Azure API Management

First PublishedFeb 17, 2026ByAtif Alam

Azure API Management (APIM) is a fully managed API gateway that sits in front of your backend APIs. It handles authentication, rate limiting, caching, transformation, monitoring, and developer documentation — so your backend services focus on business logic.

Why an API Gateway?

Without a gateway, every backend service handles its own:

Authentication and authorization
Rate limiting and throttling
Request/response transformation
Monitoring and logging
API versioning

An API gateway centralizes these concerns:

1
Clients (mobile, web, partners)
2
    │
3
    ▼
4
Azure API Management
5
  ├── Authentication (OAuth 2.0, API keys, JWT)
6
  ├── Rate limiting / throttling
7
  ├── Caching
8
  ├── Request transformation
9
  ├── Monitoring / analytics
10
  │
11
  ├──► Backend: Order Service
12
  ├──► Backend: Product Service
13
  ├──► Backend: User Service
14
  └──► Backend: Azure Function

APIM Components

Component	What It Does
Gateway	Receives API calls, applies policies, routes to backends
Management plane	Configure APIs, products, policies (portal or ARM)
Developer portal	Auto-generated API documentation for consumers
Analytics	Usage metrics, error rates, latency

Core Concepts

APIs, Operations, Products

1
Product: "Free Tier" (rate limit: 100 calls/min)
2
  └── API: Orders API (v1)
3
        ├── Operation: GET  /orders
4
        ├── Operation: POST /orders
5
        └── Operation: GET  /orders/{id}
6

7
Product: "Premium" (rate limit: 10,000 calls/min)
8
  ├── API: Orders API (v1)
9
  └── API: Analytics API (v2)

Concept	Description
API	A set of operations that map to a backend service
Operation	A single HTTP method + path (e.g. `GET /orders`)
Product	Groups APIs with usage policies (subscriptions, rate limits)
Subscription	An API key that grants access to a product
Policy	XML rules applied at various scopes (inbound, backend, outbound, on-error)

Creating an APIM Instance

1
# Create an API Management instance (Developer tier for testing)
2
az apim create \
3
  --resource-group myapp-rg \
4
  --name myapp-api \
5
  --publisher-name "My Company" \
6
  --publisher-email "[email protected]" \
7
  --sku-name Developer \
8
  --location eastus

APIM Tiers

Tier	Use Case	SLA	Gateway Capacity	Cost
Consumption	Serverless, pay-per-call	99.95%	Auto-scale	~$3.50 per 10K calls
Developer	Testing and development	No SLA	1 unit	~$50/month
Basic	Small production	99.95%	Up to 2 units	~$150/month
Standard	Medium production	99.95%	Up to 4 units	~$700/month
Premium	Enterprise, multi-region	99.99%	Up to 12+ units	~$2,800/month

Importing APIs

From OpenAPI Specification

1
# Import from an OpenAPI/Swagger file
2
az apim api import \
3
  --resource-group myapp-rg \
4
  --service-name myapp-api \
5
  --path "orders" \
6
  --specification-format OpenApi \
7
  --specification-url "https://myapp.azurewebsites.net/swagger/v1/swagger.json" \
8
  --display-name "Orders API" \
9
  --api-id "orders-api"

From Azure Function App

1
az apim api import \
2
  --resource-group myapp-rg \
3
  --service-name myapp-api \
4
  --path "functions" \
5
  --specification-format OpenApi \
6
  --specification-url "https://my-func-app.azurewebsites.net/api/swagger.json" \
7
  --display-name "Functions API"

APIM can also import from Azure App Service, Logic Apps, or manually defined operations.

Policies

Policies are XML rules that transform requests and responses at four stages:

1
<policies>
2
    <inbound>
3
        <!-- Applied before the request reaches the backend -->
4
    </inbound>
5
    <backend>
6
        <!-- Applied just before forwarding to the backend -->
7
    </backend>
8
    <outbound>
9
        <!-- Applied to the response before sending to the client -->
10
    </outbound>
11
    <on-error>
12
        <!-- Applied when an error occurs at any stage -->
13
    </on-error>
14
</policies>

Common Policies

Rate Limiting

1
<inbound>
2
    <!-- 100 calls per 60 seconds per subscription key -->
3
    <rate-limit calls="100" renewal-period="60" />
4

5
    <!-- Or by IP address -->
6
    <rate-limit-by-key calls="50" renewal-period="60"
7
        counter-key="@(context.Request.IpAddress)" />
8
</inbound>

JWT Validation

1
<inbound>
2
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
3
        failed-validation-httpcode="401">
4
        <openid-config url="https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration" />
5
        <required-claims>
6
            <claim name="aud" match="all">
7
                <value>{api-client-id}</value>
8
            </claim>
9
        </required-claims>
10
    </validate-jwt>
11
</inbound>

Caching

1
<inbound>
2
    <!-- Cache GET responses for 300 seconds -->
3
    <cache-lookup vary-by-developer="false" vary-by-developer-groups="false"
4
        downstream-caching-type="none" />
5
</inbound>
6
<outbound>
7
    <cache-store duration="300" />
8
</outbound>

Request Transformation

1
<inbound>
2
    <!-- Add a header -->
3
    <set-header name="X-Request-Source" exists-action="override">
4
        <value>api-gateway</value>
5
    </set-header>
6

7
    <!-- Remove a header -->
8
    <set-header name="X-Internal-Token" exists-action="delete" />
9

10
    <!-- Rewrite URL -->
11
    <rewrite-uri template="/api/v2/orders" />
12
</inbound>

CORS

1
<inbound>
2
    <cors allow-credentials="true">
3
        <allowed-origins>
4
            <origin>https://myapp.com</origin>
5
            <origin>https://admin.myapp.com</origin>
6
        </allowed-origins>
7
        <allowed-methods>
8
            <method>GET</method>
9
            <method>POST</method>
10
            <method>PUT</method>
11
            <method>DELETE</method>
12
        </allowed-methods>
13
        <allowed-headers>
14
            <header>Authorization</header>
15
            <header>Content-Type</header>
16
        </allowed-headers>
17
    </cors>
18
</inbound>

Backend Circuit Breaker

1
<backend>
2
    <forward-request timeout="30" />
3
</backend>
4
<on-error>
5
    <return-response>
6
        <set-status code="503" reason="Service Unavailable" />
7
        <set-body>{"error": "Backend temporarily unavailable"}</set-body>
8
    </return-response>
9
</on-error>

Policy Scope

Policies can be applied at different scopes (inner scopes inherit outer):

1
Global (all APIs)
2
  └── Product (all APIs in a product)
3
        └── API (all operations in an API)
4
              └── Operation (single endpoint)

Authentication Methods

Method	Use Case	Configuration
Subscription key	Simple API key in header or query	Built-in, per-product
OAuth 2.0 / JWT	Token-based auth (Entra ID)	`validate-jwt` policy
Client certificate	Mutual TLS	`validate-client-certificate` policy
Basic auth	Legacy systems	`authentication-basic` policy
Managed identity	Backend auth (APIM → backend)	`authentication-managed-identity` policy

Subscription Keys

1
# Clients include the key in the header
2
curl -H "Ocp-Apim-Subscription-Key: abc123..." \
3
  https://myapp-api.azure-api.net/orders

API Versioning

APIM supports multiple versioning schemes:

Scheme	Example
URL path	`/v1/orders`, `/v2/orders`
Query string	`/orders?api-version=2026-02-01`
Header	`Api-Version: v2`

1
# Create a version set
2
az apim api versionset create \
3
  --resource-group myapp-rg \
4
  --service-name myapp-api \
5
  --display-name "Orders API" \
6
  --versioning-scheme "Segment" \
7
  --version-set-id "orders-versions"
8

9
# Create v2 of the API
10
az apim api create \
11
  --resource-group myapp-rg \
12
  --service-name myapp-api \
13
  --api-id "orders-v2" \
14
  --display-name "Orders API v2" \
15
  --path "orders" \
16
  --api-version "v2" \
17
  --api-version-set-id "orders-versions" \
18
  --service-url "https://myapp-v2.azurewebsites.net"

Developer Portal

APIM includes a self-service developer portal where API consumers can:

Browse available APIs and operations.
View request/response schemas and examples.
Test APIs interactively (built-in test console).
Sign up for products and get subscription keys.
View usage analytics and quotas.

The portal is auto-generated from your API definitions and can be customized with branding.

Monitoring and Analytics

APIM provides built-in analytics:

Metric	What It Shows
Requests	Total calls, success rate, error breakdown (4xx, 5xx)
Latency	Gateway processing time + backend response time
Capacity	Gateway resource utilization
Cache hit ratio	Percentage of requests served from cache

Integrate with:

Application Insights — Detailed request tracing, dependency maps.
Azure Monitor — Alerts on error rates or latency.
Event Hubs — Stream API logs for custom analytics.

APIM vs Application Gateway vs Azure Front Door

	APIM	Application Gateway	Azure Front Door
Primary role	API gateway (L7 API management)	Load balancer (L7 web traffic)	Global CDN + load balancer
Policies	Rate limiting, JWT, caching, transformation	WAF, SSL, routing	WAF, caching, routing
Developer portal	Yes	No	No
API versioning	Yes	No	No
Best for	API consumers, partners, mobile backends	Web applications, WAF	Global web apps, CDN

Key Takeaways

APIM centralizes authentication, rate limiting, caching, and monitoring for your APIs.
Policies (XML) are the core mechanism — applied at inbound, backend, outbound, and on-error stages.
Products group APIs with shared policies and subscription keys.
JWT validation with Entra ID is the recommended auth method for modern APIs.
The developer portal gives API consumers self-service documentation and testing.
Consumption tier is serverless and cost-effective for low-traffic APIs; Standard/Premium for production.
Use APIM for API management; use Application Gateway for web traffic and WAF.