Deploy Azure API Management Services

The azure-native:apimanagement:ApiManagementService resource, part of the Pulumi Azure Native provider, provisions the API Management service instance itself: its SKU, publisher identity, regional placement, and network configuration. This guide focuses on four capabilities: basic service creation with publisher details, custom hostname configuration with Key Vault, VNet integration for private connectivity, and multi-region deployment.

API Management services require Azure resource groups and may reference VNets, Key Vault secrets, managed identities, and public IP addresses. The examples are intentionally small. Combine them with your own API definitions, policies, and backend configurations.

Create a basic API Management service

Most deployments start with a single-region service that defines the publisher identity and SKU tier.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Developer tier with a single unit; the guide describes this tier as
// intended for non-production use.
const sku = {
    name: azure_native.apimanagement.SkuType.Developer,
    capacity: 1,
};

// Resource tags attached to the service instance.
const tags = {
    Name: "Contoso",
    Test: "User",
};

// Single-region API Management service. No virtual network or custom
// hostname settings are supplied in this example.
const apiManagementService = new azure_native.apimanagement.ApiManagementService("apiManagementService", {
    serviceName: "apimService1",
    resourceGroupName: "rg1",
    location: "South Central US",
    publisherName: "foo",
    publisherEmail: "foo@contoso.com",
    sku,
    tags,
});
import pulumi
import pulumi_azure_native as azure_native

# Developer tier with a single unit; the guide describes this tier as
# intended for non-production use.
sku = {
    "name": azure_native.apimanagement.SkuType.DEVELOPER,
    "capacity": 1,
}

# Resource tags attached to the service instance.
tags = {
    "Name": "Contoso",
    "Test": "User",
}

# Single-region API Management service. No virtual network or custom
# hostname settings are supplied in this example.
api_management_service = azure_native.apimanagement.ApiManagementService(
    "apiManagementService",
    service_name="apimService1",
    resource_group_name="rg1",
    location="South Central US",
    publisher_name="foo",
    publisher_email="foo@contoso.com",
    sku=sku,
    tags=tags,
)
package main

import (
	apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers a single-region API Management service with the Pulumi
// engine. No virtual network or custom hostname settings are supplied.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Developer tier with a single unit.
		sku := &apimanagement.ApiManagementServiceSkuPropertiesArgs{
			Name:     pulumi.String(apimanagement.SkuTypeDeveloper),
			Capacity: pulumi.Int(1),
		}

		args := &apimanagement.ApiManagementServiceArgs{
			ServiceName:       pulumi.String("apimService1"),
			ResourceGroupName: pulumi.String("rg1"),
			Location:          pulumi.String("South Central US"),
			PublisherName:     pulumi.String("foo"),
			PublisherEmail:    pulumi.String("foo@contoso.com"),
			Sku:               sku,
			Tags: pulumi.StringMap{
				"Name": pulumi.String("Contoso"),
				"Test": pulumi.String("User"),
			},
		}

		// The resource handle is not needed afterwards; only the error is propagated.
		_, err := apimanagement.NewApiManagementService(ctx, "apiManagementService", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    // Developer tier with a single unit; the guide describes this tier as
    // intended for non-production use.
    var sku = new AzureNative.ApiManagement.Inputs.ApiManagementServiceSkuPropertiesArgs
    {
        Name = AzureNative.ApiManagement.SkuType.Developer,
        Capacity = 1,
    };

    // Single-region API Management service. No virtual network or custom
    // hostname settings are supplied in this example.
    var apiManagementService = new AzureNative.ApiManagement.ApiManagementService("apiManagementService", new()
    {
        ServiceName = "apimService1",
        ResourceGroupName = "rg1",
        Location = "South Central US",
        PublisherName = "foo",
        PublisherEmail = "foo@contoso.com",
        Sku = sku,
        Tags =
        {
            { "Name", "Contoso" },
            { "Test", "User" },
        },
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.ApiManagementService;
import com.pulumi.azurenative.apimanagement.ApiManagementServiceArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceSkuPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that declares a single-region API Management service.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the service with publisher identity, SKU and tags. No virtual
     * network or custom hostname settings are supplied in this example.
     *
     * @param ctx Pulumi context supplied by the runtime
     */
    public static void stack(Context ctx) {
        // Developer tier with a single unit.
        final var sku = ApiManagementServiceSkuPropertiesArgs.builder()
            .name("Developer")
            .capacity(1)
            .build();

        final var serviceArgs = ApiManagementServiceArgs.builder()
            .serviceName("apimService1")
            .resourceGroupName("rg1")
            .location("South Central US")
            .publisherName("foo")
            .publisherEmail("foo@contoso.com")
            .sku(sku)
            .tags(Map.ofEntries(
                Map.entry("Name", "Contoso"),
                Map.entry("Test", "User")
            ))
            .build();

        var apiManagementService = new ApiManagementService("apiManagementService", serviceArgs);
    }
}
# Pulumi YAML program declaring one single-region API Management service.
# No virtual network or custom hostname settings are supplied here.
resources:
  apiManagementService:
    type: azure-native:apimanagement:ApiManagementService
    properties:
      location: South Central US
      # Publisher identity of the organization managing the service.
      publisherEmail: foo@contoso.com
      publisherName: foo
      resourceGroupName: rg1
      serviceName: apimService1
      # Developer tier, one unit; described in this guide as for non-production use.
      sku:
        capacity: 1
        name: Developer
      tags:
        Name: Contoso
        Test: User

The publisherEmail and publisherName properties identify the organization managing the service. The sku property controls capacity and feature availability; Developer SKU provides full features for non-production use. The location property determines the Azure region where the service runs.

Configure custom hostnames with Key Vault certificates

Production deployments often require custom domains for the gateway, management API, and developer portal, with certificates managed centrally in Key Vault.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Client ID of the managed identity used to read the certificate.
// Presumably this belongs to the user-assigned identity attached below; confirm.
const identityClientId = "329419bc-adec-4dce-9568-25a6d486e468";

// Key Vault secret that holds the TLS certificate shared by all three endpoints.
// The URL carries no version segment.
const keyVaultId = "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert";

// Resource ID of the user-assigned identity attached to the service. This
// program does not grant that identity any permission on the Key Vault.
const userAssignedIdentityId = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1";

// Custom hostnames for the gateway, management and portal endpoints, each
// bound to the same Key Vault certificate.
const hostnameConfigurations = [
    {
        type: azure_native.apimanagement.HostnameType.Proxy,
        hostName: "gateway1.msitesting.net",
        defaultSslBinding: true,
        identityClientId,
        keyVaultId,
    },
    {
        type: azure_native.apimanagement.HostnameType.Management,
        hostName: "mgmt.msitesting.net",
        identityClientId,
        keyVaultId,
    },
    {
        type: azure_native.apimanagement.HostnameType.Portal,
        hostName: "portal1.msitesting.net",
        identityClientId,
        keyVaultId,
    },
];

const apiManagementService = new azure_native.apimanagement.ApiManagementService("apiManagementService", {
    serviceName: "apimService1",
    resourceGroupName: "rg1",
    location: "North Europe",
    publisherName: "autorestsdk",
    publisherEmail: "apim@autorestsdk.com",
    sku: {
        name: azure_native.apimanagement.SkuType.Premium,
        capacity: 1,
    },
    // Lower bound on the API version accepted for management calls to the service.
    apiVersionConstraint: {
        minApiVersion: "2019-01-01",
    },
    hostnameConfigurations,
    identity: {
        type: azure_native.apimanagement.ApimIdentityType.UserAssigned,
        userAssignedIdentities: {
            [userAssignedIdentityId]: {},
        },
    },
    // The service is not joined to a virtual network in this example.
    virtualNetworkType: azure_native.apimanagement.VirtualNetworkType.None,
    tags: {
        tag1: "value1",
        tag2: "value2",
        tag3: "value3",
    },
});
import pulumi
import pulumi_azure_native as azure_native

# Client ID of the managed identity used to read the certificate.
# Presumably this belongs to the user-assigned identity attached below; confirm.
identity_client_id = "329419bc-adec-4dce-9568-25a6d486e468"

# Key Vault secret that holds the TLS certificate shared by all three endpoints.
# The URL carries no version segment.
key_vault_id = "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert"

# Resource ID of the user-assigned identity attached to the service. This
# program does not grant that identity any permission on the Key Vault.
user_assigned_identity_id = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1"

# Custom hostnames for the gateway, management and portal endpoints, each
# bound to the same Key Vault certificate.
hostname_configurations = [
    {
        "type": azure_native.apimanagement.HostnameType.PROXY,
        "host_name": "gateway1.msitesting.net",
        "default_ssl_binding": True,
        "identity_client_id": identity_client_id,
        "key_vault_id": key_vault_id,
    },
    {
        "type": azure_native.apimanagement.HostnameType.MANAGEMENT,
        "host_name": "mgmt.msitesting.net",
        "identity_client_id": identity_client_id,
        "key_vault_id": key_vault_id,
    },
    {
        "type": azure_native.apimanagement.HostnameType.PORTAL,
        "host_name": "portal1.msitesting.net",
        "identity_client_id": identity_client_id,
        "key_vault_id": key_vault_id,
    },
]

api_management_service = azure_native.apimanagement.ApiManagementService(
    "apiManagementService",
    service_name="apimService1",
    resource_group_name="rg1",
    location="North Europe",
    publisher_name="autorestsdk",
    publisher_email="apim@autorestsdk.com",
    sku={
        "name": azure_native.apimanagement.SkuType.PREMIUM,
        "capacity": 1,
    },
    # Lower bound on the API version accepted for management calls to the service.
    api_version_constraint={
        "min_api_version": "2019-01-01",
    },
    hostname_configurations=hostname_configurations,
    identity={
        "type": azure_native.apimanagement.ApimIdentityType.USER_ASSIGNED,
        "user_assigned_identities": {
            user_assigned_identity_id: {},
        },
    },
    # The service is not joined to a virtual network in this example.
    virtual_network_type=azure_native.apimanagement.VirtualNetworkType.NONE,
    tags={
        "tag1": "value1",
        "tag2": "value2",
        "tag3": "value3",
    },
)
package main

import (
	apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers an API Management service whose gateway, management and
// portal hostnames use a certificate stored as a Key Vault secret.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		const (
			// Client ID of the managed identity used to read the certificate.
			// Presumably this belongs to the identity attached below; confirm.
			identityClientID = "329419bc-adec-4dce-9568-25a6d486e468"
			// Key Vault secret holding the shared TLS certificate (no version segment).
			certSecretID = "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert"
			// User-assigned identity attached to the service. This program does
			// not grant it any permission on the Key Vault.
			userAssignedIdentityID = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1"
		)

		hostnames := apimanagement.HostnameConfigurationArray{
			&apimanagement.HostnameConfigurationArgs{
				Type:              pulumi.String(apimanagement.HostnameTypeProxy),
				HostName:          pulumi.String("gateway1.msitesting.net"),
				DefaultSslBinding: pulumi.Bool(true),
				IdentityClientId:  pulumi.String(identityClientID),
				KeyVaultId:        pulumi.String(certSecretID),
			},
			&apimanagement.HostnameConfigurationArgs{
				Type:             pulumi.String(apimanagement.HostnameTypeManagement),
				HostName:         pulumi.String("mgmt.msitesting.net"),
				IdentityClientId: pulumi.String(identityClientID),
				KeyVaultId:       pulumi.String(certSecretID),
			},
			&apimanagement.HostnameConfigurationArgs{
				Type:             pulumi.String(apimanagement.HostnameTypePortal),
				HostName:         pulumi.String("portal1.msitesting.net"),
				IdentityClientId: pulumi.String(identityClientID),
				KeyVaultId:       pulumi.String(certSecretID),
			},
		}

		args := &apimanagement.ApiManagementServiceArgs{
			ServiceName:       pulumi.String("apimService1"),
			ResourceGroupName: pulumi.String("rg1"),
			Location:          pulumi.String("North Europe"),
			PublisherName:     pulumi.String("autorestsdk"),
			PublisherEmail:    pulumi.String("apim@autorestsdk.com"),
			Sku: &apimanagement.ApiManagementServiceSkuPropertiesArgs{
				Name:     pulumi.String(apimanagement.SkuTypePremium),
				Capacity: pulumi.Int(1),
			},
			// Lower bound on the API version accepted for management calls.
			ApiVersionConstraint: &apimanagement.ApiVersionConstraintArgs{
				MinApiVersion: pulumi.String("2019-01-01"),
			},
			HostnameConfigurations: hostnames,
			Identity: &apimanagement.ApiManagementServiceIdentityArgs{
				Type: pulumi.String(apimanagement.ApimIdentityTypeUserAssigned),
				UserAssignedIdentities: apimanagement.UserIdentityPropertiesMap{
					userAssignedIdentityID: &apimanagement.UserIdentityPropertiesArgs{},
				},
			},
			// The service is not joined to a virtual network in this example.
			VirtualNetworkType: pulumi.String(apimanagement.VirtualNetworkTypeNone),
			Tags: pulumi.StringMap{
				"tag1": pulumi.String("value1"),
				"tag2": pulumi.String("value2"),
				"tag3": pulumi.String("value3"),
			},
		}

		_, err := apimanagement.NewApiManagementService(ctx, "apiManagementService", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    // Client ID of the managed identity used to read the certificate.
    // Presumably this belongs to the identity attached below; confirm.
    const string identityClientId = "329419bc-adec-4dce-9568-25a6d486e468";

    // Key Vault secret holding the shared TLS certificate (no version segment).
    const string keyVaultId = "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert";

    // User-assigned identity attached to the service. This program does not
    // grant it any permission on the Key Vault.
    const string userAssignedIdentityId = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1";

    var apiManagementService = new AzureNative.ApiManagement.ApiManagementService("apiManagementService", new()
    {
        ServiceName = "apimService1",
        ResourceGroupName = "rg1",
        Location = "North Europe",
        PublisherName = "autorestsdk",
        PublisherEmail = "apim@autorestsdk.com",
        Sku = new AzureNative.ApiManagement.Inputs.ApiManagementServiceSkuPropertiesArgs
        {
            Name = AzureNative.ApiManagement.SkuType.Premium,
            Capacity = 1,
        },
        // Lower bound on the API version accepted for management calls.
        ApiVersionConstraint = new AzureNative.ApiManagement.Inputs.ApiVersionConstraintArgs
        {
            MinApiVersion = "2019-01-01",
        },
        // Gateway, management and portal hostnames share one Key Vault certificate.
        HostnameConfigurations = new[]
        {
            new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
            {
                Type = AzureNative.ApiManagement.HostnameType.Proxy,
                HostName = "gateway1.msitesting.net",
                DefaultSslBinding = true,
                IdentityClientId = identityClientId,
                KeyVaultId = keyVaultId,
            },
            new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
            {
                Type = AzureNative.ApiManagement.HostnameType.Management,
                HostName = "mgmt.msitesting.net",
                IdentityClientId = identityClientId,
                KeyVaultId = keyVaultId,
            },
            new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
            {
                Type = AzureNative.ApiManagement.HostnameType.Portal,
                HostName = "portal1.msitesting.net",
                IdentityClientId = identityClientId,
                KeyVaultId = keyVaultId,
            },
        },
        Identity = new AzureNative.ApiManagement.Inputs.ApiManagementServiceIdentityArgs
        {
            Type = AzureNative.ApiManagement.ApimIdentityType.UserAssigned,
            UserAssignedIdentities =
            {
                { userAssignedIdentityId, null },
            },
        },
        // The service is not joined to a virtual network in this example.
        VirtualNetworkType = AzureNative.ApiManagement.VirtualNetworkType.None,
        Tags =
        {
            { "tag1", "value1" },
            { "tag2", "value2" },
            { "tag3", "value3" },
        },
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.ApiManagementService;
import com.pulumi.azurenative.apimanagement.ApiManagementServiceArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiVersionConstraintArgs;
import com.pulumi.azurenative.apimanagement.inputs.HostnameConfigurationArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceIdentityArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceSkuPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that declares an API Management service whose gateway,
 * management and portal hostnames use a certificate stored as a Key Vault secret.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the service, its three custom hostnames and the user-assigned
     * identity. This program does not grant that identity any permission on
     * the Key Vault.
     *
     * @param ctx Pulumi context supplied by the runtime
     */
    public static void stack(Context ctx) {
        // Client ID of the managed identity used to read the certificate.
        // Presumably this belongs to the identity attached below; confirm.
        final String identityClientId = "329419bc-adec-4dce-9568-25a6d486e468";
        // Key Vault secret holding the shared TLS certificate (no version segment).
        final String keyVaultId = "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert";
        final String userAssignedIdentityId = "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1";

        final var gatewayHostname = HostnameConfigurationArgs.builder()
            .type("Proxy")
            .hostName("gateway1.msitesting.net")
            .defaultSslBinding(true)
            .identityClientId(identityClientId)
            .keyVaultId(keyVaultId)
            .build();

        final var managementHostname = HostnameConfigurationArgs.builder()
            .type("Management")
            .hostName("mgmt.msitesting.net")
            .identityClientId(identityClientId)
            .keyVaultId(keyVaultId)
            .build();

        final var portalHostname = HostnameConfigurationArgs.builder()
            .type("Portal")
            .hostName("portal1.msitesting.net")
            .identityClientId(identityClientId)
            .keyVaultId(keyVaultId)
            .build();

        // NOTE(review): UserIdentityPropertiesArgs is not among the imports
        // shown for this listing; it needs an import before this compiles.
        final var identity = ApiManagementServiceIdentityArgs.builder()
            .type("UserAssigned")
            .userAssignedIdentities(Map.of(userAssignedIdentityId, UserIdentityPropertiesArgs.builder()
                .build()))
            .build();

        var apiManagementService = new ApiManagementService("apiManagementService", ApiManagementServiceArgs.builder()
            .serviceName("apimService1")
            .resourceGroupName("rg1")
            .location("North Europe")
            .publisherName("autorestsdk")
            .publisherEmail("apim@autorestsdk.com")
            .sku(ApiManagementServiceSkuPropertiesArgs.builder()
                .name("Premium")
                .capacity(1)
                .build())
            // Lower bound on the API version accepted for management calls.
            .apiVersionConstraint(ApiVersionConstraintArgs.builder()
                .minApiVersion("2019-01-01")
                .build())
            .hostnameConfigurations(gatewayHostname, managementHostname, portalHostname)
            .identity(identity)
            // The service is not joined to a virtual network in this example.
            .virtualNetworkType("None")
            .tags(Map.ofEntries(
                Map.entry("tag1", "value1"),
                Map.entry("tag2", "value2"),
                Map.entry("tag3", "value3")
            ))
            .build());
    }
}
# Pulumi YAML program: API Management service whose gateway, management and
# portal hostnames use a certificate stored as a Key Vault secret.
resources:
  apiManagementService:
    type: azure-native:apimanagement:ApiManagementService
    properties:
      # Lower bound on the API version accepted for management calls.
      apiVersionConstraint:
        # NOTE(review): unquoted date-like scalar; quote it if the YAML parser
        # in use would not keep it as a string - confirm.
        minApiVersion: 2019-01-01
      # All three hostnames reference the same Key Vault secret (no version
      # segment in the URL) and the same identity client ID.
      hostnameConfigurations:
        - defaultSslBinding: true
          hostName: gateway1.msitesting.net
          identityClientId: 329419bc-adec-4dce-9568-25a6d486e468
          keyVaultId: https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert
          type: Proxy
        - hostName: mgmt.msitesting.net
          identityClientId: 329419bc-adec-4dce-9568-25a6d486e468
          keyVaultId: https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert
          type: Management
        - hostName: portal1.msitesting.net
          identityClientId: 329419bc-adec-4dce-9568-25a6d486e468
          keyVaultId: https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert
          type: Portal
      # User-assigned identity attached to the service. This program does not
      # grant it any permission on the Key Vault.
      identity:
        type: UserAssigned
        userAssignedIdentities:
          /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1: {}
      location: North Europe
      publisherEmail: apim@autorestsdk.com
      publisherName: autorestsdk
      resourceGroupName: rg1
      serviceName: apimService1
      sku:
        capacity: 1
        name: Premium
      tags:
        tag1: value1
        tag2: value2
        tag3: value3
      # The service is not joined to a virtual network in this example.
      virtualNetworkType: None

The hostnameConfigurations array defines custom domains for each endpoint type (Proxy, Management, Portal). Each configuration references a Key Vault secret via keyVaultId and uses identityClientId to specify which managed identity retrieves the certificate. The identity property attaches a user-assigned managed identity to the service; that identity must separately be granted permission to read the secret in Key Vault (through an access policy or role assignment), which this example does not create.

Deploy into a virtual network with external access

Organizations with network isolation requirements deploy API Management into VNets while maintaining internet-facing endpoints.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Subnet the service is placed in. Network security rules for this subnet
// are not defined in this program.
const subnetResourceId = "/subscriptions/subid/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/apimcus/subnets/tenant";

// Public IP address associated with the internet-facing endpoints.
const publicIpAddressId = "/subscriptions/subid/resourceGroups/rgName/providers/Microsoft.Network/publicIPAddresses/apimazvnet";

const apiManagementService = new azure_native.apimanagement.ApiManagementService("apiManagementService", {
    serviceName: "apimService1",
    resourceGroupName: "rg1",
    location: "East US 2 EUAP",
    publisherName: "autorestsdk",
    publisherEmail: "apim@autorestsdk.com",
    sku: {
        name: azure_native.apimanagement.SkuType.Premium,
        capacity: 2,
    },
    // External mode: the gateway stays reachable from the internet while the
    // service sits inside the subnet.
    virtualNetworkType: azure_native.apimanagement.VirtualNetworkType.External,
    virtualNetworkConfiguration: {
        subnetResourceId,
    },
    publicIpAddressId,
    // Availability zones the instances are spread across.
    zones: ["1", "2"],
    tags: {
        tag1: "value1",
        tag2: "value2",
        tag3: "value3",
    },
});
import pulumi
import pulumi_azure_native as azure_native

# Subnet the service is placed in. Network security rules for this subnet
# are not defined in this program.
subnet_resource_id = "/subscriptions/subid/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/apimcus/subnets/tenant"

# Public IP address associated with the internet-facing endpoints.
public_ip_address_id = "/subscriptions/subid/resourceGroups/rgName/providers/Microsoft.Network/publicIPAddresses/apimazvnet"

api_management_service = azure_native.apimanagement.ApiManagementService(
    "apiManagementService",
    service_name="apimService1",
    resource_group_name="rg1",
    location="East US 2 EUAP",
    publisher_name="autorestsdk",
    publisher_email="apim@autorestsdk.com",
    sku={
        "name": azure_native.apimanagement.SkuType.PREMIUM,
        "capacity": 2,
    },
    # External mode: the gateway stays reachable from the internet while the
    # service sits inside the subnet.
    virtual_network_type=azure_native.apimanagement.VirtualNetworkType.EXTERNAL,
    virtual_network_configuration={
        "subnet_resource_id": subnet_resource_id,
    },
    public_ip_address_id=public_ip_address_id,
    # Availability zones the instances are spread across.
    zones=["1", "2"],
    tags={
        "tag1": "value1",
        "tag2": "value2",
        "tag3": "value3",
    },
)
package main

import (
	apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers an API Management service placed in a subnet with
// External virtual network mode, a public IP and two availability zones.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		const (
			// Subnet the service is placed in. Network security rules for
			// this subnet are not defined in this program.
			subnetResourceID = "/subscriptions/subid/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/apimcus/subnets/tenant"
			// Public IP address associated with the internet-facing endpoints.
			publicIPAddressID = "/subscriptions/subid/resourceGroups/rgName/providers/Microsoft.Network/publicIPAddresses/apimazvnet"
		)

		args := &apimanagement.ApiManagementServiceArgs{
			ServiceName:       pulumi.String("apimService1"),
			ResourceGroupName: pulumi.String("rg1"),
			Location:          pulumi.String("East US 2 EUAP"),
			PublisherName:     pulumi.String("autorestsdk"),
			PublisherEmail:    pulumi.String("apim@autorestsdk.com"),
			Sku: &apimanagement.ApiManagementServiceSkuPropertiesArgs{
				Name:     pulumi.String(apimanagement.SkuTypePremium),
				Capacity: pulumi.Int(2),
			},
			// External mode: the gateway stays reachable from the internet
			// while the service sits inside the subnet.
			VirtualNetworkType: pulumi.String(apimanagement.VirtualNetworkTypeExternal),
			VirtualNetworkConfiguration: &apimanagement.VirtualNetworkConfigurationArgs{
				SubnetResourceId: pulumi.String(subnetResourceID),
			},
			PublicIpAddressId: pulumi.String(publicIPAddressID),
			// Availability zones the instances are spread across.
			Zones: pulumi.StringArray{
				pulumi.String("1"),
				pulumi.String("2"),
			},
			Tags: pulumi.StringMap{
				"tag1": pulumi.String("value1"),
				"tag2": pulumi.String("value2"),
				"tag3": pulumi.String("value3"),
			},
		}

		_, err := apimanagement.NewApiManagementService(ctx, "apiManagementService", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    // Subnet the service is placed in. Network security rules for this
    // subnet are not defined in this program.
    const string subnetResourceId = "/subscriptions/subid/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/apimcus/subnets/tenant";

    // Public IP address associated with the internet-facing endpoints.
    const string publicIpAddressId = "/subscriptions/subid/resourceGroups/rgName/providers/Microsoft.Network/publicIPAddresses/apimazvnet";

    var apiManagementService = new AzureNative.ApiManagement.ApiManagementService("apiManagementService", new()
    {
        ServiceName = "apimService1",
        ResourceGroupName = "rg1",
        Location = "East US 2 EUAP",
        PublisherName = "autorestsdk",
        PublisherEmail = "apim@autorestsdk.com",
        Sku = new AzureNative.ApiManagement.Inputs.ApiManagementServiceSkuPropertiesArgs
        {
            Name = AzureNative.ApiManagement.SkuType.Premium,
            Capacity = 2,
        },
        // External mode: the gateway stays reachable from the internet while
        // the service sits inside the subnet.
        VirtualNetworkType = AzureNative.ApiManagement.VirtualNetworkType.External,
        VirtualNetworkConfiguration = new AzureNative.ApiManagement.Inputs.VirtualNetworkConfigurationArgs
        {
            SubnetResourceId = subnetResourceId,
        },
        PublicIpAddressId = publicIpAddressId,
        // Availability zones the instances are spread across.
        Zones = new[]
        {
            "1",
            "2",
        },
        Tags =
        {
            { "tag1", "value1" },
            { "tag2", "value2" },
            { "tag3", "value3" },
        },
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.ApiManagementService;
import com.pulumi.azurenative.apimanagement.ApiManagementServiceArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceSkuPropertiesArgs;
import com.pulumi.azurenative.apimanagement.inputs.VirtualNetworkConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that declares an API Management service placed in a subnet
 * with External virtual network mode, a public IP and two availability zones.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the service and its network placement. Network security rules
     * for the subnet are not defined in this program.
     *
     * @param ctx Pulumi context supplied by the runtime
     */
    public static void stack(Context ctx) {
        final String subnetResourceId = "/subscriptions/subid/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/apimcus/subnets/tenant";
        // Public IP address associated with the internet-facing endpoints.
        final String publicIpAddressId = "/subscriptions/subid/resourceGroups/rgName/providers/Microsoft.Network/publicIPAddresses/apimazvnet";

        final var network = VirtualNetworkConfigurationArgs.builder()
            .subnetResourceId(subnetResourceId)
            .build();

        final var sku = ApiManagementServiceSkuPropertiesArgs.builder()
            .name("Premium")
            .capacity(2)
            .build();

        var apiManagementService = new ApiManagementService("apiManagementService", ApiManagementServiceArgs.builder()
            .serviceName("apimService1")
            .resourceGroupName("rg1")
            .location("East US 2 EUAP")
            .publisherName("autorestsdk")
            .publisherEmail("apim@autorestsdk.com")
            .sku(sku)
            // External mode: the gateway stays reachable from the internet
            // while the service sits inside the subnet.
            .virtualNetworkType("External")
            .virtualNetworkConfiguration(network)
            .publicIpAddressId(publicIpAddressId)
            // Availability zones the instances are spread across.
            .zones("1", "2")
            .tags(Map.ofEntries(
                Map.entry("tag1", "value1"),
                Map.entry("tag2", "value2"),
                Map.entry("tag3", "value3")
            ))
            .build());
    }
}
# Pulumi YAML program: API Management service placed in a subnet with
# External virtual network mode, a public IP and two availability zones.
resources:
  apiManagementService:
    type: azure-native:apimanagement:ApiManagementService
    properties:
      location: East US 2 EUAP
      # Public IP address associated with the internet-facing endpoints.
      publicIpAddressId: /subscriptions/subid/resourceGroups/rgName/providers/Microsoft.Network/publicIPAddresses/apimazvnet
      publisherEmail: apim@autorestsdk.com
      publisherName: autorestsdk
      resourceGroupName: rg1
      serviceName: apimService1
      sku:
        capacity: 2
        name: Premium
      tags:
        tag1: value1
        tag2: value2
        tag3: value3
      # Subnet the service is placed in. Network security rules for this
      # subnet are not defined in this program.
      virtualNetworkConfiguration:
        subnetResourceId: /subscriptions/subid/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/apimcus/subnets/tenant
      # External mode: the gateway stays reachable from the internet while the
      # service sits inside the subnet.
      virtualNetworkType: External
      # Availability zones the instances are spread across.
      zones:
        - '1'
        - '2'

The virtualNetworkConfiguration property places the service in a specified subnet via subnetResourceId. Setting virtualNetworkType to External exposes the gateway publicly while allowing private backend connectivity. The publicIpAddressId associates a static public IP, and zones distributes instances across availability zones for resilience.

Deploy across multiple regions with custom domains

Global applications distribute API Management across regions to reduce latency and improve availability.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

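// Certificate material is read from stack configuration as secrets, so the
// password and certificate are not committed with the program and are stored
// encrypted in Pulumi state. The config key names below are this example's
// own; set them before deploying:
//   pulumi config set --secret certificatePassword <password>
//   pulumi config set --secret encodedCertificate <base64-encoded certificate>
// Referencing a Key Vault secret through keyVaultId, as in the Key Vault
// example of this guide, avoids handling the certificate here at all.
const config = new pulumi.Config();
const certificatePassword = config.requireSecret("certificatePassword");
const encodedCertificate = config.requireSecret("encodedCertificate");

// Custom hostnames for the gateway, management and portal endpoints, all
// using the same uploaded certificate.
const hostnameConfigurations = [
    {
        type: azure_native.apimanagement.HostnameType.Proxy,
        hostName: "gateway1.msitesting.net",
        defaultSslBinding: true,
        certificatePassword,
        encodedCertificate,
    },
    {
        type: azure_native.apimanagement.HostnameType.Management,
        hostName: "mgmt.msitesting.net",
        certificatePassword,
        encodedCertificate,
    },
    {
        type: azure_native.apimanagement.HostnameType.Portal,
        hostName: "portal1.msitesting.net",
        certificatePassword,
        encodedCertificate,
    },
];

// Primary region West US plus one additional region, East US.
const apiManagementService = new azure_native.apimanagement.ApiManagementService("apiManagementService", {
    serviceName: "apimService1",
    resourceGroupName: "rg1",
    location: "West US",
    publisherName: "autorestsdk",
    publisherEmail: "apim@autorestsdk.com",
    sku: {
        capacity: 1,
        name: azure_native.apimanagement.SkuType.Premium,
    },
    additionalLocations: [{
        location: "East US",
        // The gateway in this additional region is disabled.
        disableGateway: true,
        sku: {
            capacity: 1,
            name: azure_native.apimanagement.SkuType.Premium,
        },
    }],
    // Lower bound on the API version accepted for management calls to the service.
    apiVersionConstraint: {
        minApiVersion: "2019-01-01",
    },
    hostnameConfigurations,
    // The service is not joined to a virtual network in this example.
    virtualNetworkType: azure_native.apimanagement.VirtualNetworkType.None,
    tags: {
        tag1: "value1",
        tag2: "value2",
        tag3: "value3",
    },
});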
import pulumi
import pulumi_azure_native as azure_native

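# Certificate material is read from stack configuration as secrets, so the
# password and certificate are not committed with the program and are stored
# encrypted in Pulumi state. The config key names below are this example's
# own; set them before deploying:
#   pulumi config set --secret certificatePassword <password>
#   pulumi config set --secret encodedCertificate <base64-encoded certificate>
# Referencing a Key Vault secret through key_vault_id, as in the Key Vault
# example of this guide, avoids handling the certificate here at all.
config = pulumi.Config()
certificate_password = config.require_secret("certificatePassword")
encoded_certificate = config.require_secret("encodedCertificate")

# Custom hostnames for the gateway, management and portal endpoints, all
# using the same uploaded certificate.
hostname_configurations = [
    {
        "type": azure_native.apimanagement.HostnameType.PROXY,
        "host_name": "gateway1.msitesting.net",
        "default_ssl_binding": True,
        "certificate_password": certificate_password,
        "encoded_certificate": encoded_certificate,
    },
    {
        "type": azure_native.apimanagement.HostnameType.MANAGEMENT,
        "host_name": "mgmt.msitesting.net",
        "certificate_password": certificate_password,
        "encoded_certificate": encoded_certificate,
    },
    {
        "type": azure_native.apimanagement.HostnameType.PORTAL,
        "host_name": "portal1.msitesting.net",
        "certificate_password": certificate_password,
        "encoded_certificate": encoded_certificate,
    },
]

# Primary region West US plus one additional region, East US.
api_management_service = azure_native.apimanagement.ApiManagementService(
    "apiManagementService",
    service_name="apimService1",
    resource_group_name="rg1",
    location="West US",
    publisher_name="autorestsdk",
    publisher_email="apim@autorestsdk.com",
    sku={
        "capacity": 1,
        "name": azure_native.apimanagement.SkuType.PREMIUM,
    },
    additional_locations=[{
        "location": "East US",
        # The gateway in this additional region is disabled.
        "disable_gateway": True,
        "sku": {
            "capacity": 1,
            "name": azure_native.apimanagement.SkuType.PREMIUM,
        },
    }],
    # Lower bound on the API version accepted for management calls to the service.
    api_version_constraint={
        "min_api_version": "2019-01-01",
    },
    hostname_configurations=hostname_configurations,
    # The service is not joined to a virtual network in this example.
    virtual_network_type=azure_native.apimanagement.VirtualNetworkType.NONE,
    tags={
        "tag1": "value1",
        "tag2": "value2",
        "tag3": "value3",
    },
)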
package main

import (
	apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

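// main provisions a Premium API Management service in West US with a secondary
// East US location and custom hostnames for the gateway, management and portal
// endpoints.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Certificate material is read from encrypted stack configuration rather
		// than written as string literals, so the PFX and its password stay out
		// of source control and are handled as Pulumi secrets. Set both with
		// `pulumi config set --secret <key>` before deploying. One certificate
		// is shared by all three hostnames here; add separate config keys if
		// each hostname has its own certificate.
		cfg := config.New(ctx, "")
		certificatePassword := cfg.RequireSecret("certificatePassword")
		encodedCertificate := cfg.RequireSecret("encodedCertificate")

		_, err := apimanagement.NewApiManagementService(ctx, "apiManagementService", &apimanagement.ApiManagementServiceArgs{
			// Secondary region. With DisableGateway set, the location keeps its
			// configuration in sync but does not serve gateway traffic.
			AdditionalLocations: apimanagement.AdditionalLocationArray{
				&apimanagement.AdditionalLocationArgs{
					DisableGateway: pulumi.Bool(true),
					Location:       pulumi.String("East US"),
					Sku: &apimanagement.ApiManagementServiceSkuPropertiesArgs{
						Capacity: pulumi.Int(1),
						Name:     pulumi.String(apimanagement.SkuTypePremium),
					},
				},
			},
			// Minimum API version accepted for operations against the service.
			ApiVersionConstraint: &apimanagement.ApiVersionConstraintArgs{
				MinApiVersion: pulumi.String("2019-01-01"),
			},
			HostnameConfigurations: apimanagement.HostnameConfigurationArray{
				&apimanagement.HostnameConfigurationArgs{
					CertificatePassword: certificatePassword,
					DefaultSslBinding:   pulumi.Bool(true),
					EncodedCertificate:  encodedCertificate,
					HostName:            pulumi.String("gateway1.msitesting.net"),
					Type:                pulumi.String(apimanagement.HostnameTypeProxy),
				},
				&apimanagement.HostnameConfigurationArgs{
					CertificatePassword: certificatePassword,
					EncodedCertificate:  encodedCertificate,
					HostName:            pulumi.String("mgmt.msitesting.net"),
					Type:                pulumi.String(apimanagement.HostnameTypeManagement),
				},
				&apimanagement.HostnameConfigurationArgs{
					CertificatePassword: certificatePassword,
					EncodedCertificate:  encodedCertificate,
					HostName:            pulumi.String("portal1.msitesting.net"),
					Type:                pulumi.String(apimanagement.HostnameTypePortal),
				},
			},
			Location:          pulumi.String("West US"),
			PublisherEmail:    pulumi.String("apim@autorestsdk.com"),
			PublisherName:     pulumi.String("autorestsdk"),
			ResourceGroupName: pulumi.String("rg1"),
			ServiceName:       pulumi.String("apimService1"),
			// AdditionalLocations requires the Premium SKU.
			Sku: &apimanagement.ApiManagementServiceSkuPropertiesArgs{
				Capacity: pulumi.Int(1),
				Name:     pulumi.String(apimanagement.SkuTypePremium),
			},
			Tags: pulumi.StringMap{
				"tag1": pulumi.String("value1"),
				"tag2": pulumi.String("value2"),
				"tag3": pulumi.String("value3"),
			},
			VirtualNetworkType: pulumi.String(apimanagement.VirtualNetworkTypeNone),
		})
		return err
	})
}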
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

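return await Deployment.RunAsync(() =>
{
    // Certificate material is read from encrypted stack configuration rather
    // than written as string literals, so the PFX and its password stay out of
    // source control and are handled as Pulumi secrets. Set both with
    // `pulumi config set --secret <key>` before deploying. One certificate is
    // shared by all three hostnames here; add separate config keys if each
    // hostname has its own certificate.
    var config = new Config();
    var certificatePassword = config.RequireSecret("certificatePassword");
    var encodedCertificate = config.RequireSecret("encodedCertificate");

    var apiManagementService = new AzureNative.ApiManagement.ApiManagementService("apiManagementService", new()
    {
        // Secondary region. With DisableGateway set, the location keeps its
        // configuration in sync but does not serve gateway traffic.
        AdditionalLocations = new[]
        {
            new AzureNative.ApiManagement.Inputs.AdditionalLocationArgs
            {
                DisableGateway = true,
                Location = "East US",
                Sku = new AzureNative.ApiManagement.Inputs.ApiManagementServiceSkuPropertiesArgs
                {
                    Capacity = 1,
                    Name = AzureNative.ApiManagement.SkuType.Premium,
                },
            },
        },
        // Minimum API version accepted for operations against the service.
        ApiVersionConstraint = new AzureNative.ApiManagement.Inputs.ApiVersionConstraintArgs
        {
            MinApiVersion = "2019-01-01",
        },
        HostnameConfigurations = new[]
        {
            new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
            {
                CertificatePassword = certificatePassword,
                DefaultSslBinding = true,
                EncodedCertificate = encodedCertificate,
                HostName = "gateway1.msitesting.net",
                Type = AzureNative.ApiManagement.HostnameType.Proxy,
            },
            new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
            {
                CertificatePassword = certificatePassword,
                EncodedCertificate = encodedCertificate,
                HostName = "mgmt.msitesting.net",
                Type = AzureNative.ApiManagement.HostnameType.Management,
            },
            new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
            {
                CertificatePassword = certificatePassword,
                EncodedCertificate = encodedCertificate,
                HostName = "portal1.msitesting.net",
                Type = AzureNative.ApiManagement.HostnameType.Portal,
            },
        },
        Location = "West US",
        PublisherEmail = "apim@autorestsdk.com",
        PublisherName = "autorestsdk",
        ResourceGroupName = "rg1",
        ServiceName = "apimService1",
        // AdditionalLocations requires the Premium SKU.
        Sku = new AzureNative.ApiManagement.Inputs.ApiManagementServiceSkuPropertiesArgs
        {
            Capacity = 1,
            Name = AzureNative.ApiManagement.SkuType.Premium,
        },
        Tags = 
        {
            { "tag1", "value1" },
            { "tag2", "value2" },
            { "tag3", "value3" },
        },
        VirtualNetworkType = AzureNative.ApiManagement.VirtualNetworkType.None,
    });

});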
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.ApiManagementService;
import com.pulumi.azurenative.apimanagement.ApiManagementServiceArgs;
import com.pulumi.azurenative.apimanagement.inputs.AdditionalLocationArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceSkuPropertiesArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiVersionConstraintArgs;
import com.pulumi.azurenative.apimanagement.inputs.HostnameConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

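/**
 * Pulumi program that provisions a Premium API Management service in West US
 * with a secondary East US location and custom hostnames for the gateway,
 * management and portal endpoints.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the API Management service.
     *
     * <p>Certificate material is read from encrypted stack configuration rather
     * than written as string literals, so the PFX and its password stay out of
     * source control and are handled as Pulumi secrets. Set both with
     * {@code pulumi config set --secret <key>} before deploying.
     *
     * @param ctx the Pulumi deployment context, used here to read stack configuration
     */
    public static void stack(Context ctx) {
        // One certificate is shared by all three hostnames here; add separate
        // config keys if each hostname has its own certificate.
        var config = ctx.config();
        var certificatePassword = config.requireSecret("certificatePassword");
        var encodedCertificate = config.requireSecret("encodedCertificate");

        var apiManagementService = new ApiManagementService("apiManagementService", ApiManagementServiceArgs.builder()
            // Secondary region. With disableGateway set, the location keeps its
            // configuration in sync but does not serve gateway traffic.
            .additionalLocations(AdditionalLocationArgs.builder()
                .disableGateway(true)
                .location("East US")
                .sku(ApiManagementServiceSkuPropertiesArgs.builder()
                    .capacity(1)
                    .name("Premium")
                    .build())
                .build())
            // Minimum API version accepted for operations against the service.
            .apiVersionConstraint(ApiVersionConstraintArgs.builder()
                .minApiVersion("2019-01-01")
                .build())
            .hostnameConfigurations(
                HostnameConfigurationArgs.builder()
                    .certificatePassword(certificatePassword)
                    .defaultSslBinding(true)
                    .encodedCertificate(encodedCertificate)
                    .hostName("gateway1.msitesting.net")
                    .type("Proxy")
                    .build(),
                HostnameConfigurationArgs.builder()
                    .certificatePassword(certificatePassword)
                    .encodedCertificate(encodedCertificate)
                    .hostName("mgmt.msitesting.net")
                    .type("Management")
                    .build(),
                HostnameConfigurationArgs.builder()
                    .certificatePassword(certificatePassword)
                    .encodedCertificate(encodedCertificate)
                    .hostName("portal1.msitesting.net")
                    .type("Portal")
                    .build())
            .location("West US")
            .publisherEmail("apim@autorestsdk.com")
            .publisherName("autorestsdk")
            .resourceGroupName("rg1")
            .serviceName("apimService1")
            // additionalLocations requires the Premium SKU.
            .sku(ApiManagementServiceSkuPropertiesArgs.builder()
                .capacity(1)
                .name("Premium")
                .build())
            .tags(Map.ofEntries(
                Map.entry("tag1", "value1"),
                Map.entry("tag2", "value2"),
                Map.entry("tag3", "value3")
            ))
            .virtualNetworkType("None")
            .build());

    }
}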
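# Certificate material is declared as secret stack configuration rather than
# written inline, so the PFX and its password stay out of source control.
# Set both with `pulumi config set --secret <key>` before deploying.
# One certificate is shared by all three hostnames here; add separate config
# keys if each hostname has its own certificate.
config:
  certificatePassword:
    type: string
    secret: true
  encodedCertificate:
    type: string
    secret: true
resources:
  apiManagementService:
    type: azure-native:apimanagement:ApiManagementService
    properties:
      # Secondary region. With disableGateway set, the location keeps its
      # configuration in sync but does not serve gateway traffic.
      additionalLocations:
        - disableGateway: true
          location: East US
          sku:
            capacity: 1
            name: Premium
      apiVersionConstraint:
        # Quoted so that no YAML parser can read the value as a date.
        minApiVersion: "2019-01-01"
      hostnameConfigurations:
        - certificatePassword: ${certificatePassword}
          defaultSslBinding: true
          encodedCertificate: ${encodedCertificate}
          hostName: gateway1.msitesting.net
          type: Proxy
        - certificatePassword: ${certificatePassword}
          encodedCertificate: ${encodedCertificate}
          hostName: mgmt.msitesting.net
          type: Management
        - certificatePassword: ${certificatePassword}
          encodedCertificate: ${encodedCertificate}
          hostName: portal1.msitesting.net
          type: Portal
      location: West US
      publisherEmail: apim@autorestsdk.com
      publisherName: autorestsdk
      resourceGroupName: rg1
      serviceName: apimService1
      # additionalLocations requires the Premium SKU.
      sku:
        capacity: 1
        name: Premium
      tags:
        tag1: value1
        tag2: value2
        tag3: value3
      virtualNetworkType: None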

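The additionalLocations array defines secondary regions, each with its own SKU capacity. Setting disableGateway to true on a location prevents it from serving traffic while maintaining configuration synchronization. The apiVersionConstraint property sets the minimum control-plane API version that management calls to the service must use. Multi-region deployment requires Premium SKU. The encodedCertificate and certificatePassword values in hostnameConfigurations are sensitive: supply them as encrypted stack secrets, or reference a Key Vault secret with keyVaultId, rather than committing literal values.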

Enable system-assigned managed identity

Services that integrate with Azure resources benefit from managed identities, which eliminate credential management.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Consumption tier: this SKU is declared with a capacity of 0.
const consumptionSku = {
    capacity: 0,
    name: azure_native.apimanagement.SkuType.Consumption,
};

// System-assigned identity: created with the service and removed with it.
// It has no access to other resources until roles are assigned to it, so
// grant only the roles the service needs.
const systemIdentity = {
    type: azure_native.apimanagement.ApimIdentityType.SystemAssigned,
};

const serviceTags = {
    tag1: "value1",
    tag2: "value2",
    tag3: "value3",
};

const apiManagementService = new azure_native.apimanagement.ApiManagementService("apiManagementService", {
    resourceGroupName: "rg1",
    serviceName: "apimService1",
    location: "West US",
    publisherName: "autorestsdk",
    publisherEmail: "apim@autorestsdk.com",
    sku: consumptionSku,
    identity: systemIdentity,
    tags: serviceTags,
});
import pulumi
import pulumi_azure_native as azure_native

# Consumption tier: this SKU is declared with a capacity of 0.
consumption_sku = {
    "capacity": 0,
    "name": azure_native.apimanagement.SkuType.CONSUMPTION,
}

# System-assigned identity: created with the service and removed with it.
# It has no access to other resources until roles are assigned to it, so
# grant only the roles the service needs.
system_identity = {
    "type": azure_native.apimanagement.ApimIdentityType.SYSTEM_ASSIGNED,
}

service_tags = {
    "tag1": "value1",
    "tag2": "value2",
    "tag3": "value3",
}

api_management_service = azure_native.apimanagement.ApiManagementService(
    "apiManagementService",
    resource_group_name="rg1",
    service_name="apimService1",
    location="West US",
    publisher_name="autorestsdk",
    publisher_email="apim@autorestsdk.com",
    sku=consumption_sku,
    identity=system_identity,
    tags=service_tags,
)
package main

import (
	apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions a Consumption-tier API Management service with a
// system-assigned managed identity.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// System-assigned identity: created with the service and removed with
		// it. It has no access to other resources until roles are assigned to
		// it, so grant only the roles the service needs.
		identity := &apimanagement.ApiManagementServiceIdentityArgs{
			Type: pulumi.String(apimanagement.ApimIdentityTypeSystemAssigned),
		}

		// Consumption tier: this SKU is declared with a capacity of 0.
		sku := &apimanagement.ApiManagementServiceSkuPropertiesArgs{
			Capacity: pulumi.Int(0),
			Name:     pulumi.String(apimanagement.SkuTypeConsumption),
		}

		args := &apimanagement.ApiManagementServiceArgs{
			ResourceGroupName: pulumi.String("rg1"),
			ServiceName:       pulumi.String("apimService1"),
			Location:          pulumi.String("West US"),
			PublisherName:     pulumi.String("autorestsdk"),
			PublisherEmail:    pulumi.String("apim@autorestsdk.com"),
			Sku:               sku,
			Identity:          identity,
			Tags: pulumi.StringMap{
				"tag1": pulumi.String("value1"),
				"tag2": pulumi.String("value2"),
				"tag3": pulumi.String("value3"),
			},
		}

		_, err := apimanagement.NewApiManagementService(ctx, "apiManagementService", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    // System-assigned identity: created with the service and removed with it.
    // It has no access to other resources until roles are assigned to it, so
    // grant only the roles the service needs.
    var systemIdentity = new AzureNative.ApiManagement.Inputs.ApiManagementServiceIdentityArgs
    {
        Type = AzureNative.ApiManagement.ApimIdentityType.SystemAssigned,
    };

    // Consumption tier: this SKU is declared with a capacity of 0.
    var consumptionSku = new AzureNative.ApiManagement.Inputs.ApiManagementServiceSkuPropertiesArgs
    {
        Capacity = 0,
        Name = AzureNative.ApiManagement.SkuType.Consumption,
    };

    var service = new AzureNative.ApiManagement.ApiManagementService("apiManagementService", new()
    {
        ResourceGroupName = "rg1",
        ServiceName = "apimService1",
        Location = "West US",
        PublisherName = "autorestsdk",
        PublisherEmail = "apim@autorestsdk.com",
        Sku = consumptionSku,
        Identity = systemIdentity,
        Tags =
        {
            { "tag1", "value1" },
            { "tag2", "value2" },
            { "tag3", "value3" },
        },
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.ApiManagementService;
import com.pulumi.azurenative.apimanagement.ApiManagementServiceArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceIdentityArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceSkuPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that provisions a Consumption-tier API Management service
 * with a system-assigned managed identity.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the API Management service.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // System-assigned identity: created with the service and removed with
        // it. It has no access to other resources until roles are assigned to
        // it, so grant only the roles the service needs.
        var systemIdentity = ApiManagementServiceIdentityArgs.builder()
            .type("SystemAssigned")
            .build();

        // Consumption tier: this SKU is declared with a capacity of 0.
        var consumptionSku = ApiManagementServiceSkuPropertiesArgs.builder()
            .name("Consumption")
            .capacity(0)
            .build();

        var serviceTags = Map.of(
            "tag1", "value1",
            "tag2", "value2",
            "tag3", "value3");

        var serviceArgs = ApiManagementServiceArgs.builder()
            .resourceGroupName("rg1")
            .serviceName("apimService1")
            .location("West US")
            .publisherName("autorestsdk")
            .publisherEmail("apim@autorestsdk.com")
            .sku(consumptionSku)
            .identity(systemIdentity)
            .tags(serviceTags)
            .build();

        var apiManagementService = new ApiManagementService("apiManagementService", serviceArgs);
    }
}
# Consumption-tier API Management service with a system-assigned managed identity.
resources:
  apiManagementService:
    type: azure-native:apimanagement:ApiManagementService
    properties:
      # System-assigned identity: created with the service and removed with it.
      # It has no access to other resources until roles are assigned to it, so
      # grant only the roles the service needs.
      identity:
        type: SystemAssigned
      location: West US
      publisherEmail: apim@autorestsdk.com
      publisherName: autorestsdk
      resourceGroupName: rg1
      serviceName: apimService1
      # Consumption tier: this SKU is declared with a capacity of 0.
      sku:
        capacity: 0
        name: Consumption
      tags:
        tag1: value1
        tag2: value2
        tag3: value3

The identity property with type set to SystemAssigned creates a managed identity automatically tied to the service lifecycle. Azure manages the identity’s credentials and lifecycle, allowing the service to authenticate to other Azure resources without storing secrets. A new identity has no access to other resources until you assign it roles, so grant only the permissions the service needs.

Beyond these examples

These snippets focus on specific service-level features: single and multi-region deployment, custom hostname configuration with certificates, VNet integration, and managed identities. They’re intentionally minimal rather than full API management solutions.

The examples may reference pre-existing infrastructure such as Azure resource groups and regions, Key Vault secrets for TLS certificates, VNet subnets, public IP addresses, and managed identities. They focus on configuring the service instance rather than provisioning everything around it.

To keep things focused, common API Management patterns are omitted, including:

  • API definitions and backend service configuration
  • Policy definitions and transformation rules
  • Developer portal customization
  • Monitoring and diagnostics configuration
  • Backup and disaster recovery settings
  • Certificate rotation and renewal automation

These omissions are intentional: the goal is to illustrate how each service feature is wired, not provide drop-in API management modules. See the API Management Service resource reference for all available configuration options.


Frequently Asked Questions

SKU Selection & Capabilities
What features require Premium SKU?
Premium SKU is required for multi-region deployment (additionalLocations), Virtual Network integration with public IP (publicIpAddressId), availability zones (zones), and NAT Gateway support. Premium SKU also supports higher capacity scaling.
What's special about the Consumption SKU?
Consumption SKU uses capacity 0 and is the only SKU where enableClientCertificate should be used. This property enforces client certificate presentation on each gateway request and enables certificate authentication in policies.
Can I use Virtual Network with Developer SKU?
Yes, Developer SKU supports Virtual Network deployment with publicIpAddressId, but multi-region deployment and availability zones require Premium SKU.
Networking & Virtual Network
How do I deploy API Management in a Virtual Network?
Configure virtualNetworkConfiguration with subnetResourceId and set virtualNetworkType to External (internet-facing endpoint) or Internal (intranet-facing endpoint only). The default virtualNetworkType is None.
What's the difference between External and Internal VNet types?
External means the API Management deployment has an internet-facing endpoint inside a Virtual Network. Internal means the deployment has only an intranet-facing endpoint, with no public internet access.
How do I enable NAT Gateway for my API Management service?
Set natGatewayState to Enabled. This feature is available for Premium SKU and provides outbound connectivity through NAT Gateway.
Custom Hostnames & Certificates
How do I configure custom hostnames with SSL certificates?
Use hostnameConfigurations to specify custom hostnames for Proxy, Management, and Portal endpoints. You can either provide certificates directly using encodedCertificate and certificatePassword, or reference them from Key Vault using keyVaultId and identityClientId. When you provide certificates directly, pass both values as encrypted stack secrets rather than literal strings in the program.
Can I use Key Vault for certificate management?
Yes, set keyVaultId to your Key Vault secret URL and identityClientId to specify which managed identity should access the certificate. You’ll need to configure a user-assigned managed identity with Key Vault access.
Identity & Security
How do I enable managed identity for my API Management service?
Set the identity property with type as SystemAssigned or UserAssigned. For user-assigned identity, specify the identity resource IDs in userAssignedIdentities.
How do I configure TLS protocols and ciphers?
Use customProperties to disable specific TLS versions or ciphers. For example, set Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 to false to disable TLS 1.0. Note that some ciphers (TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, and others) cannot be disabled as they’re required by platform components.
High Availability & Service Management
How do I deploy API Management across multiple regions?
Use additionalLocations with Premium SKU to specify additional datacenter locations. Each location can have its own SKU capacity and can optionally disable the gateway using disableGateway.
How do I restore a soft-deleted API Management service?
Set restore to true when creating the service. When this flag is set, all other properties are ignored, so you’ll need to configure the service in a separate update operation after restoration.
