Azure API Management
As organizations build more APIs to expose services to internal teams, partners, and customers, managing them becomes a major challenge. Who is allowed to call which API? How many calls per minute? How is a broken backend hidden from callers? Azure API Management (APIM) is a fully managed gateway that sits in front of all APIs — handling security, rate limiting, documentation, monitoring, and versioning from one central place.
What is Azure API Management?
Azure API Management is an API gateway and developer portal platform. It acts as the single entry point for all API consumers. The actual backend APIs (deployed on App Service, AKS, Azure Functions, or any server) remain unchanged — APIM sits in front of them and adds governance, security, analytics, and a developer experience layer.
APIM Architecture
API Consumers Azure API Management Backend APIs
┌──────────────┐ ┌────────────────────┐ ┌──────────────────┐
│ Web App │─────────► │ │─────────►│ App Service API │
│ Mobile App │─────────► │ API Gateway │─────────►│ Azure Function │
│ Partner App │─────────► │ (Policies, │─────────►│ AKS Microservice │
│ Third-party │─────────► │ Auth, Rate Limit │─────────►│ Legacy System │
└──────────────┘ │ Transform, Cache)│ └──────────────────┘
│ │
│ Developer Portal │
│ (Docs, Testing) │
└────────────────────┘
APIM Components
API Gateway
The gateway is the runtime component that receives all API calls and forwards them to the appropriate backend. It applies configured policies (authentication, rate limiting, caching, logging) on every request.
Developer Portal
The developer portal is an automatically generated, customizable website where API consumers can discover APIs, read documentation, test API calls interactively, and subscribe to get API keys. It turns API documentation into a self-service experience.
Management Plane
The management plane is where administrators configure APIs, policies, products, users, and analytics — through the Azure Portal, CLI, ARM templates, or REST API.
APIs and Operations
In APIM, an API represents a set of related operations (endpoints). APIM can import API definitions from:
- OpenAPI (Swagger) specification — most common way to import REST APIs
- Azure Functions — auto-import all HTTP-triggered functions
- App Service — import from App Service directly
- WSDL — import SOAP web services
- OData — import OData feeds
- Manual definition — define operations one by one
Policies
Policies are the most powerful APIM feature. A policy is a piece of XML configuration that executes at specific points in the API request/response pipeline — transforming, validating, or routing calls. Policies are applied at four levels of the pipeline:
Policy Pipeline
Request comes in from consumer
│
▼
┌───────────────────┐
│ Inbound Section │ ← Validate JWT, check rate limit, add headers
└────────┬──────────┘
│
▼
┌───────────────────┐
│ Backend Section │ ← Forward request to backend, retry policy
└────────┬──────────┘
│
▼
┌───────────────────┐
│ Outbound Section │ ← Transform response, remove sensitive headers, cache
└────────┬──────────┘
│
▼
┌───────────────────┐
│ On-Error Section │ ← Handle errors, return custom error response
└───────────────────┘
│
▼
Response returned to consumer
Commonly Used Policies
| Policy | Purpose |
|---|---|
| validate-jwt | Verify a JWT token from Azure AD — reject calls without a valid token |
| rate-limit | Allow only N calls per period — e.g., 100 calls per minute per subscriber |
| quota | Limit total calls per day/week/month per subscription |
| cache-lookup / cache-store | Cache API responses — return cached result without hitting the backend |
| set-header | Add, modify, or remove HTTP headers on requests or responses |
| rewrite-uri | Change the URL path before forwarding to the backend |
| mock-response | Return a hardcoded mock response without hitting the backend — for development |
| ip-filter | Allow or block calls from specific IP addresses or ranges |
| cors | Handle Cross-Origin Resource Sharing headers for browser-based consumers |
| retry | Automatically retry the backend call if it fails with specific status codes |
Products and Subscriptions
A product in APIM groups one or more APIs together and defines access terms (open or requiring a subscription key). API consumers subscribe to a product to get access.
Example Products
Product: "Free Tier" └── APIs: Weather API, News API Rate limit: 50 calls/minute, 1,000 calls/day No approval required — open subscription Product: "Business Plan" └── APIs: All APIs Rate limit: 1,000 calls/minute, unlimited/day Requires admin approval to subscribe Monthly fee applies
Versioning and Revisions
- Versions: Allow running multiple major versions of an API simultaneously (v1, v2). Consumers choose which version to call. Version strategy can be path-based (/v1/products), query string-based (?api-version=2024-01), or header-based.
- Revisions: Allow making non-breaking changes to an API without creating a new version. A revision can be tested before making it the current active revision.
Analytics and Monitoring
APIM provides built-in analytics showing request volume, response times, error rates, and usage by API, operation, product, and consumer. Integration with Azure Monitor sends detailed request logs and metrics for deeper analysis in Log Analytics.
APIM Tiers
| Tier | Scale | Features |
|---|---|---|
| Consumption | Serverless, per-call billing | Core features, no developer portal, no caching |
| Developer | 1 unit (not for production) | All features including developer portal — for development only, no SLA |
| Basic | 2 units | Production-ready, basic scale |
| Standard | 4 units | VNet integration, higher scale |
| Premium | Multiple units, multi-region | Multi-region deployment, VNet, Availability Zones, 99.99% SLA |
Key Takeaways
- Azure API Management is an API gateway that adds security, rate limiting, caching, transformation, and documentation to any API.
- Policies are XML configurations applied at inbound, backend, outbound, and error stages to control every aspect of API calls.
- Products group APIs and define access terms; subscribers get API keys to access them.
- Versioning supports running multiple API versions simultaneously; revisions allow safe non-breaking changes.
- The Developer Portal provides a self-service documentation and testing hub for API consumers.