What is Azure API Management?
APPLIES TO: All API Management tiers
This article provides an overview of common scenarios and key components of Azure API Management. Azure API Management is a hybrid, multicloud management platform for APIs across all environments. As a platform-as-a-service, API Management supports the complete API lifecycle.
Tip
If you're already familiar with API Management and ready to start, see these resources:
Scenarios
APIs enable digital experiences, simplify application integration, underpin new digital products, and make data and services reusable and universally accessible. With the proliferation and increasing dependency on APIs, organizations need to manage them as first-class assets throughout their lifecycle.
Azure API Management helps customers meet these challenges:
- Abstract backend architecture diversity and complexity from API consumers
- Securely expose services hosted on and outside of Azure as APIs
- Protect, accelerate, and observe APIs
- Enable API discovery and consumption by internal and external users
Common scenarios include:
- Unlocking legacy assets - APIs are used to abstract and modernize legacy backends and make them accessible from new cloud services and modern applications. APIs allow innovation without the risk, cost, and delays of migration.
- API-centric app integration - APIs are easily consumable, standards-based, and self-describing mechanisms for exposing and accessing data, applications, and processes. They simplify and reduce the cost of app integration.
- Multi-channel user experiences - APIs are frequently used to enable user experiences such as web, mobile, wearable, or Internet of Things applications. Reuse APIs to accelerate development and ROI.
- B2B integration - APIs exposed to partners and customers lower the barrier to integrate business processes and exchange data between business entities. APIs eliminate the overhead inherent in point-to-point integration. Especially with self-service discovery and onboarding enabled, APIs are the primary tools for scaling B2B integration.
API Management components
Azure API Management is made up of an API gateway, a management plane, and a developer portal. These components are Azure-hosted and fully managed by default. API Management is available in various tiers differing in capacity and features.
API gateway
All requests from client applications first reach the API gateway, which then forwards them to respective backend services. The API gateway acts as a facade to the backend services, allowing API providers to abstract API implementations and evolve backend architecture without impacting API consumers. The gateway enables consistent configuration of routing, security, throttling, caching, and observability.
Specifically, the gateway:
- Acts as a facade to backend services by accepting API calls and routing them to appropriate backends
- Verifies API keys and other credentials such as JWT tokens and certificates presented with requests
- Enforces usage quotas and rate limits
- Optionally transforms requests and responses as specified in policy statements
- If configured, caches responses to improve response latency and minimize the load on backend services
- Emits logs, metrics, and traces for monitoring, reporting, and troubleshooting
Self-hosted gateway
With the self-hosted gateway, customers can deploy the API gateway to the same environments where they host their APIs, to optimize API traffic and ensure compliance with local regulations and guidelines. The self-hosted gateway enables customers with hybrid IT infrastructure to manage APIs hosted on-premises and across clouds from a single API Management service in Azure.
The self-hosted gateway is packaged as a Linux-based Docker container and is commonly deployed to Kubernetes, including to Azure Kubernetes Service and Azure Arc-enabled Kubernetes.
More information:
Management plane
API providers interact with the service through the management plane, which provides full access to the API Management service capabilities.
Customers interact with the management plane through Azure tools including the Azure portal, Azure PowerShell, Azure CLI, a Visual Studio Code extension, a REST API, or client SDKs in several popular programming languages.
Use the management plane to:
- Provision and configure API Management service settings
- Define or import API schemas from a wide range of sources, including OpenAPI, WSDL, and OData definitions, Azure compute services, and WebSocket, GraphQL, and gRPC backends
- Package APIs into products
- Set up policies like quotas or transformations on the APIs
- Get insights from analytics
- Manage users
Developer portal
The open-source developer portal is an automatically generated, fully customizable website with the documentation of your APIs.
API providers can customize the look and feel of the developer portal by adding custom content, customizing styles, and adding their branding. Extend the developer portal further by self-hosting.
App developers use the open-source developer portal to discover the APIs, onboard to use them, and learn how to consume them in applications. (APIs can also be exported to the Power Platform for discovery and use by citizen developers.)
Using the developer portal, developers can:
- Read API documentation
- Call an API via the interactive console
- Create an account and subscribe to get API keys
- Access analytics on their own usage
- Download API definitions
- Manage API keys
API Management tiers
API Management is offered in a variety of pricing tiers to meet the needs of different customers. Each tier offers a distinct combination of features, performance, capacity limits, scalability, SLA, and pricing for different scenarios. The tiers are grouped as follows:
- Classic - The original API Management offering, including the Developer, Basic, Standard, and Premium tiers. The Premium tier is designed for enterprises requiring access to private backends, enhanced security features, multi-region deployments, availability zones, and high scalability. The Developer tier is an economical option for non-production use, while the Basic, Standard, and Premium tiers are production-ready tiers.
- V2 - A new set of tiers that offer fast provisioning and scaling, including Basic v2 for development and testing, and Standard v2 and Premium v2 for production workloads. Standard v2 and Premium v2 support virtual network integration for simplified connection to network-isolated backends. Premium v2 also supports virtual network injection for full isolation of network traffic to and from the gateway.
- Consumption - The Consumption tier is a serverless gateway for managing APIs that scales based on demand and billed per execution. It is designed for applications with serverless compute, microservices-based architectures, and those with variable traffic patterns.
More information:
Integration with Azure services
API Management integrates with many complementary Azure services to create enterprise solutions, including:
- Azure API Center to build a complete inventory of APIs in the organization - regardless of their type, lifecycle stage, or deployment location - for API discovery, reuse, and governance
- Copilot in Azure to help author API Management policies or explain already configured policies
- Azure Key Vault for secure safekeeping and management of client certificates and secrets
- Azure Monitor for logging, reporting, and alerting on management operations, systems events, and API requests
- Application Insights for live metrics, end-to-end tracing, and troubleshooting
- Virtual networks, private endpoints, Application Gateway, and Azure Front Door for network-level protection
- Azure Defender for APIs and Azure DDoS Protection for runtime protection against malicious attacks
- Microsoft Entra ID for developer authentication and request authorization
- Event Hubs for streaming events
- Several Azure compute offerings commonly used to build and host APIs on Azure, including Functions, Logic Apps, Web Apps, Service Fabric, and others including Azure OpenAI service.
More information:
Key concepts
APIs
APIs are the foundation of an API Management service instance. Each API represents a set of operations available to app developers. Each API contains a reference to the backend service that implements the API, and its operations map to backend operations.
Operations in API Management are highly configurable, with control over URL mapping, query and path parameters, request and response content, and operation response caching.
More information:
Products
Products are how APIs are surfaced to developers. Products in API Management have one or more APIs, and can be open or protected. Protected products require a subscription key, while open products can be consumed freely.
When a product is ready for use by developers, it can be published. Once published, it can be viewed or subscribed to by developers using the developer portal. Subscription approval is configured at the product level and can either require an administrator's approval or be automatic.
More information:
Groups
Groups are used to manage the visibility of products to developers. API Management has the following built-in groups for developers:
Developers - Authenticated developer portal users that build applications using your APIs. Developers are granted access to the developer portal and build applications that call the operations of an API.
Guests - Unauthenticated developer portal users, such as prospective customers visiting the developer portal. They can be granted certain read-only access, such as the ability to view APIs but not call them.
API Management service owners can also create custom groups or use external groups in an associated Microsoft Entra tenant to give developers visibility and access to API products. For example, create a custom group for developers in a partner organization to access a specific subset of APIs in a product. A user can belong to more than one group.
More information:
Developers
Developers represent the user accounts in an API Management service instance. Developers can be created or invited to join by administrators, or they can sign up from the developer portal. Each developer is a member of one or more groups, and can subscribe to the products that grant visibility to those groups.
When developers subscribe to a product, they're granted the primary and secondary key for the product for use when calling the product's APIs.
More information:
Workspaces
Workspaces allow decentralized API development teams to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. Each workspace contains APIs, products, subscriptions, and related entities that are accessible only to the workspace collaborators. Access is controlled through Azure role-based access control (RBAC). Each workspace is associated with a workspace gateway that routes API traffic to its backend services.
More information:
Policies
With policies, an API publisher can change the behavior of an API through configuration. Policies are a collection of statements that are executed sequentially on the request or response of an API. Popular statements include format conversion from XML to JSON and call-rate limiting to restrict the number of incoming calls from a developer. For a complete list, see API Management policies.
Policy expressions can be used as attribute values or text values in any of the API Management policies, unless the policy specifies otherwise. Some policies such as the Control flow and Set variable policies are based on policy expressions.
Policies can be applied at different scopes, depending on your needs: global (all APIs), a workspace, a product, a specific API, or an API operation.
More information:
Next steps
Complete the following quickstart and start using Azure API Management: