Merge pull request #227058 from dlepow/gqlgaover

[APIM][GraphQL GA] Conceptual updates

Author: v-regandowner

articles/api-management/TOC.yml

@@ -88,6 +88,8 @@
         href: devops-api-development-templates.md  
       - name: APIs
         items:
+            - name: GraphQL APIs
+              href: graphql-apis-overview.md
             - name: API design ebook
               href: https://azure.microsoft.com/mediahandler/files/resourcefiles/api-design/Azure_API-Design_Guide_eBook.pdf?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json
             - name: RESTful web API design
@@ -436,6 +438,8 @@
               href: forward-request-policy.md
             - name: get-authorization-context
               href: get-authorization-context-policy.md
+            - name: http-data-source
+              href: http-data-source-policy.md
             - name: include-fragment
               href: include-fragment-policy.md
             - name: invoke-dapr-binding
@@ -452,6 +456,8 @@
               href: mock-response-policy.md
             - name: proxy
               href: proxy-policy.md
+            - name: publish-event
+              href: publish-event-policy.md
             - name: publish-to-dapr
               href: publish-to-dapr-policy.md
             - name: quota

articles/api-management/api-management-features.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: article
-ms.date: 02/07/2022
+ms.date: 02/22/2023
 ms.author: danlep
 ---
 
@@ -38,12 +38,11 @@ Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct
 | Direct management API                                                                        | No          | Yes       | Yes   | Yes      | Yes     |
 | Azure Monitor logs and metrics                                                               | No          | Yes       | Yes   | Yes      | Yes     |
 | Static IP                                                                                    | No          | Yes       | Yes   | Yes      | Yes     |
-| [WebSocket APIs](websocket-api.md)                                                                                    | No          | Yes       | Yes   | Yes      | Yes     |
-| [GraphQL APIs](graphql-api.md)<sup>5</sup>                                                                               | Yes          | Yes       | Yes   | Yes      | Yes     |
-| [Synthetic GraphQL APIs (preview)](graphql-schema-resolve-api.md)                                            | No           | Yes       | Yes   | Yes      | Yes     |
+| [Pass-through WebSocket APIs](websocket-api.md)                                                                                    | No          | Yes       | Yes   | Yes      | Yes     |
+| [Pass-through GraphQL APIs](graphql-apis-overview.md)                                                                               | Yes          | Yes       | Yes   | Yes      | Yes     |
+| [Synthetic GraphQL APIs](graphql-apis-overview.md)                                            | Yes           | Yes       | Yes   | Yes      | Yes     |
 
 <sup>1</sup> Enables the use of Azure AD (and Azure AD B2C) as an identity provider for user sign in on the developer portal.<br/>
 <sup>2</sup> Including related functionality such as users, groups, issues, applications, and email templates and notifications.<br/>
 <sup>3</sup> See [Gateway overview](api-management-gateways-overview.md#feature-comparison-managed-versus-self-hosted-gateways) for a feature comparison of managed versus self-hosted gateways. In the Developer tier self-hosted gateways are limited to a single gateway node. <br/>
-<sup>4</sup> The following policies aren't available in the Consumption tier: rate limit by key and quota by key. <br/>
-<sup>5</sup> GraphQL subscriptions aren't supported in the Consumption tier.
+<sup>4</sup> The following policies aren't available in the Consumption tier: rate limit by key and quota by key.

articles/api-management/api-management-gateways-overview.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: conceptual
-ms.date: 08/04/2022
+ms.date: 02/22/2023
 ms.author: danlep
 ---
 
@@ -91,11 +91,9 @@ The following table compares features available in the managed gateway versus th
 | [Function App](import-function-app-as-api.md) |  ✔️ | ✔️ | ✔️ |
 | [Container App](import-container-app-with-oas.md) |  ✔️ | ✔️ | ✔️ |
 | [Service Fabric](../service-fabric/service-fabric-api-management-overview.md) |  Developer, Premium |  ❌ | ❌ |
-| [Passthrough GraphQL](graphql-api.md) |  ✔️ | ✔️<sup>1</sup> | ❌ |
-| [Synthetic GraphQL](graphql-schema-resolve-api.md) |  ✔️ |  ❌ | ❌ |
-| [Passthrough WebSocket](websocket-api.md) |  ✔️ |  ❌ | ❌ |
-
-<sup>1</sup> GraphQL subscriptions aren't supported in the Consumption tier.
+| [Pass-through GraphQL](graphql-apis-overview.md) |  ✔️ | ✔️ | ❌ |
+| [Synthetic GraphQL](graphql-apis-overview.md)|  ✔️ |  ✔️ | ❌ |
+| [Pass-through WebSocket](websocket-api.md) |  ✔️ |  ❌ | ❌ |
 
 ### Policies
 
@@ -104,9 +102,9 @@ Managed and self-hosted gateways support all available [policies](api-management
 | Policy | Managed (Dedicated)  | Managed (Consumption) | Self-hosted<sup>1</sup>  |
 | --- | ----- | ----- | ---------- |
 | [Dapr integration](api-management-policies.md#dapr-integration-policies) |  ❌ | ❌ | ✔️ |
+| [GraphQL resolvers](api-management-policies.md#graphql-resolver-policies) and [GraphQL validation](api-management-policies.md#validation-policies)|  ✔️ | ✔️ | ❌ |
 | [Get authorization context](get-authorization-context-policy.md) |  ✔️ |  ✔️ | ❌ |
 | [Quota and rate limit](api-management-policies.md#access-restriction-policies) |  ✔️ |  ✔️<sup>2</sup> | ✔️<sup>3</sup>
-| [Set GraphQL resolver](set-graphql-resolver-policy.md) |  ✔️ |  ❌ | ❌ |
 
 <sup>1</sup> Configured policies that aren't supported by the self-hosted gateway are skipped during policy execution.<br/>
 <sup>2</sup> The rate limit by key and quota by key policies aren't available in the Consumption tier.<br/>

articles/api-management/api-management-policies.md

@@ -73,9 +73,8 @@ More information about policies:
 -  [Send message to Pub/Sub topic](publish-to-dapr-policy.md): Uses Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file.
 -  [Trigger output binding](invoke-dapr-binding-policy.md): Uses Dapr runtime to invoke an external system via output binding. To learn more about bindings in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file.
 
-## GraphQL API policies
-- [Validate GraphQL request](validate-graphql-request-policy.md) - Validates and authorizes a request to a GraphQL API. 
-- [Set GraphQL resolver](set-graphql-resolver-policy.md) - Retrieves or sets data for a GraphQL field in an object type specified in a GraphQL schema.
+## GraphQL resolver policies
+- [Publish event to GraphQL subscription](publish-event-policy.md) - Publishes an event to one or more subscriptions specified in a GraphQL API schema. Used in the `http-response` element of the `http-data-source` policy
 
 ## Transformation policies
 -   [Convert JSON to XML](json-to-xml-policy.md) - Converts request or response body from JSON to XML.
@@ -92,6 +91,7 @@ More information about policies:
 ## Validation policies
 
 - [Validate content](validate-content-policy.md) - Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML.
+- [Validate GraphQL request](validate-graphql-request-policy.md) - Validates and authorizes a request to a GraphQL API. 
 - [Validate parameters](validate-parameters-policy.md) - Validates the request header, query, or path parameters against the API schema.
 - [Validate headers](validate-headers-policy.md) - Validates the response headers against the API schema.
 - [Validate status code](validate-status-code-policy.md) - Validates the HTTP status codes in

articles/api-management/graphql-apis-overview.md

@@ -0,0 +1,102 @@
+---
+title: Support for GraphQL APIs - Azure API Management
+description: Learn about GraphQL and how Azure API Management helps you manage GraphQL APIs.
+services: api-management
+author: dlepow
+
+ms.service: api-management
+ms.topic: conceptual
+ms.date: 02/14/2023
+ms.author: danlep
+---
+
+# Overview of GraphQL APIs in Azure API Management
+
+You can use API Management to manage GraphQL APIs - APIs based on the GraphQL query language. GraphQL provides a complete and understandable description of the data in an API, giving clients the power to efficiently retrieve exactly the data they need. [Learn more about GraphQL]( https://graphql.org/learn/)
+
+API Management helps you import, manage, protect, test, publish, and monitor GraphQL APIs. You can choose one of two API models:
+
+
+|Pass-through GraphQL   |Synthetic GraphQL  |
+|---------|---------|
+| ▪️ Pass-through API to existing GraphQL service endpoint<br><br/>▪️ Support for GraphQL queries, mutations, and subscriptions  |   ▪️ API based on a custom GraphQL schema<br></br>▪️ Support for GraphQL queries, mutations, and subscriptions<br/><br/>▪️  Configure custom resolvers, for example, to HTTP data sources<br/><br/>▪️ Develop GraphQL schemas and GraphQL-based clients while consuming data from legacy APIs     |
+
+## Availability
+
+* GraphQL APIs are supported in all API Management service tiers
+* Pass-through and synthetic GraphQL APIs currently aren't supported in a self-hosted gateway
+* GraphQL subscription support in synthetic GraphQL APIs is currently in preview
+
+## What is GraphQL?
+
+GraphQL is an open-source, industry-standard query language for APIs. Unlike REST-style APIs designed around actions over resources, GraphQL APIs support a broader set of use cases and focus on data types, schemas, and queries.
+
+The GraphQL specification explicitly solves common issues experienced by client web apps that rely on REST APIs:
+
+* It can take a large number of requests to fulfill the data needs for a single page
+* REST APIs often return more data than needed the page being rendered
+* The client app needs to poll to get new information
+
+Using a GraphQL API, the client app can specify the data they need to render a page in a query document that is sent as a single request to a GraphQL service. A client app can also subscribe to data updates pushed from the GraphQL service in real time.
+
+## Schema and operation types
+
+In API Management, add a GraphQL API from a GraphQL schema, either retrieved from a backend GraphQL API endpoint or uploaded by you. A GraphQL schema describes:
+
+* Data object types and fields that clients can request from a GraphQL API
+* Operation types allowed on the data, such as queries 
+
+For example, a basic GraphQL schema for user data and a query for all users might look like:
+
+```
+type Query {
+    users: [User]
+}
+
+type User {
+    id: String!
+    name: String!
+}
+```
+
+API Management supports the following operation types in GraphQL schemas. For more information about these operation types, see the [GraphQL specification](https://spec.graphql.org/October2021/#sec-Subscription-Operation-Definitions).
+
+* **Query** - Fetches data, similar to a `GET` operation in REST
+*  **Mutation** - Modifies server-side data, similar to a `PUT` or `PATCH` operation in REST
+* **Subscription** - Enables notifying subscribed clients in real time about changes to data on the GraphQL service
+
+    For example, when data is modified via a GraphQL mutation, subscribed clients could be automatically notified about the change. 
+
+> [!IMPORTANT]
+> API Management supports subscriptions implemented using  the [graphql-ws](https://github.com/enisdenjo/graphql-ws) WebSocket protocol. Queries and mutations aren't supported over WebSocket.
+> 
+
+## Resolvers
+
+*Resolvers* take care of mapping the GraphQL schema to backend data, producing the data for each field in an object type. The data source could be an API, a database, or another service. For example, a resolver function would be responsible for returning data for the `users` query in the preceding example. 
+
+In API Management, you can create a *custom resolver* to map a field in an object type to a backend data source. You configure resolvers for fields in synthetic GraphQL API schemas, but you can also configure them to override the default field resolvers used by pass-through GraphQL APIs.
+
+API Management currently supports HTTP-based resolvers to return the data for fields in a GraphQL schema. To use an HTTP-based resolver, configure a [`http-data-source`](http-data-source-policy.md) policy that transforms the API request (and optionally the response) into an HTTP request/response.
+
+For example, a resolver for the preceding `users` query might map to a `GET` operation in a backend REST API:
+
+```xml
+<http-data-source>
+	<http-request>
+		<set-method>GET</set-method>
+		<set-url>https://myapi.contoso.com/api/users</set-url>
+	</http-request>
+</http-data-source>
+```
+
+## Manage GraphQL APIs
+
+* Secure GraphQL APIs by applying both existing access control policies and a [GraphQL validation policy](validate-graphql-request-policy.md) to secure and protect against GraphQL-specific attacks.
+* Explore the GraphQL schema and run test queries against the GraphQL APIs in the Azure and developer portals.
+
+
+## Next steps
+
+- [Import a GraphQL API](graphql-api.md)
+- [Import a GraphQL schema and set up field resolvers](graphql-schema-resolve-api.md)