Understanding APIM's Mechanism for Importing Open API Specification Files via URL

Divyam CHADHA 20 Reputation points
2025-03-03T10:18:06.3266667+00:00

When you import an API to APIM via the Azure CLI, you can either provide the path to your Open API Specification (OAS) file (--specification-path) or the URL to the OAS (--specification-url).

Question 1: Why is importing OAS via URL able to import larger specification files?

When you pass the OAS file inline (via specification path), you are limited to file sizes up to 4 MB. However, when you pass the specification URL, you are able to import larger OAS files to APIM. My first question is: why is that? I suspect the Azure CLI, behind the scenes, is parsing my specification file and using the Resource Management API to build the API in segments on APIM. But I am unable to find any concrete documentation on this.

Question 2: Who (APIM or Compute Service where az cli is used) is making the call to fetch the OAS?
My next question is: who is making the call to fetch the API specification? Let's consider this scenario:
My specification file is present on a blob in a storage account on Azure, and I am executing the az apim api import command on a GitHub Runner. I fetch a SAS token and use that along with the URL to my blob.
Then is it APIM that makes the network call to the storage account directly to fetch the file?
Or is it the GitHub Runner that makes the call to the storage account and then passes the specification on to APIM?
I am trying to understand networking constraints for my use case. If my storage account is behind a private network, will my APIM be able to use the URL for specification then?
Any links to documentation that highlights relevant behavior will be highly appreciated.

Question 3: Is header-based auth possible for specification-url?
And my third and last question: is it possible to have some kind of header-based authentication tied to the specification-url? Can my specification be provided by an API that uses a bearer token for auth? The documentation for importing the API does not highlight any details regarding this.

Any links to documentation, white papers or answers to previous questions will be appreciated! Thanks a lot

Azure API Management

Accepted answer
  1. RithwikBojja 3,055 Reputation points Microsoft External Staff Moderator
    2025-03-17T06:40:47.68+00:00

    Hi @Divyam CHADHA,

    • ARM imposes a 4MB limit when the OAS specification is provided inline in the create API request. However, this limitation is bypassed when the specification is provided by reference and fetched from the URL by API Management.
    • Authentication credentials must be included in the URL.
    • APIM calls Azure Storage using the SAS URL. The GitHub runner only sends the SAS URL to APIM; it does not download it. If the storage account has a private endpoint, APIM should also be in the VNet where the private endpoint is. Otherwise, APIM cannot fetch the file.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

    1 person found this answer helpful.
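
The flow described in the accepted answer, as an added example that is not part of the original thread or Microsoft's documentation: import inline when the spec fits the 4 MB limit, otherwise hand APIM a short-lived, read-only SAS URL and mask that URL in the GitHub Actions log, since the credential travels inside it. Assumptions: a Linux runner with GNU `date`, a signed-in identity allowed to issue a user-delegation SAS, an OpenAPI YAML spec, and caller-supplied resource names; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Resource names are supplied by the caller.
# Assumptions: GNU date (Linux runner); the caller's identity may issue a
# user-delegation SAS; the 4 MB inline limit is taken as 4 * 1024 * 1024 bytes.

INLINE_LIMIT_BYTES=$((4 * 1024 * 1024))

# Print "inline" when the spec fits the inline limit, "url" otherwise.
import_mode() {
  local size
  size=$(wc -c < "$1") || return 1
  if [ "$size" -le "$INLINE_LIMIT_BYTES" ]; then echo inline; else echo url; fi
}

# Print a read-only, HTTPS-only SAS URL for one blob that expires in 15 minutes.
make_sas_url() {  # args: account container blob
  local expiry
  expiry=$(date -u -d '+15 minutes' '+%Y-%m-%dT%H:%MZ') || return 1
  az storage blob generate-sas --account-name "$1" --container-name "$2" \
    --name "$3" --permissions r --expiry "$expiry" --https-only --full-uri \
    --auth-mode login --as-user --output tsv
}

# Import the spec inline when it fits, otherwise by reference through the SAS URL.
import_spec() {  # args: rg apim api_id api_path spec_file account container blob
  local mode url
  mode=$(import_mode "$5") || return 1
  if [ "$mode" = inline ]; then
    az apim api import --resource-group "$1" --service-name "$2" --api-id "$3" \
      --path "$4" --specification-format OpenApi --specification-path "$5"
  else
    url=$(make_sas_url "$6" "$7" "$8") || return 1
    # The SAS token is a credential carried in the URL: register it as a
    # secret so the runner redacts it from any later log output.
    if [ "${GITHUB_ACTIONS:-}" = true ]; then echo "::add-mask::$url"; fi
    az apim api import --resource-group "$1" --service-name "$2" --api-id "$3" \
      --path "$4" --specification-format OpenApi --specification-url "$url"
  fi
}
```

Because APIM, not the runner, fetches the URL, the SAS only needs to outlive the import call, and the storage firewall or private endpoint must admit APIM rather than the runner.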
