Azure API Management (APIM) is the enterprise API gateway for exposing backend services securely. It handles authentication, rate limiting, transformation, caching, and observability. This guide covers deployment tiers, policy configuration, developer portal customization, and production architecture patterns for high-availability deployments.
APIM Tiers Comparison
| Feature | Consumption | Developer | Standard | Premium |
|---|---|---|---|---|
| Pricing | Pay-per-call | Fixed | Fixed | Fixed |
| SLA | 99.95% | None | 99.95% | 99.99% |
| Scale Units | Auto | 1 | 1-4 | 1-12 |
| VNET | ❌ | ✅ (External) | ✅ (External) | ✅ (Internal/External) |
| Multi-Region | ❌ | ❌ | ❌ | ✅ |
Architecture Pattern: Internal API Gateway
flowchart TB
Internet["Internet"] --> WAF["Azure WAF / Front Door"]
WAF --> APIM["API Management (External VNET)"]
subgraph VNET ["Virtual Network"]
APIM --> Backend1["Microservice A"]
APIM --> Backend2["Microservice B"]
APIM --> AKS["AKS Cluster"]
end
APIM --> AppInsights["Application Insights"]
style APIM fill:#E1F5FE,stroke:#0277BD
Policy Configuration
APIM policies are XML-based interceptors at four scopes: global, product, API, and operation.
<policies>
<inbound>
<!-- Validate JWT from Azure AD -->
<validate-jwt header-name="Authorization">
<openid-config url="https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration" />
<required-claims>
<claim name="aud" match="all">
<value>api://my-api</value>
</claim>
</required-claims>
</validate-jwt>
<!-- Rate limiting -->
<rate-limit-by-key calls="100" renewal-period="60"
counter-key="@(context.Request.IpAddress)" />
<!-- Cache responses -->
<cache-lookup vary-by-developer="false" vary-by-developer-groups="false">
<vary-by-query-parameter>version</vary-by-query-parameter>
</cache-lookup>
<set-backend-service base-url="https://internal-api.mycompany.com" />
</inbound>
<backend>
<forward-request timeout="30" />
</backend>
<outbound>
<cache-store duration="3600" />
<set-header name="X-Request-Id" exists-action="override">
<value>@(context.RequestId.ToString())</value>
</set-header>
</outbound>
<on-error>
<set-header name="X-Error" exists-action="override">
<value>@(context.LastError.Message)</value>
</set-header>
</on-error>
</policies>GraphQL Support
APIM now supports GraphQL APIs with schema validation and synthetic GraphQL from REST:
az apim graphql-api import \
--resource-group mygroup \
--service-name myapim \
--api-id graphql-api \
--display-name "GraphQL API" \
--path /graphql \
--specification-path ./schema.graphqlKey Takeaways
- Premium tier for production (VNET, multi-region, SLA)
- Use policies for JWT validation, rate limiting, caching
- Deploy in External VNET mode with Front Door for WAF
- Application Insights integration for observability
- GraphQL support enables modern API patterns
Discover more from C4: Container, Code, Cloud & Context
Subscribe to get the latest posts sent to your email.