We are excited to announce the general availability of workspaces in Azure API Management! Workspaces enable organizations to manage APIs more productively, securely, and reliably using a federated approach.
Enhanced Autonomy and Productivity
Workspaces bring a new level of autonomy to API teams, enabling them to create, manage, and publish APIs faster, more reliably, securely, and productively within an API Management service. By providing isolated administrative access and API runtime, workspaces empower API teams, while allowing the API platform team to retain oversight with central monitoring, enforcement of API policies and compliance, and publishing APIs for discovery through a unified developer portal.
Isolated Administrative Access and API Runtime
Workspaces function like "folders" within an API Management service. Each workspace contains APIs, products, subscriptions, named values, and related resources. Access to resources within a workspace is managed through Azure's role-based access control (RBAC) with built-in or custom roles assignable to Microsoft Entra accounts.
Workspaces now offer API runtime isolation through association with a workspace API gateway, allowing teams to manage gateways and their configurations. Segregated runtimes ensure that faults, such as gateway resource starvation or cybersecurity incidents, are contained within individual workspaces, preventing them from affecting all of the organization's APIs. Runtime isolation also enables attribution of issues and platform usage to a workspace.
Learn how to create a workspace in API Management.
Independent Deployment Lifecycles
Each workspace typically follows its own deployment lifecycle. The APIOps toolkit release 6.0.2 introduces support for automated deployment of workspaces across API Management services representing different environments. Additionally, the management API version 2023-09-01-preview enables programmatic management of workspaces.
Federated API Management with Workspaces
Workspaces bring first-class support for a federated model of managing APIs in Azure API Management, complementing the existing centralized and siloed models.
Centralized Model
In the centralized model, organizations use a single API Management service shared among multiple API teams without isolating administrative access or API runtime. While this setup simplifies API governance and discovery, it can cause the platform team to become a bottleneck as more API teams are onboarded. Additionally, runtime issues or misconfigurations can lead to platform-wide outages, with the API gateway being a single point of failure.
Siloed Model
In the siloed API management model, each API team owns and operates its own API Management service. While this approach provides full isolation of administrative access and API runtime missing in the centralized model, it leads to internal proliferation of services, making infrastructure maintenance challenging, increasing costs, and resulting in fragmented and ineffective API governance and discovery.
Federated Model with Workspaces
Workspaces enable organizations to adopt a federated approach to API management, combining the benefits of both centralized and siloed models. Workspaces allow API teams to independently, effectively, and efficiently manage APIs throughout their lifecycle, while platform teams can enforce runtime policies for APIs across workspaces, centralize platform logs and metrics (coming soon), implement chargeback by attributing gateway costs to teams in the organization, and facilitate API discovery and onboarding through a unified developer portal.
Upcoming Improvements
With their general availability, workspaces serve as an excellent tool for federating API management in organizations where teams need or benefit from full API runtime isolation. We are actively working on new features and improvements to workspaces:
- Shared gateways: Optimize platform costs by associating multiple workspaces with a shared gateway, if complete runtime isolation between workspaces isn’t required
- Managed identity support: Authenticate with user-assigned managed identity within workspaces
- Regional availability: Use workspaces in API Management services in more regions
- Faster provisioning: Create workspace gateways in minutes
- Enhanced monitoring: Complement Application Insights telemetry with Azure Monitor logs and metrics
Get Started Today
By isolating administrative access and API runtime for API teams and centralizing API governance and discovery, workspaces increase productivity and improve the reliability and security of APIs managed with API Management. Learn how to get started with workspaces.
Migrating from Preview to Generally Available Workspaces
As part of the general availability of workspaces, we are discontinuing support for preview workspaces in API Management. To continue using workspaces created during the preview, you need to make the following changes:
- Associate workspaces with a workspace gateway: Each workspace must be associated with a workspace gateway that isolates the workspace's runtime traffic, enhancing API reliability, resiliency, and observability. In preview, workspaces shared a gateway with the service.
- Remove workspaces’ dependency on service-level managed identity: Service-level managed identity can no longer be used in workspaces, as it may compromise the platform’s reliability and security. We are working on enabling managed identity support within workspaces.
Workspaces without a workspace gateway or relying on service-level managed identity will stop working after March 31, 2025. Learn more about these changes and how to migrate your preview workspaces. If you need to associate multiple workspaces with a shared gateway to migrate to the general availability version of workspaces, this feature will be available before the changes take effect.
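A pre-migration check for the managed identity requirement above, as an added example that is not Microsoft's tooling. It assumes the dependency shows up in two places, the `authentication-managed-identity` policy element and Key Vault-backed named values, and that workspace artifacts have been exported to files; the paths and values in the sample are constructed.

```python
import json
import re

# Policy element that obtains a token with the service's managed identity.
# Regex, not an XML parser: policies containing @(...) expressions are not
# always well-formed XML.
MI_POLICY = re.compile(r"<authentication-managed-identity\b[^>]*>", re.I)
XML_COMMENT = re.compile(r"<!--.*?-->", re.S)

def scan_policy(path, xml):
    """Flag managed-identity authentication in a policy, ignoring commented-out XML."""
    active = XML_COMMENT.sub("", xml)
    return [(path, "policy", m.group(0)) for m in MI_POLICY.finditer(active)]

def scan_named_value(path, text):
    """Flag Key Vault-backed named values, which are resolved with a managed identity."""
    kv = json.loads(text).get("properties", {}).get("keyVault")
    if not kv:
        return []
    return [(path, "named value", kv.get("secretIdentifier", "<no secretIdentifier>"))]

def audit(artifacts):
    """artifacts: {path: file content} exported from one workspace (assumed layout)."""
    findings = []
    for path, content in sorted(artifacts.items()):
        if path.endswith(".xml"):
            findings += scan_policy(path, content)
        elif path.endswith(".json"):
            findings += scan_named_value(path, content)
    return findings

# Constructed sample export (hypothetical paths and values).
SAMPLE = {
    "apis/orders/policy.xml": """<policies><inbound><base />
        <authentication-managed-identity resource="https://storage.azure.com/" />
      </inbound></policies>""",
    "apis/catalog/policy.xml": """<policies><inbound><base />
        <!-- <authentication-managed-identity resource="https://example.invalid/" /> -->
        <set-header name="X-Trace" exists-action="override"><value>@(context.RequestId.ToString())</value></set-header>
      </inbound></policies>""",
    "named-values/db-password.json": json.dumps({"properties": {
        "displayName": "db-password", "secret": True,
        "keyVault": {"secretIdentifier": "https://example-kv.vault.azure.net/secrets/db-password"}}}),
    "named-values/region.json": json.dumps({"properties": {
        "displayName": "region", "value": "westeurope"}}),
}

if __name__ == "__main__":
    for path, kind, detail in audit(SAMPLE):
        print(f"{path}: {kind} depends on managed identity: {detail}")
```

Each finding is a policy or named value that needs a different credential source before the workspace is migrated; the commented-out policy element in the catalog API is deliberately not reported.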
Explore the power of workspaces and take your API management to the next level today!