps
GitHub
Azure Integration
⭐⭐⭐⭐⭐ Native
⭐⭐⭐ Good
Setup Complexity
⭐⭐⭐⭐ Easy (with permissions)
⭐⭐ Moderate
Enterprise Features
⭐⭐⭐⭐⭐ Comprehensive
⭐⭐⭐ Good
Developer Experience
⭐⭐⭐ Good
⭐⭐⭐⭐⭐ Excellent
Cost
⭐⭐⭐ Moderate
⭐⭐⭐⭐ Lower
Community
⭐⭐⭐ Corporate
⭐⭐⭐⭐⭐ Vibrant
Getting Started Checklist
Phase 1: Foundation (Week 1)
Choose platform (Azure DevOps vs GitHub)
Set up service connections/authentication
Configure repository permissions
Download and customize API Ops toolkit
Phase 2: Basic Implementation (Week 2-3)
Run extractor to baseline current state
Set up basic publisher pipeline
Configure environment-specific settings
Test deployment to development environment
Phase 3: Production Readiness (Week 4-6)
Implement approval workflows
Add Spectral validation rules
Set up monitoring and alerting
Create documentation and runbooks
Deploy to production with approval gates
Phase 4: Advanced Features (Ongoing)
Implement automated testing
Add custom policy fragments
Set up advanced monitoring dashboards
Create reusable pipeline templates
Call to Action
Start your API Ops journey today! Choose the platform that best fits your organization’s needs and begin with a simple pilot project. The investment in automation will pay dividends as your API portfolio grows.
Remember: API Ops is not just about tools - it’s about culture, collaboration, and continuous improvement in your API development lifecycle.
Ready to transform your API management with API Ops? Start with our step-by-step implementation guide and join the growing community of API Ops practitioners! 🚀
Join the conversation! Share your thoughts and connect with other readers.