This chapter covers Azure API Management (APIM), a fully managed service that enables organizations to publish, secure, transform, maintain, and monitor APIs. As part of the Azure Architecture Services domain (Objective 2.2), APIM is a medium-weight topic on the AZ-900 exam, typically appearing in 2-4 questions. Understanding APIM's core components—API gateway, management plane, and developer portal—and its use cases for exposing legacy systems, aggregating microservices, and enabling partner integrations is critical. You will learn how APIM acts as a facade between consumers and backend services, and how it differs from other integration services like Azure Logic Apps and Azure Functions.
Imagine you run a busy restaurant with multiple kitchens (backend services) and many different types of customers (client applications). Without a maître d', customers would walk directly into the kitchens, causing chaos: some kitchens would be overwhelmed, others idle; some customers would demand special treatment while others wait forever; and the chefs would have to deal with every request, including rude or malicious guests. Azure API Management is like hiring a professional maître d' who stands at the front door. The maître d' (API gateway) greets every customer, checks their reservation (API key or token), and decides which kitchen to send them to based on the menu item they ordered (the API endpoint). If too many customers arrive at once, the maître d' politely asks some to wait in a lounge (rate limiting and throttling). The maître d' also keeps a log of every order (analytics) and can even transform the customer's order into a format the kitchen understands (request/response transformation). If a kitchen changes its menu (backend update), the maître d' updates the menu board (API versioning) without bothering the customers. And if a customer is consistently rude, the maître d' can ban them (IP filtering or revocation). The maître d' never cooks the food, but ensures the whole operation runs smoothly, securely, and at scale.
What is Azure API Management and Why Does It Exist?
Azure API Management (APIM) is a hybrid, multicloud API management platform that sits between your backend services (the APIs you want to expose) and the consumers of those APIs (e.g., mobile apps, web apps, partner systems). Its primary purpose is to solve the common challenges of exposing APIs at scale: security, rate limiting, analytics, versioning, and documentation. Without APIM, developers would have to build these capabilities into each backend service, leading to duplication, inconsistency, and maintenance nightmares. APIM provides a centralized, policy-driven gateway that enforces cross-cutting concerns without modifying backend code.
How It Works – Step by Step
Client Request Arrives: A client (e.g., a mobile app) sends an HTTP request to the APIM gateway endpoint, e.g., https://myapim.azure-api.net/api/orders.
Gateway Processes Request: The gateway applies inbound policies (defined in XML policy documents) such as IP filtering, authentication (API key, OAuth2, or JWT validation), and rate limiting.
Backend Call: The gateway forwards the request to the configured backend service (e.g., a Function App, App Service, or on-premises API) after optionally transforming the request (e.g., adding headers or modifying the URL).
Backend Response: The backend sends a response back to the gateway.
Gateway Processes Response: The gateway applies outbound policies (e.g., caching, response transformation, or logging) and sends the response to the client.
Analytics & Logging: The gateway logs every request and response, enabling monitoring and analytics in the Azure portal or via Application Insights.
Key Components
API Gateway: The endpoint that accepts API calls and enforces policies. It is offered in several pricing tiers: Consumption (serverless, pay-per-call), Developer (for testing, no SLA), Basic and Standard (for production, with SLA), and Premium (for high-scale, multi-region, and VNet deployments).
Management Plane: The Azure portal, REST API, or CLI used to configure APIs, policies, and users. It stores all configuration in an internal database.
Developer Portal: A customizable website where external developers can discover APIs, read documentation, test API calls, and subscribe to products. It supports OpenAPI (Swagger) import.
Pricing Tiers (Important for AZ-900)
Consumption: Serverless, billed per million calls. No SLA, no VNet support, no caching. Best for low-traffic or dev/test scenarios.
Developer: Fixed monthly cost, unlimited calls, but no SLA. Includes full feature set for testing.
Basic, Standard, Premium: Production tiers with SLA (99.95% for Basic and Standard, 99.99% for Premium in multi-region). Premium supports multi-region deployment and VNet injection.
Policies – The Heart of APIM
Policies are a collection of statements that are executed sequentially on the request or response. They are defined as XML documents. Common policies include:
- Rate limit: Limits calls per time window per subscription.
- IP filter: Allows or blocks calls from specific IP addresses.
- Set backend service: Dynamically changes the backend URL.
- CORS: Enables cross-origin requests.
- Cache responses: Caches backend responses to reduce load.
- Convert XML to JSON: Transforms response format.
Comparison to On-Premises Equivalent
Before cloud API management, organizations used on-premises API gateways like IBM DataPower, Apigee (now Google), or custom-built solutions using NGINX or Kong. These required hardware procurement, manual scaling, and significant operational overhead. Azure APIM eliminates infrastructure management, provides built-in high availability, and integrates natively with Azure AD, Application Insights, and other Azure services. The trade-off is vendor lock-in and potential egress costs.
Azure Portal and CLI Touchpoints
- Azure Portal: Navigate to "API Management services" -> Create -> Select tier -> Configure virtual network (Premium) -> Add APIs (import from OpenAPI, App Service, Function App, or blank) -> Add policies -> Publish to developer portal.
- Azure CLI: Create an APIM instance:
az apim create --name myapim --resource-group myRG --publisher-email admin@contoso.com --publisher-name Contoso --sku-name Consumption
- Import an API:
az apim api import --service-name myapim --resource-group myRG --api-id orders-api --path /orders --specification-format OpenApi --specification-path ./swagger.json
Business Scenarios
Legacy System Exposure: A bank has a mainframe COBOL system. By wrapping it with a REST API via APIM, they expose account balance and transaction history to mobile apps without modifying the mainframe. APIM handles authentication and rate limiting.
Microservices Aggregation: An e-commerce platform uses multiple microservices (inventory, pricing, shipping). APIM provides a single endpoint that routes to the correct service based on the URL path, and can aggregate responses from multiple services into one response (using policies with send-request).
Partner Integration: A SaaS company allows partners to access customer data via APIs. APIM provides a developer portal with API keys, usage quotas, and analytics to track partner usage and bill accordingly.
Create an APIM Instance
In the Azure portal, click 'Create a resource' and search for 'API Management'. Fill in the basics: subscription, resource group, region, and a globally unique DNS name (e.g., 'myapim'). Choose a pricing tier: Consumption for dev/test, Developer for full-featured testing, or Standard for production. For Premium, you can also select multi-region deployment. Behind the scenes, Azure provisions the gateway endpoints, management database, and developer portal. The process takes 20-40 minutes for non-Consumption tiers; Consumption is faster (~5 minutes). During creation, you can also configure a virtual network (Premium only) for private access to backend services.
Import or Create an API
After the instance is ready, go to 'APIs' in the left menu. You can import an API from an OpenAPI (Swagger) file, a WSDL, an Azure App Service, a Function App, a Logic App, or build it from scratch. For example, import a Swagger JSON that describes your existing REST API. APIM parses the definition and creates operations (GET, POST, etc.) automatically. You can also set a URL suffix (e.g., '/orders') that becomes part of the gateway URL. The backend URL is the actual service endpoint. APIM will proxy requests to that backend.
Configure Policies for Security
Policies are added at the product, API, or operation scope. For security, common policies include 'validate-jwt' (for JWT tokens), 'check-header' (for API keys), and 'ip-filter'. To add a rate limit policy, go to the API's 'Inbound processing' and add a policy like: <rate-limit calls="10" renewal-period="60" />. This limits the subscription to 10 calls per 60 seconds. Policies are written in XML and can be edited in the portal's policy editor. Azure stores these policies in the management database and applies them at the gateway.
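A complete policy document that combines the security policies named above, plus a JSON body for throttled calls instead of the gateway's default error, written as an added example rather than code from this page or from Microsoft. TENANT_ID, API_AUDIENCE, the Orders.Read role and the 203.0.113.0/24 address range are constructed placeholders.

```xml
<!-- Added example policy for the 'orders' API scope (not from the page).
     Placeholders: TENANT_ID, API_AUDIENCE, role name and IP range are constructed. -->
<policies>
  <inbound>
    <base />
    <!-- Accept calls only from the partner's published address range (constructed range). -->
    <ip-filter action="allow">
      <address-range from="203.0.113.0" to="203.0.113.255" />
    </ip-filter>
    <!-- Reject any request whose bearer token is not a valid Azure AD JWT for this API. -->
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized" require-scheme="Bearer">
      <openid-config url="https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://API_AUDIENCE</audience>
      </audiences>
      <required-claims>
        <claim name="roles" match="any">
          <value>Orders.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- Per-subscription throttle: 10 calls per 60 seconds, as in the section above. -->
    <rate-limit calls="10" renewal-period="60" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
    <!-- Do not echo the backend's server banner to consumers. -->
    <set-header name="Server" exists-action="delete" />
  </outbound>
  <on-error>
    <base />
    <!-- When the rate limit trips, return a small JSON body instead of the default error page. -->
    <choose>
      <when condition="@(context.Response.StatusCode == 429)">
        <set-header name="Content-Type" exists-action="override">
          <value>application/json</value>
        </set-header>
        <set-body>{"error":"rate_limited","message":"Quota exceeded; retry after the Retry-After interval."}</set-body>
      </when>
    </choose>
  </on-error>
</policies>
```

The order inside inbound matters: the cheap ip-filter runs first, so calls from outside the range never reach the JWT validation or count against the subscription's quota.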
Publish to Developer Portal
To make your API discoverable, you must publish it to the developer portal. Go to 'Products' and create a product (e.g., 'Starter' or 'Unlimited'). Add your API to the product. Then, in the developer portal settings, enable 'Developer portal' and publish the site. External developers will see the API documentation, can sign up, get subscription keys, and test calls in the interactive console. The portal is customizable with branding. You can also require approval for subscriptions.
Monitor and Analyze Usage
APIM provides built-in analytics in the portal under 'Analytics'. You can view API call counts, response times, error rates, and top products. For deeper insights, integrate with Azure Application Insights. Enable 'Application Insights' in the APIM instance settings and provide an instrumentation key. Then, every request is logged with custom dimensions. You can also set up alerts (e.g., when error rate exceeds 5%). This step is critical for understanding usage patterns and troubleshooting issues.
Scenario 1: Exposing a Legacy On-Premises System
A large insurance company has a claims processing system running on IBM CICS on a mainframe. They want to build a mobile app for adjusters to submit claims. Instead of rewriting the mainframe, they deploy Azure API Management with a Premium tier instance that is connected to their on-premises network via a site-to-site VPN. The backend is an Azure Function that translates REST calls into CICS transactions. APIM handles authentication via Azure AD B2C and applies rate limiting to prevent overload. The developer portal provides documentation for the mobile dev team. Without APIM, each mobile client would need direct access to the mainframe, creating a security risk and requiring complex VPN management. The cost is about $3,000/month for Premium tier plus data transfer costs. A common mistake is underestimating the need for VNet integration; using Standard tier without VNet would expose the on-premises backend over the internet, violating compliance.
Scenario 2: Aggregating Microservices for a Retail Platform
An e-commerce startup uses multiple microservices: product catalog, inventory, pricing, and shipping. They want a single API endpoint for their web frontend. They deploy APIM in Standard tier and import each microservice as a separate API under a common URL suffix. They use policies to add CORS headers, transform JSON responses (e.g., remove internal fields), and cache product catalog responses for 60 seconds. The 'send-request' policy is used to aggregate data from inventory and pricing services into a single response. This reduces frontend complexity and backend calls. However, if the cache policy is misconfigured (e.g., too long a TTL), the frontend may show stale inventory data, causing overselling. The team monitors cache hit ratio in analytics and adjusts TTL based on update frequency.
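An inbound policy for a GET /products/{id} operation that does the fan-out and 60-second caching this scenario describes, written as an added example and not the startup's or Microsoft's code. The inventory and pricing hostnames, the warehouseCode field and the shop.example.com origin are constructed placeholders.

```xml
<!-- Added example (not from the page): aggregate inventory and pricing into one response
     and cache the merged JSON for 60 seconds. Hostnames and field names are constructed. -->
<policies>
  <inbound>
    <base />
    <cors>
      <allowed-origins>
        <origin>https://shop.example.com</origin>
      </allowed-origins>
      <allowed-methods>
        <method>GET</method>
      </allowed-methods>
    </cors>
    <set-variable name="cacheKey" value="@("product-" + context.Request.MatchedParameters["id"])" />
    <!-- Cache hit: answer from the stored aggregate without calling either microservice. -->
    <cache-lookup-value key="@((string)context.Variables["cacheKey"])" variable-name="cached" />
    <choose>
      <when condition="@(context.Variables.ContainsKey("cached"))">
        <return-response>
          <set-status code="200" reason="OK" />
          <set-header name="Content-Type" exists-action="override">
            <value>application/json</value>
          </set-header>
          <set-body>@((string)context.Variables["cached"])</set-body>
        </return-response>
      </when>
    </choose>
    <!-- Cache miss: call both services, then merge the two JSON bodies. -->
    <send-request mode="new" response-variable-name="inventory" timeout="5" ignore-error="false">
      <set-url>@("https://inventory.internal.example/items/" + context.Request.MatchedParameters["id"])</set-url>
      <set-method>GET</set-method>
    </send-request>
    <send-request mode="new" response-variable-name="pricing" timeout="5" ignore-error="false">
      <set-url>@("https://pricing.internal.example/prices/" + context.Request.MatchedParameters["id"])</set-url>
      <set-method>GET</set-method>
    </send-request>
    <!-- Strip the internal warehouseCode field before the payload leaves the gateway. -->
    <set-variable name="aggregate" value="@{
        var inv = ((IResponse)context.Variables["inventory"]).Body.As<JObject>();
        var price = ((IResponse)context.Variables["pricing"]).Body.As<JObject>();
        inv.Remove("warehouseCode");
        return new JObject(
            new JProperty("id", context.Request.MatchedParameters["id"]),
            new JProperty("inventory", inv),
            new JProperty("pricing", price)).ToString();
    }" />
    <!-- 60-second TTL: long enough to absorb bursts, short enough to limit stale stock counts. -->
    <cache-store-value key="@((string)context.Variables["cacheKey"])" value="@((string)context.Variables["aggregate"])" duration="60" />
    <return-response>
      <set-status code="200" reason="OK" />
      <set-header name="Content-Type" exists-action="override">
        <value>application/json</value>
      </set-header>
      <set-body>@((string)context.Variables["aggregate"])</set-body>
    </return-response>
  </inbound>
  <outbound>
    <base />
  </outbound>
</policies>
```

Raising duration above the inventory service's update interval is the misconfiguration the scenario warns about: every cached copy then advertises stock that may already be sold.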
Scenario 3: Partner API Monetization
A weather data provider sells API access to various clients (mobile apps, news websites, agriculture firms). They use APIM Consumption tier for low-cost entry and create multiple products: 'Starter' (100 calls/day), 'Pro' (10,000 calls/day), and 'Enterprise' (unlimited). Each product has a different rate limit policy. Partners sign up via the developer portal and receive a subscription key. APIM tracks usage per key, and the provider bills monthly based on analytics reports. The Consumption tier works well because traffic is bursty and they don't need a fixed gateway cost. However, they hit a limit of 100 API management units per region (soft limit) which required a support ticket to increase. Misconfiguring rate limits (e.g., setting too low a limit) caused legitimate partners to get 429 errors, leading to complaints. They added a custom error message policy to return a friendly JSON response instead of the default HTML error.
Exactly What AZ-900 Tests
Objective 2.2: Describe the core architecture services. For API Management, the exam focuses on:
The purpose of APIM as a facade for managing, securing, and monitoring APIs.
The three main components: API gateway, management plane, developer portal.
Key capabilities: rate limiting, IP filtering, authentication, caching, transformation, analytics.
Pricing tiers: Consumption (serverless, no SLA), Developer (no SLA), Basic/Standard (99.95% SLA), Premium (99.99% SLA with multi-region).
Common use cases: exposing legacy services, microservices aggregation, partner enablement.
Common Wrong Answers and Why
"Azure API Management is used to build APIs from scratch." Wrong. APIM is a gateway for existing APIs; it does not host API code. Use Azure Functions or App Service to build APIs.
"APIM replaces the need for a backend service." Wrong. APIM proxies to a backend; the backend still handles business logic and data.
"All tiers provide an SLA." Wrong. Consumption and Developer tiers have no SLA (Developer has no SLA despite fixed cost). Only Basic, Standard, and Premium have SLAs.
"APIM can only manage REST APIs." Wrong. It also supports SOAP (via pass-through or REST mapping) and WebSocket APIs (in Premium tier).
"APIM is a database service." Wrong. It is a gateway, not a data store. It can cache responses but not persist data.
Specific Terms and Values
API Gateway: The endpoint that accepts calls. Note: In Consumption tier, the gateway is fully managed and scales automatically.
Policies: XML-based rules. Common exam examples: <rate-limit>, <ip-filter>, <validate-jwt>.
Products: How APIs are grouped and offered to developers. Products have visibility (public, private) and require subscription.
Subscriptions: Keys that identify consumers. Can be scoped to product or API.
SLA: 99.95% for Basic/Standard, 99.99% for Premium (multi-region). No SLA for Consumption/Developer.
Edge Cases and Tricky Distinctions
APIM vs. Azure Front Door: Front Door is a global load balancer and web application firewall; APIM is an API gateway with policy enforcement. They can be used together (Front Door in front of APIM).
APIM vs. Azure Application Gateway: Application Gateway is a layer-7 load balancer with WAF; APIM is layer-7 with API-specific policies (rate limiting, transformation).
Self-hosted gateway: APIM allows deploying the gateway component in containers (e.g., on-premises or other clouds) for hybrid scenarios. This is a Premium tier feature.
API versioning: APIM supports version sets; you can have multiple versions (v1, v2) under the same API, each with different policies.
Memory Trick
Think of APIM as a Police Officer: Policies (enforce rules), Observes (analytics), Manages (security, versioning). The three components: Gateway (the officer at the door), Management plane (the police station), Developer portal (the public information desk).
Azure API Management (APIM) is a fully managed service that provides an API gateway, management plane, and developer portal.
APIM does not host API code; it proxies requests to backend services (e.g., Azure Functions, App Service, on-premises).
Key capabilities: rate limiting, IP filtering, authentication (API key, JWT, OAuth2), caching, request/response transformation, and analytics.
Pricing tiers: Consumption (serverless, no SLA, pay-per-call), Developer (no SLA, fixed cost), Basic/Standard (99.95% SLA), Premium (99.99% SLA, multi-region, VNet).
Policies are XML rules applied at the gateway to enforce cross-cutting concerns.
APIM can import APIs from OpenAPI (Swagger), WSDL, or create from Azure services.
Common use cases: exposing legacy systems, aggregating microservices, and partner API monetization.
APIM integrates with Azure AD, Application Insights, and Azure Monitor for security and observability.
Self-hosted gateway (Premium) allows running the gateway in containers for hybrid scenarios.
On AZ-900, remember that Consumption and Developer tiers have no SLA; only Basic, Standard, and Premium have SLAs.
These come up on the exam all the time. Here's how to tell them apart.
Azure API Management
Acts as a gateway for existing APIs, enforcing policies like rate limiting and authentication.
Does not execute business logic; it proxies requests to backends.
Primarily used for API management, security, and developer portal.
Supports REST, SOAP, and WebSocket APIs.
Pricing based on per-call (Consumption) or fixed monthly (other tiers).
Azure Logic Apps
Is a serverless workflow orchestrator that can call APIs as part of a workflow.
Executes business logic through connectors and integrations.
Used for automating processes, integrating systems, and orchestrating APIs.
Supports 200+ connectors (e.g., Office 365, SQL, Salesforce) and custom APIs.
Pricing based on execution actions and connector usage.
Mistake
Azure API Management hosts and runs your API code.
Correct
APIM is a proxy/gateway only. It does not execute business logic or store data. Your backend (e.g., Azure Functions, App Service, or on-premises) handles the actual API logic.
Mistake
All pricing tiers of APIM include a service-level agreement (SLA).
Correct
Consumption and Developer tiers have no SLA. Basic, Standard, and Premium tiers have an SLA (99.95% for Basic/Standard, 99.99% for Premium in multi-region).
Mistake
APIM can only be used for REST APIs.
Correct
APIM supports REST, SOAP (via SOAP-to-REST mapping), and WebSocket APIs (in Premium tier). It can also import WSDL definitions.
Mistake
APIM is a database or caching service like Azure Redis Cache.
Correct
APIM can cache responses to reduce backend load, but it is not a primary data store. It uses an internal cache (or external Azure Redis Cache) for caching, but its main role is API management.
Mistake
APIM requires backend services to be in Azure.
Correct
APIM can proxy to any HTTP/HTTPS endpoint, including on-premises services, other clouds, or even public APIs. VNet integration (Premium tier) enables private connectivity to on-premises.
Azure Functions is a serverless compute service that runs your code in response to events (e.g., HTTP requests). You can build an API using Functions. Azure API Management is a gateway that sits in front of your API (which could be built with Functions or any other service) to add security, rate limiting, caching, and a developer portal. They are often used together: Functions provides the backend logic, APIM provides the management layer. On the exam, remember that APIM does not execute code; it manages APIs.
Yes, WebSocket API support is available in the Premium tier of Azure API Management. This allows you to manage WebSocket connections with policies for authentication, rate limiting, and logging. The Consumption, Developer, Basic, and Standard tiers do not support WebSocket APIs. This is a common exam detail — know that WebSocket support is a Premium-only feature.
Yes, you can. APIM can proxy to any HTTP/HTTPS endpoint, including on-premises APIs. For secure connectivity, you can use a site-to-site VPN or Azure ExpressRoute. The Premium tier also supports VNet injection, allowing the APIM gateway to be placed inside your virtual network for private access to on-premises backends. The Consumption tier does not support VNet integration.
The SLA depends on the tier: Consumption and Developer tiers have no SLA. Basic and Standard tiers offer 99.95% uptime. Premium tier offers 99.95% for single-region deployments and 99.99% for multi-region deployments. The SLA covers the gateway endpoint only, not the management plane or developer portal. This is a frequently tested fact on AZ-900.
APIM supports API versioning through version sets. You can create multiple versions of an API (e.g., v1, v2) under the same API name. Each version can have its own backend URL, policies, and lifecycle. Clients access a specific version via a URL path (e.g., /api/v1/orders) or a query string. This allows you to introduce breaking changes without affecting existing consumers.
A product is a grouping of one or more APIs that are offered to developers through the developer portal. Products have visibility settings (public or private) and require a subscription (with approval or open). Each product can have its own policies (e.g., rate limits). Developers subscribe to a product to get an API key that grants access to the APIs within that product. This is a key concept for understanding how APIM organizes and monetizes APIs.
Yes, APIM supports multiple authentication methods, including Azure AD (via OAuth2 and JWT validation). You can configure a policy to validate JWT tokens issued by Azure AD, ensuring only authenticated users can call your API. APIM also supports integration with Azure AD B2C for consumer-facing applications. This is a common exam scenario for enterprise security.