Microsoft.ApiManagement service 2017-03-01

Bicep resource definition

The service resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ApiManagement/service resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.ApiManagement/service@2017-03-01' = {
  identity: {
    type: 'string'
  }
  location: 'string'
  name: 'string'
  properties: {
    additionalLocations: [
      {
        location: 'string'
        sku: {
          capacity: int
          name: 'string'
        }
        virtualNetworkConfiguration: {
          subnetResourceId: 'string'
        }
      }
    ]
    certificates: [
      {
        certificatePassword: 'string'
        encodedCertificate: 'string'
        storeName: 'string'
      }
    ]
    customProperties: {
      {customized property}: 'string'
    }
    hostnameConfigurations: [
      {
        certificatePassword: 'string'
        defaultSslBinding: bool
        encodedCertificate: 'string'
        hostName: 'string'
        keyVaultId: 'string'
        negotiateClientCertificate: bool
        type: 'string'
      }
    ]
    notificationSenderEmail: 'string'
    publisherEmail: 'string'
    publisherName: 'string'
    virtualNetworkConfiguration: {
      subnetResourceId: 'string'
    }
    virtualNetworkType: 'string'
  }
  sku: {
    capacity: int
    name: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

AdditionalLocation

Name Description Value
location The location name of the additional region among Azure Data center regions. string (required)
sku SKU properties of the API Management service. ApiManagementServiceSkuProperties (required)
virtualNetworkConfiguration Virtual network configuration for the location. VirtualNetworkConfiguration

ApiManagementServiceBasePropertiesCustomProperties

Name Description Value

ApiManagementServiceIdentity

Name Description Value
type The identity type. Currently the only supported type is 'SystemAssigned'. 'SystemAssigned' (required)

ApiManagementServiceProperties

Name Description Value
additionalLocations Additional datacenter locations of the API Management service. AdditionalLocation[]
certificates List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. CertificateConfiguration[]
customProperties Custom properties of the API Management service. Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168 will disable the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA for all TLS(1.0, 1.1 and 1.2). Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11 can be used to disable just TLS 1.1 and setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 can be used to disable TLS 1.0 on an API Management service. ApiManagementServiceBasePropertiesCustomProperties
hostnameConfigurations Custom hostname configuration of the API Management service. HostnameConfiguration[]
notificationSenderEmail Email address from which the notification will be sent. string

Constraints:
Max length =
publisherEmail Publisher email. string

Constraints:
Max length = (required)
publisherName Publisher name. string

Constraints:
Max length = (required)
virtualNetworkConfiguration Virtual network configuration of the API Management service. VirtualNetworkConfiguration
virtualNetworkType The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. 'External'
'Internal'
'None'

ApiManagementServiceSkuProperties

Name Description Value
capacity Capacity of the SKU (number of deployed units of the SKU). The default value is 1. int
name Name of the Sku. 'Basic'
'Developer'
'Premium'
'Standard' (required)

ApimResourceTags

Name Description Value

CertificateConfiguration

Name Description Value
certificatePassword Certificate Password. string
encodedCertificate Base64 Encoded certificate. string
storeName The local certificate store location. Only Root and CertificateAuthority are valid locations. 'CertificateAuthority'
'Root' (required)

HostnameConfiguration

Name Description Value
certificatePassword Certificate Password. string
defaultSslBinding Specify true to setup the certificate associated with this Hostname as the Default SSL Certificate. If a client does not send the SNI header, then this will be the certificate that will be challenged. The property is useful if a service has multiple custom hostname enabled and it needs to decide on the default ssl certificate. The setting only applied to Proxy Hostname Type. bool
encodedCertificate Base64 Encoded certificate. string
hostName Hostname to configure on the Api Management service. string (required)
keyVaultId Url to the KeyVault Secret containing the Ssl Certificate. If absolute Url containing version is provided, auto-update of ssl certificate will not work. This requires Api Management service to be configured with MSI. The secret should be of type application/x-pkcs12 string
negotiateClientCertificate Specify true to always negotiate client certificate on the hostname. Default Value is false. bool
type Hostname type. 'Management'
'Portal'
'Proxy'
'Scm' (required)

Microsoft.ApiManagement/service

Name Description Value
identity Managed service identity of the Api Management service. ApiManagementServiceIdentity
location Resource location. string (required)
name The resource name string

Constraints:
Min length = 1
Max length = 1
Pattern = ^[a-zA-Z](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$ (required)
properties Properties of the API Management service. ApiManagementServiceProperties (required)
sku SKU properties of the API Management service. ApiManagementServiceSkuProperties (required)
tags Resource tags Dictionary of tag names and values. See Tags in templates

VirtualNetworkConfiguration

Name Description Value
subnetResourceId The full resource ID of a subnet in a virtual network to deploy the API Management service in. string

Constraints:
Pattern = ^/subscriptions/[^/]*/resourceGroups/[^/]*/providers/Microsoft.(ClassicNetwork|Network)/virtualNetworks/[^/]*/subnets/[^/]*$

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
Application Gateway with internal API Management and Web App Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App.
Create a multiregion Premium tier API Management instance This template demonstrates how to create an API Management instance with additional locations. The primary location is the same as location of the resource group. For additional locations, the template shows NorthCentralUs and East US2. The primary location should be different from additional locations.
Create an API Management instance having MSI Identity This template creates a developer instance of Azure API Management having an MSI Identity
Create an API Management instance using a template This template creates a developer instance of Azure API Management
Create an API Management service with a private endpoint This template will create an API Management service, a virtual network and a private endpoint exposing the API Management service to the virtual network.
Create an API Management service with SSL from KeyVault This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours.
Create API Management in Internal VNet with App Gateway This template demonstrates how to Create a instance of Azure API Management on a private network protected by Azure Application Gateway.
Deploy API Management in external VNet with public IP This template demonstrates how to create an instance of Azure API Management in the Premium tier within your virtual network's subnet in external mode and configure recommended NSG rules on the subnet. The instance is deployed to two availability zones. The template also configures a public IP address from your subscription.
Deploy API Management in internal VNet with public IP This template demonstrates how to create an instance of Azure API Management in the Premium tier within your virtual network's subnet in internal mode and configure recommended NSG rules on the subnet. The instance is deployed to two availability zones. The template also configures a public IP address from your subscription.
Deploy API Management into Availability Zones This template creates a premium instance of Azure API Management and deploys into an Availability Zone
Deploy API Management with an external Azure Cache for Redis This template demonstrates how to create an instance of Azure API Management in the Consumption tier with an external Azure Cache for Redis instance as the API Management external cache.
Front Door Standard/Premium with API Management origin This template creates a Front Door Premium and an API Management instance, and uses an NSG and global API Management policy to validate that traffic has come through the Front Door origin.

ARM template resource definition

The service resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ApiManagement/service resource, add the following JSON to your template.

{
  "type": "Microsoft.ApiManagement/service",
  "apiVersion": "2017-03-01",
  "name": "string",
  "identity": {
    "type": "string"
  },
  "location": "string",
  "properties": {
    "additionalLocations": [
      {
        "location": "string",
        "sku": {
          "capacity": "int",
          "name": "string"
        },
        "virtualNetworkConfiguration": {
          "subnetResourceId": "string"
        }
      }
    ],
    "certificates": [
      {
        "certificatePassword": "string",
        "encodedCertificate": "string",
        "storeName": "string"
      }
    ],
    "customProperties": {
      "{customized property}": "string"
    },
    "hostnameConfigurations": [
      {
        "certificatePassword": "string",
        "defaultSslBinding": "bool",
        "encodedCertificate": "string",
        "hostName": "string",
        "keyVaultId": "string",
        "negotiateClientCertificate": "bool",
        "type": "string"
      }
    ],
    "notificationSenderEmail": "string",
    "publisherEmail": "string",
    "publisherName": "string",
    "virtualNetworkConfiguration": {
      "subnetResourceId": "string"
    },
    "virtualNetworkType": "string"
  },
  "sku": {
    "capacity": "int",
    "name": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

AdditionalLocation

Name Description Value
location The location name of the additional region among Azure Data center regions. string (required)
sku SKU properties of the API Management service. ApiManagementServiceSkuProperties (required)
virtualNetworkConfiguration Virtual network configuration for the location. VirtualNetworkConfiguration

ApiManagementServiceBasePropertiesCustomProperties

Name Description Value

ApiManagementServiceIdentity

Name Description Value
type The identity type. Currently the only supported type is 'SystemAssigned'. 'SystemAssigned' (required)

ApiManagementServiceProperties

Name Description Value
additionalLocations Additional datacenter locations of the API Management service. AdditionalLocation[]
certificates List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. CertificateConfiguration[]
customProperties Custom properties of the API Management service. Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168 will disable the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA for all TLS(1.0, 1.1 and 1.2). Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11 can be used to disable just TLS 1.1 and setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 can be used to disable TLS 1.0 on an API Management service. ApiManagementServiceBasePropertiesCustomProperties
hostnameConfigurations Custom hostname configuration of the API Management service. HostnameConfiguration[]
notificationSenderEmail Email address from which the notification will be sent. string

Constraints:
Max length =
publisherEmail Publisher email. string

Constraints:
Max length = (required)
publisherName Publisher name. string

Constraints:
Max length = (required)
virtualNetworkConfiguration Virtual network configuration of the API Management service. VirtualNetworkConfiguration
virtualNetworkType The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. 'External'
'Internal'
'None'

ApiManagementServiceSkuProperties

Name Description Value
capacity Capacity of the SKU (number of deployed units of the SKU). The default value is 1. int
name Name of the Sku. 'Basic'
'Developer'
'Premium'
'Standard' (required)

ApimResourceTags

Name Description Value

CertificateConfiguration

Name Description Value
certificatePassword Certificate Password. string
encodedCertificate Base64 Encoded certificate. string
storeName The local certificate store location. Only Root and CertificateAuthority are valid locations. 'CertificateAuthority'
'Root' (required)

HostnameConfiguration

Name Description Value
certificatePassword Certificate Password. string
defaultSslBinding Specify true to setup the certificate associated with this Hostname as the Default SSL Certificate. If a client does not send the SNI header, then this will be the certificate that will be challenged. The property is useful if a service has multiple custom hostname enabled and it needs to decide on the default ssl certificate. The setting only applied to Proxy Hostname Type. bool
encodedCertificate Base64 Encoded certificate. string
hostName Hostname to configure on the Api Management service. string (required)
keyVaultId Url to the KeyVault Secret containing the Ssl Certificate. If absolute Url containing version is provided, auto-update of ssl certificate will not work. This requires Api Management service to be configured with MSI. The secret should be of type application/x-pkcs12 string
negotiateClientCertificate Specify true to always negotiate client certificate on the hostname. Default Value is false. bool
type Hostname type. 'Management'
'Portal'
'Proxy'
'Scm' (required)

Microsoft.ApiManagement/service

Name Description Value
apiVersion The api version '2017-03-01'
identity Managed service identity of the Api Management service. ApiManagementServiceIdentity
location Resource location. string (required)
name The resource name string

Constraints:
Min length = 1
Max length = 1
Pattern = ^[a-zA-Z](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$ (required)
properties Properties of the API Management service. ApiManagementServiceProperties (required)
sku SKU properties of the API Management service. ApiManagementServiceSkuProperties (required)
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.ApiManagement/service'

VirtualNetworkConfiguration

Name Description Value
subnetResourceId The full resource ID of a subnet in a virtual network to deploy the API Management service in. string

Constraints:
Pattern = ^/subscriptions/[^/]*/resourceGroups/[^/]*/providers/Microsoft.(ClassicNetwork|Network)/virtualNetworks/[^/]*/subnets/[^/]*$

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Application Gateway with internal API Management and Web App

Deploy to Azure
Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App.
Create a multiregion Premium tier API Management instance

Deploy to Azure
This template demonstrates how to create an API Management instance with additional locations. The primary location is the same as location of the resource group. For additional locations, the template shows NorthCentralUs and East US2. The primary location should be different from additional locations.
Create an API Management instance and all sub resources using template

Deploy to Azure
This template demonstrates how to create a API Management service and configure sub-entities
Create an API Management instance having MSI Identity

Deploy to Azure
This template creates a developer instance of Azure API Management having an MSI Identity
Create an API Management instance using a template

Deploy to Azure
This template creates a developer instance of Azure API Management
Create an API Management instance with custom hostnames

Deploy to Azure
This template demonstrates how to create a instance of Azure API Management with custom hostname for portal and multiple custom hostnames for proxy
Create an API Management service with a private endpoint

Deploy to Azure
This template will create an API Management service, a virtual network and a private endpoint exposing the API Management service to the virtual network.
Create an API Management service with SSL from KeyVault

Deploy to Azure
This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours.
Create and monitor API Management instance

Deploy to Azure
This template creates an instance of Azure API Management service and Log Analytics workspace and sets up monitoring for your API Management service with Log Analytics
Create API Management in Internal VNet with App Gateway

Deploy to Azure
This template demonstrates how to Create a instance of Azure API Management on a private network protected by Azure Application Gateway.
Create API Management with custom proxy ssl using KeyVault

Deploy to Azure
This template demonstrates how to Create a instance of Azure API Management and configure custom hostname for proxy with ssl certificate from keyvault.
Create Azure Front Door in front of Azure API Management

Deploy to Azure
This sample demonstrates how to use Azure Front Door as a global load balancer in front of Azure API Management.
Deploy API Management in external VNet with public IP

Deploy to Azure
This template demonstrates how to create an instance of Azure API Management in the Premium tier within your virtual network's subnet in external mode and configure recommended NSG rules on the subnet. The instance is deployed to two availability zones. The template also configures a public IP address from your subscription.
Deploy API Management in internal VNet with public IP

Deploy to Azure
This template demonstrates how to create an instance of Azure API Management in the Premium tier within your virtual network's subnet in internal mode and configure recommended NSG rules on the subnet. The instance is deployed to two availability zones. The template also configures a public IP address from your subscription.
Deploy API Management into Availability Zones

Deploy to Azure
This template creates a premium instance of Azure API Management and deploys into an Availability Zone
Deploy API Management with an external Azure Cache for Redis

Deploy to Azure
This template demonstrates how to create an instance of Azure API Management in the Consumption tier with an external Azure Cache for Redis instance as the API Management external cache.
Front Door Standard/Premium with API Management origin

Deploy to Azure
This template creates a Front Door Premium and an API Management instance, and uses an NSG and global API Management policy to validate that traffic has come through the Front Door origin.

Terraform (AzAPI provider) resource definition

The service resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ApiManagement/service resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.ApiManagement/service@2017-03-01"
  name = "string"
  identity = {
    type = "string"
  }
  location = "string"
  sku = {
    capacity = int
    name = "string"
  }
  tags = {
    {customized property} = "string"
  }
  body = jsonencode({
    properties = {
      additionalLocations = [
        {
          location = "string"
          sku = {
            capacity = int
            name = "string"
          }
          virtualNetworkConfiguration = {
            subnetResourceId = "string"
          }
        }
      ]
      certificates = [
        {
          certificatePassword = "string"
          encodedCertificate = "string"
          storeName = "string"
        }
      ]
      customProperties = {
        {customized property} = "string"
      }
      hostnameConfigurations = [
        {
          certificatePassword = "string"
          defaultSslBinding = bool
          encodedCertificate = "string"
          hostName = "string"
          keyVaultId = "string"
          negotiateClientCertificate = bool
          type = "string"
        }
      ]
      notificationSenderEmail = "string"
      publisherEmail = "string"
      publisherName = "string"
      virtualNetworkConfiguration = {
        subnetResourceId = "string"
      }
      virtualNetworkType = "string"
    }
  })
}

Property values

AdditionalLocation

Name Description Value
location The location name of the additional region among Azure Data center regions. string (required)
sku SKU properties of the API Management service. ApiManagementServiceSkuProperties (required)
virtualNetworkConfiguration Virtual network configuration for the location. VirtualNetworkConfiguration

ApiManagementServiceBasePropertiesCustomProperties

Name Description Value

ApiManagementServiceIdentity

Name Description Value
type The identity type. Currently the only supported type is 'SystemAssigned'. 'SystemAssigned' (required)

ApiManagementServiceProperties

Name Description Value
additionalLocations Additional datacenter locations of the API Management service. AdditionalLocation[]
certificates List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. CertificateConfiguration[]
customProperties Custom properties of the API Management service. Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168 will disable the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA for all TLS(1.0, 1.1 and 1.2). Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11 can be used to disable just TLS 1.1 and setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 can be used to disable TLS 1.0 on an API Management service. ApiManagementServiceBasePropertiesCustomProperties
hostnameConfigurations Custom hostname configuration of the API Management service. HostnameConfiguration[]
notificationSenderEmail Email address from which the notification will be sent. string

Constraints:
Max length =
publisherEmail Publisher email. string

Constraints:
Max length = (required)
publisherName Publisher name. string

Constraints:
Max length = (required)
virtualNetworkConfiguration Virtual network configuration of the API Management service. VirtualNetworkConfiguration
virtualNetworkType The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. 'External'
'Internal'
'None'

ApiManagementServiceSkuProperties

Name Description Value
capacity Capacity of the SKU (number of deployed units of the SKU). The default value is 1. int
name Name of the Sku. 'Basic'
'Developer'
'Premium'
'Standard' (required)

ApimResourceTags

Name Description Value

CertificateConfiguration

Name Description Value
certificatePassword Certificate Password. string
encodedCertificate Base64 Encoded certificate. string
storeName The local certificate store location. Only Root and CertificateAuthority are valid locations. 'CertificateAuthority'
'Root' (required)

HostnameConfiguration

Name Description Value
certificatePassword Certificate Password. string
defaultSslBinding Specify true to setup the certificate associated with this Hostname as the Default SSL Certificate. If a client does not send the SNI header, then this will be the certificate that will be challenged. The property is useful if a service has multiple custom hostname enabled and it needs to decide on the default ssl certificate. The setting only applied to Proxy Hostname Type. bool
encodedCertificate Base64 Encoded certificate. string
hostName Hostname to configure on the Api Management service. string (required)
keyVaultId Url to the KeyVault Secret containing the Ssl Certificate. If absolute Url containing version is provided, auto-update of ssl certificate will not work. This requires Api Management service to be configured with MSI. The secret should be of type application/x-pkcs12 string
negotiateClientCertificate Specify true to always negotiate client certificate on the hostname. Default Value is false. bool
type Hostname type. 'Management'
'Portal'
'Proxy'
'Scm' (required)

Microsoft.ApiManagement/service

Name Description Value
identity Managed service identity of the Api Management service. ApiManagementServiceIdentity
location Resource location. string (required)
name The resource name string

Constraints:
Min length = 1
Max length = 1
Pattern = ^[a-zA-Z](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$ (required)
properties Properties of the API Management service. ApiManagementServiceProperties (required)
sku SKU properties of the API Management service. ApiManagementServiceSkuProperties (required)
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.ApiManagement/service@2017-03-01"

VirtualNetworkConfiguration

Name Description Value
subnetResourceId The full resource ID of a subnet in a virtual network to deploy the API Management service in. string

Constraints:
Pattern = ^/subscriptions/[^/]*/resourceGroups/[^/]*/providers/Microsoft.(ClassicNetwork|Network)/virtualNetworks/[^/]*/subnets/[^/]*$