This chapter covers Azure API Management (APIM), a critical service for publishing, securing, transforming, maintaining, and monitoring APIs. For the AZ-204 exam, approximately 10-15% of questions touch on API Management, focusing on policies, caching, versioning, and security. You will learn how to design and implement an API gateway, configure policies for transformation and throttling, manage API versions and revisions, and integrate with Azure services like Application Insights and Azure AD. Mastery of APIM is essential for building scalable, secure, and developer-friendly API platforms.
Imagine a large corporation with a single public phone number and thousands of employees with internal extensions. When an external caller dials the main number, the switchboard operator answers, authenticates the caller by checking their employee ID against a whitelist, then routes the call to the correct department based on the requested extension. The operator can also enforce rate limits: if a caller dials too many times in a minute, the operator puts them on hold for a while. Additionally, the operator logs every call—who called, when, what extension they asked for, and the duration. The operator can transform the call: if a caller asks for "Sales" but the sales department recently changed its name to "Revenue," the operator automatically redirects. The operator can also cache responses: if a caller asks for the company's stock price, the operator reads it from a whiteboard updated every 5 minutes instead of calling the finance department every time. Finally, the operator can combine multiple internal departments to fulfill a single request—for example, to get a customer's full profile, the operator calls HR for name, IT for email, and Sales for purchase history, then compiles the information. This switchboard is Azure API Management: the single entry point for all external API calls, handling authentication, throttling, logging, transformation, caching, and composition before reaching backend services.
What is Azure API Management and Why It Exists
Azure API Management (APIM) is a fully managed service that acts as an API gateway for backend services. It addresses common challenges in exposing APIs to external or internal consumers: security (authentication, authorization, threat protection), rate limiting, transformation (protocol conversion, data format changes), observability (logging, analytics), and developer onboarding (API documentation, testing console). APIM decouples the API facade from the backend implementation, allowing backend services to evolve independently without breaking consumers.
How It Works Internally
APIM sits between the API consumer and the backend. Each API call passes through the gateway, which consists of three main components:
- Proxy Layer: Receives HTTP requests, applies policies in a defined order (inbound, backend, outbound, on-error), and forwards the request to the backend. The response travels back through the outbound policies.
- Management Plane: Provides the REST API, Azure portal, and Azure CLI/PowerShell for configuration. It also publishes the developer portal.
- Developer Portal: A customizable website where API consumers can discover APIs, read documentation, test endpoints, and subscribe to products.
Policies are XML or JSON documents that define the processing pipeline. They are executed in this order:
1. Inbound: Applied to the request before it is sent to the backend. Common uses: authentication, rate limiting, IP filtering, URL transformation.
2. Backend: Applied just before the request is sent to the backend service. Typically used to set backend-specific headers or modify the URL.
3. Outbound: Applied to the response from the backend before it is sent to the consumer. Common uses: response transformation, caching, CORS headers.
4. On-error: Applied when an error occurs in any policy or backend call. Allows custom error handling.
Policies can be scoped at different levels:
- Global: Applied to all APIs in the APIM instance.
- Product: Applied to all APIs within a product (a grouping of APIs).
- API: Applied to all operations of a specific API.
- Operation: Applied to a single HTTP method + URL path combination.
Key Components, Values, Defaults, and Timers
Tiers: Consumption, Developer, Basic, Standard, Premium. The Consumption tier is serverless and pay-per-execution; others have dedicated capacity units (units = scale). Default SLA: 99.9% for Standard, 99.95% for Premium.
Capacity units: Each unit supports a certain throughput. For Standard tier, one unit handles approximately 1,000 requests per second (RPS). Premium tier supports multiple units and virtual network injection.
Timeouts: Default backend request timeout is 60 seconds (configurable in policies). The gateway itself has no hard timeout for the overall request, but backend timeout is critical.
Caching: Built-in caching uses Azure Redis Cache. Default cache duration is 3600 seconds (1 hour) for responses. You can set cache-control headers or use the cache-lookup and cache-store policies.
Rate limiting: The rate-limit policy (per key) defaults to 100 calls per minute per subscription key. The quota policy sets a volume limit per time period (e.g., 10,000 calls per month).
Authentication: Supports OAuth 2.0, OpenID Connect, client certificates, IP whitelisting, and basic auth via policies. APIM can validate JWT tokens using the validate-jwt policy.
Subscription keys: Each API call must include a subscription key (in header Ocp-Apim-Subscription-Key or query parameter). Default key length is 32 characters. Keys can be regenerated.
Developer Portal: Customizable domain, built-in Swagger/OpenAPI support, and interactive test console.
Configuration and Verification Commands
Azure CLI commands for common tasks:

```bash
# Create an APIM instance
az apim create --name myapim --resource-group myrg --publisher-email admin@contoso.com --publisher-name Contoso --sku-name Developer

# Import an API from OpenAPI specification
az apim api import --service-name myapim --resource-group myrg --api-id myapi --path /api --specification-url https://specs.example.com/swagger.json --specification-format OpenApi

# Add a policy to an API
az apim api policy set --service-name myapim --resource-group myrg --api-id myapi --policy-xml @policy.xml

# List all APIs
az apim api list --service-name myapim --resource-group myrg --output table
```

PowerShell:

```powershell
New-AzApiManagement -Name myapim -ResourceGroupName myrg -Location eastus -Organization Contoso -AdminEmail admin@contoso.com -Sku Developer
```

Verification: Use the developer portal's test console or curl with a subscription key:

```bash
curl -H "Ocp-Apim-Subscription-Key: your-key" https://myapim.azure-api.net/api/v1/endpoint
```

How It Interacts with Related Technologies
Azure AD: APIM can validate tokens issued by Azure AD for OAuth 2.0 flows. It can also use Azure AD as an identity provider for the developer portal.
Application Insights: APIM can send telemetry (requests, failures, dependencies) to Application Insights for monitoring and alerting.
Azure Functions: Commonly used as a backend for serverless APIs. APIM can trigger functions and apply policies.
Azure Logic Apps: APIM can expose Logic Apps as APIs with policies for security and transformation.
Azure Redis Cache: Used for external caching in APIM. The built-in cache is internal; for Premium tier, you can bring your own Redis instance.
Virtual Networks: Premium tier APIM can be injected into a VNet to access on-premises or private Azure resources securely.
Create an APIM Instance
In the Azure portal, click Create a resource > API Management. Fill in subscription, resource group, region, and a unique DNS name (e.g., myapim). Choose a tier: Developer (no SLA, for testing), Standard (99.9% SLA), or Premium (99.95%, VNet support). Set the organization name and admin email. The creation takes 30-40 minutes. For CLI, use `az apim create`. The instance has a management endpoint (https://myapim.management.azure-api.net) and a gateway endpoint (https://myapim.azure-api.net).
Import or Define an API
You can import an API from an OpenAPI (Swagger) specification, a WSDL, a Logic App, a Function App, or create it manually. Go to the APIM instance > APIs > Add API. Choose the import method. For OpenAPI, provide the specification URL or upload a file. The API will be created with all operations (GET, POST, etc.) and their request/response schemas. Set the API URL suffix (e.g., /api) and the backend URL (e.g., https://mybackend.azurewebsites.net).
Apply Policies for Security and Transformation
Navigate to the API or operation > Design > Inbound/Outbound Processing. Add policies via the code editor or wizard. For example, to validate a JWT token: `<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized"><openid-config url="https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration" /></validate-jwt>`. To set a rate limit: `<rate-limit calls="100" renewal-period="60" />`. Policies are XML and execute in order. Test using the developer portal's Test tab.
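The two snippets above assembled into one complete API-scope policy document, added here as a worked example rather than code from the original page: every section described under How It Works Internally is present, `<base />` pulls in the policies of the enclosing product and global scopes, and the backend timeout is set on `forward-request` (30 seconds here, against the 60-second default). The tenant, audience, role name and the headers being stripped are placeholders, not values from the page.

```xml
<policies>
    <inbound>
        <base />
        <!-- Authenticate before anything else runs, so unauthenticated callers never reach
             the rate limiter, the cache or the backend. {tenant}, the audience and the role
             are placeholders for your own tenant and app registration. -->
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-scheme="Bearer">
            <openid-config url="https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://orders-api-placeholder</audience>
            </audiences>
            <required-claims>
                <claim name="roles" match="any">
                    <value>Orders.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Burst control: 100 calls per 60-second window per subscription key. -->
        <rate-limit calls="100" renewal-period="60" />
        <!-- Serve a cached copy if one exists. vary-by-developer keeps the cache per
             subscription, so one caller never receives a response cached for another. -->
        <cache-lookup vary-by-developer="true" vary-by-developer-groups="false" downstream-caching-type="none">
            <vary-by-header>Accept</vary-by-header>
        </cache-lookup>
    </inbound>
    <backend>
        <!-- forward-request is the policy that actually calls the backend; timeout is in seconds. -->
        <forward-request timeout="30" />
    </backend>
    <outbound>
        <base />
        <!-- Remove headers that reveal the backend technology before the response is cached or sent. -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="Server" exists-action="delete" />
        <!-- Store successful responses for 600 seconds (10 minutes). -->
        <cache-store duration="600" />
    </outbound>
    <on-error>
        <base />
        <!-- Backend failures (timeouts, connection errors) get a generic body so internal details
             stay in diagnostics. Errors raised by validate-jwt (401) and rate-limit (429) keep
             the response APIM already built for them. -->
        <choose>
            <when condition="@(context.LastError.Source == "forward-request")">
                <set-status code="502" reason="Bad Gateway" />
                <set-header name="Content-Type" exists-action="override">
                    <value>application/json</value>
                </set-header>
                <set-body>{"error": "An error occurred"}</set-body>
            </when>
        </choose>
    </on-error>
</policies>
```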
Create Products and Subscriptions
Products group APIs for consumption. Go to Products > Add. Choose a name, description, and whether it requires approval. Set subscription requirement: if enabled, consumers must subscribe with a key. Create a subscription (either automatically for approved products or manually). Each subscription generates a primary and secondary key. These keys are used in API calls via the `Ocp-Apim-Subscription-Key` header. You can also use OAuth 2.0 instead of subscription keys.
Publish the Developer Portal
The developer portal is a self-service site for API consumers. Go to Developer Portal > Portal Overview. You can customize the look and feel (HTML, CSS, JavaScript) using the built-in content management system. Publish the portal to make it available at https://myapim.developer.azure-api.net. Add API documentation, code samples, and enable the interactive test console. Users can sign up, sign in, and subscribe to products to get subscription keys.
Monitor and Analyze API Usage
APIM integrates with Azure Monitor and Application Insights. Enable Application Insights in the APIM instance > Application Insights. You can then view metrics like requests, errors, and latency. Use Azure Monitor to set alerts (e.g., if error rate > 5%). APIM also provides analytics dashboards (APIs > Analytics) showing top APIs, operations, and geographies. For advanced logging, add the `<log-to-eventhub>` policy to send logs to Event Hubs for custom processing.
Enterprise Scenario 1: E-commerce API Platform
A large retailer exposes product catalog, shopping cart, and order APIs to mobile apps and third-party sellers. They use APIM to enforce authentication (OAuth 2.0 with Azure AD), rate limit per seller (1000 calls/hour), and transform responses (remove internal pricing fields for external partners). They use caching for product details (10-minute TTL) to reduce backend load. In production, they run on Premium tier with 4 capacity units behind an Azure Front Door for global distribution. Misconfiguration example: setting too low a rate limit caused a seller's bulk update to fail intermittently. They fixed it by using a quota policy (10,000 calls/day) instead of rate-limit for bulk operations.
Enterprise Scenario 2: Banking API Gateway
A bank exposes account balance, transaction history, and fund transfer APIs to its mobile app and partner fintechs. Security is paramount: they use client certificate authentication on the backend, JWT validation with Azure AD B2C, and IP whitelisting for sensitive operations. They use APIM's on-error policy to return generic error messages (e.g., "An error occurred") to avoid leaking internal details. They also use versioning (v1, v2) to support legacy mobile apps while rolling out new features. Performance considerations: they use Premium tier with VNet injection to keep traffic within the bank's network. A common mistake: forgetting to set the backend policy to pass client certificates, causing backend authentication failures.
Enterprise Scenario 3: SaaS Multi-Tenant API
A SaaS company provides a REST API for its customers to integrate with its platform. Each customer gets a separate subscription key that identifies them. APIM uses the set-header policy to inject the tenant ID into backend requests based on the subscription key (via a lookup in Azure Cosmos DB). They use the quota policy to enforce per-tenant limits (e.g., 100,000 calls/month). They use the developer portal for customer onboarding and documentation. Scaling: they use Standard tier with auto-scaling (manual scaling required in Standard, auto-scaling in Premium). A pitfall: not properly handling subscription key rotation—they had to implement a grace period where both old and new keys work simultaneously.
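One product-scope policy that covers the e-commerce and SaaS scenarios above, added as an illustration and not code from either company: a per-tenant monthly quota and a per-seller hourly rate limit keyed on the subscription id (so rotating a key during a grace period does not reset the counters), tenant id injection, and removal of internal pricing fields before the response is cached. The field names, header name and limits are assumed values, and the tenant id is taken straight from the subscription instead of the Cosmos DB lookup described in Scenario 3.

```xml
<policies>
    <inbound>
        <base />
        <!-- Counters keyed on the subscription id, not the key value, so a key rotation does not
             reset a tenant's limits. The product requires a subscription, so context.Subscription
             is never null here. 2592000 s = 30 days, 3600 s = 1 hour. -->
        <quota-by-key calls="100000" renewal-period="2592000" counter-key="@(context.Subscription.Id)" />
        <rate-limit-by-key calls="1000" renewal-period="3600" counter-key="@(context.Subscription.Id)" />
        <!-- The backend trusts this header, so override anything the caller sent. -->
        <set-header name="X-Tenant-Id" exists-action="override">
            <value>@(context.Subscription.Id)</value>
        </set-header>
        <!-- Cache per subscription so one tenant never receives another tenant's response. -->
        <cache-lookup vary-by-developer="true" vary-by-developer-groups="false" downstream-caching-type="none" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <choose>
            <when condition="@(context.Response.StatusCode == 200)">
                <!-- Drop internal pricing fields from a single product object or an array of
                     products. Non-JSON bodies are returned unchanged. -->
                <set-body>@{
                    var contentType = context.Response.Headers.GetValueOrDefault("Content-Type", "");
                    if (!contentType.Contains("application/json"))
                    {
                        return context.Response.Body.As<string>(preserveContent: true);
                    }
                    var internalFields = new[] { "internalCost", "margin", "supplierPrice" };
                    var body = context.Response.Body.As<JToken>(preserveContent: true);
                    var products = new List<JObject>();
                    if (body.Type == JTokenType.Array) { products.AddRange(((JArray)body).OfType<JObject>()); }
                    else if (body.Type == JTokenType.Object) { products.Add((JObject)body); }
                    foreach (var product in products)
                    {
                        foreach (var field in internalFields) { product.Remove(field); }
                    }
                    return body.ToString();
                }</set-body>
            </when>
        </choose>
        <!-- Stored after the transformation, so the cache never holds the internal fields.
             600 s = the 10-minute TTL from Scenario 1. -->
        <cache-store duration="600" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```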
Exactly What AZ-204 Tests on API Management
The AZ-204 exam (objective: Integrate, 5.1) tests your ability to implement API Management. Key sub-objectives:
Create an API Management instance (tiers, scaling, regions)
Configure authentication and authorization (OAuth 2.0, client certificates, IP filtering)
Define policies (caching, rate limiting, transformation, CORS)
Manage API versions and revisions
Integrate with Application Insights for monitoring
Use the developer portal
Common Wrong Answers and Why Candidates Choose Them
Choosing the Consumption tier for production: Candidates think it's cheaper and serverless, but it lacks SLA, has lower throughput, and no VNet support. The correct answer for production is Standard or Premium.
Using the `quota` policy for rate limiting per minute: Quota is for volume over a period (e.g., 10,000 calls/month), not for burst control. Use rate-limit for calls per second/minute.
Forgetting subscription key in API call: The exam may ask why a call returns 401. The reason is missing Ocp-Apim-Subscription-Key header, not an invalid backend.
Confusing API version with revision: Versions (v1, v2) are for breaking changes; revisions are for non-breaking changes (edits). Revisions can be made current without changing the URL.
Specific Numbers, Values, and Terms That Appear on the Exam
Default backend timeout: 60 seconds
Default cache duration: 3600 seconds (1 hour)
Rate limit default: 100 calls per minute per key
Subscription key header: Ocp-Apim-Subscription-Key
Tiers: Consumption (pay-per-call), Developer (no SLA), Basic (SLA, limited), Standard (SLA, 1 unit ~1000 RPS), Premium (SLA, VNet, multi-region)
Policy scopes: Global, Product, API, Operation
VNet injection: Premium tier only
Edge Cases and Exceptions the Exam Loves to Test
If you need to access a backend in a VNet, you must use Premium tier and VNet injection.
The Consumption tier does not support custom domains or VNet.
For caching, you must use the cache-store and cache-lookup policies explicitly; built-in caching is not automatic.
When using OAuth 2.0, you must configure the JWT validation policy; just enabling OAuth in the developer portal is not enough.
API revisions are numbered (1, 2, 3) and can be made current; versions can be path-based or header-based.
How to Eliminate Wrong Answers Using the Underlying Mechanism
Understand that APIM is a proxy: it receives requests, applies policies, forwards to backend, applies policies on response. If a question asks about transforming a response, think outbound policy. If about authentication, think inbound policy. If about backend timeout, think backend policy or gateway timeout setting. If about scaling, consider tier and capacity units. Eliminate answers that mix these layers.
APIM acts as a gateway that applies policies (inbound, backend, outbound, on-error) to API calls.
Policies are XML documents that can be scoped globally, per product, per API, or per operation.
Default backend timeout is 60 seconds; default cache duration is 3600 seconds.
Rate-limit policy controls calls per time window (e.g., 100 calls per minute); quota policy controls total volume (e.g., 10,000 calls per month).
Subscription keys are sent via the `Ocp-Apim-Subscription-Key` header; they are optional if using OAuth 2.0 or client certificates.
Only Premium tier supports VNet injection and multi-region deployment.
API versions (v1, v2) are for breaking changes; revisions are for non-breaking edits within a version.
Application Insights integration provides monitoring and diagnostics for API calls.
The developer portal is a customizable site for API consumers to discover and test APIs.
When importing an API from OpenAPI, the operations and schemas are automatically created.
These come up on the exam all the time. Here's how to tell them apart.
Azure API Management
Fully managed API gateway with policies, caching, and analytics.
Supports multiple backend services (Functions, Logic Apps, Web Apps).
Built-in developer portal for API documentation and testing.
Tiers: Consumption, Developer, Basic, Standard, Premium.
Rich policy engine for transformation, validation, throttling.
Azure Functions API Proxy
Simple proxy built into Azure Functions runtime.
Only works with Azure Functions backends.
No developer portal; documentation must be separate.
No tiering; scales with the Functions plan.
Limited to URL rewriting and header manipulation; no advanced policies.
Azure API Management (Standard)
99.9% SLA.
Up to 10 capacity units per region.
No VNet support.
No multi-region deployment.
Lower cost per unit.
Azure API Management (Premium)
99.95% SLA.
Up to 10 capacity units per region, plus multiple regions.
Supports VNet injection for private backend access.
Multi-region deployment for high availability.
Higher cost; includes dedicated caching and scaling.
Mistake
APIM can automatically scale based on load in any tier.
Correct
Only the Premium tier supports auto-scaling via Azure Monitor autoscale. Standard and Basic require manual scaling by adding capacity units. Consumption tier scales automatically but with limited throughput.
Mistake
API versions and revisions are the same concept.
Correct
Revisions are for non-breaking changes (edits) within a version; you can make a revision current without changing the URL. Versions (v1, v2) are for breaking changes and can be path-based (e.g., /api/v1/) or header-based.
Mistake
You must use subscription keys for all API calls.
Correct
Subscription keys are optional. You can configure APIs to use OAuth 2.0, client certificates, or IP whitelisting instead. The `validate-jwt` policy can replace subscription key validation.
Mistake
APIM can cache responses without any configuration.
Correct
Caching requires explicit policies (`cache-lookup` and `cache-store`). By default, no caching is applied. Also, you must enable caching in the APIM instance settings.
Mistake
The Consumption tier supports custom domains and VNet integration.
Correct
The Consumption tier does not support custom domains or VNet integration. For custom domains, use Developer, Standard, or Premium. For VNet, only Premium.
An API revision is a non-breaking change to an existing API version. You can edit an API and create a revision (e.g., rev 2), then make it current without changing the URL. Revisions are numbered sequentially. An API version is a separate endpoint that represents a breaking change (e.g., /api/v1 vs /api/v2). Versions can be path-based (e.g., /api/v1) or header-based. On the exam, remember: revisions for minor edits, versions for major changes.
First, enable caching in the APIM instance settings (Caching > Enable). Then, use the `<cache-lookup>` policy in the inbound section to check the cache, and `<cache-store>` in the outbound section to store the response. You can specify the cache duration using the `duration` attribute in seconds. By default, caching is not applied unless you explicitly add these policies. The built-in cache uses an internal Redis instance; for Premium tier, you can use an external Azure Redis Cache.
Yes, you can configure APIs to not require a subscription key by setting the product to 'requires subscription' = false. However, for security, it is recommended to use subscription keys or OAuth 2.0. You can also use client certificates or IP whitelisting for authentication. On the exam, know that subscription keys are optional and can be replaced by other authentication methods.
Only the Premium tier supports VNet injection. This allows the APIM gateway to access backend services inside a virtual network (e.g., private Azure VMs, on-premises via VPN). The Consumption, Developer, Basic, and Standard tiers do not support VNet integration. For the exam, remember: if a question involves accessing a private network backend, the answer is Premium tier.
Use the `<rate-limit>` policy in the inbound section. Example: `<rate-limit calls="100" renewal-period="60" />` limits to 100 calls per 60 seconds per subscription key. For monthly quotas, use `<quota calls="10000" renewal-period="2592000" />`. Rate-limit is for burst control; quota is for volume. Both can be applied at different scopes (API, product, operation).
The default backend request timeout is 60 seconds. You can change it using the `<set-backend-service>` policy with a `timeout` attribute, or by modifying the backend settings. If the backend does not respond within 60 seconds, APIM returns a 504 Gateway Timeout. On the exam, this default is often tested.
Enable Application Insights integration in the APIM instance. Go to Application Insights under the APIM menu, and either create a new resource or link an existing one. Once enabled, APIM sends telemetry (requests, failures, dependencies, traces) to Application Insights. You can then use metrics, logs, and alerts in Azure Monitor. You can also use the `<log-to-eventhub>` policy to send logs to Event Hubs for custom processing.
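An added example of the `<log-to-eventhub>` policy named in the monitoring step and in this answer (not code from the page): it emits one compact JSON event per call to an Event Hubs logger, assumed to be registered on the instance beforehand under the id `security-events`, with a separate event from on-error that names the failing policy. The event deliberately carries the subscription id rather than the key or the Authorization header, so the log stream attributes calls without storing credentials.

```xml
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- One event per completed call. context.Subscription is null when the product does not
             require a key, so callers without one are recorded as "anonymous". -->
        <log-to-eventhub logger-id="security-events">@{
            return new JObject(
                new JProperty("timestamp", context.Timestamp.ToString("o")),
                new JProperty("service", context.Deployment.ServiceName),
                new JProperty("requestId", context.RequestId),
                new JProperty("clientIp", context.Request.IpAddress),
                new JProperty("method", context.Request.Method),
                new JProperty("path", context.Request.Url.Path),
                new JProperty("api", context.Api.Id),
                new JProperty("operation", context.Operation.Id),
                new JProperty("subscriptionId", context.Subscription == null ? "anonymous" : context.Subscription.Id),
                new JProperty("statusCode", context.Response.StatusCode),
                new JProperty("elapsedMs", context.Elapsed.TotalMilliseconds)
            ).ToString(Newtonsoft.Json.Formatting.None);
        }</log-to-eventhub>
    </outbound>
    <on-error>
        <base />
        <!-- Failed calls: LastError identifies which policy raised the error (for example
             validate-jwt, rate-limit or forward-request), which is what an alert rule keys on. -->
        <log-to-eventhub logger-id="security-events">@{
            return new JObject(
                new JProperty("timestamp", context.Timestamp.ToString("o")),
                new JProperty("requestId", context.RequestId),
                new JProperty("clientIp", context.Request.IpAddress),
                new JProperty("api", context.Api.Id),
                new JProperty("operation", context.Operation.Id),
                new JProperty("subscriptionId", context.Subscription == null ? "anonymous" : context.Subscription.Id),
                new JProperty("errorSource", context.LastError.Source),
                new JProperty("errorReason", context.LastError.Reason),
                new JProperty("errorMessage", context.LastError.Message)
            ).ToString(Newtonsoft.Json.Formatting.None);
        }</log-to-eventhub>
    </on-error>
</policies>
```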