The azure-native:apimanagement:ApiManagementService resource, part of the Pulumi Azure Native provider, provisions an API Management service instance that hosts APIs, manages traffic, and provides developer portals. This guide focuses on four capabilities: basic service provisioning with publisher metadata, managed identity configuration for Azure integrations, custom hostname setup with Key Vault certificates, and virtual network integration and multi-region deployment.
API Management services reference Azure infrastructure including resource groups, Key Vault instances, virtual networks, and managed identities. The examples are intentionally small. Combine them with your own API definitions, policies, and backend configurations.
Create a basic API Management service instance
Most deployments start with a minimal service instance that defines the publisher identity, SKU tier, and Azure region.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const apiManagementService = new azure_native.apimanagement.ApiManagementService("apiManagementService", {
location: "South Central US",
publisherEmail: "foo@contoso.com",
publisherName: "foo",
resourceGroupName: "rg1",
serviceName: "apimService1",
sku: {
capacity: 1,
name: azure_native.apimanagement.SkuType.Developer,
},
tags: {
Name: "Contoso",
Test: "User",
},
});
import pulumi
import pulumi_azure_native as azure_native
api_management_service = azure_native.apimanagement.ApiManagementService("apiManagementService",
location="South Central US",
publisher_email="foo@contoso.com",
publisher_name="foo",
resource_group_name="rg1",
service_name="apimService1",
sku={
"capacity": 1,
"name": azure_native.apimanagement.SkuType.DEVELOPER,
},
tags={
"Name": "Contoso",
"Test": "User",
})
package main
import (
apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := apimanagement.NewApiManagementService(ctx, "apiManagementService", &apimanagement.ApiManagementServiceArgs{
Location: pulumi.String("South Central US"),
PublisherEmail: pulumi.String("foo@contoso.com"),
PublisherName: pulumi.String("foo"),
ResourceGroupName: pulumi.String("rg1"),
ServiceName: pulumi.String("apimService1"),
Sku: &apimanagement.ApiManagementServiceSkuPropertiesArgs{
Capacity: pulumi.Int(1),
Name: pulumi.String(apimanagement.SkuTypeDeveloper),
},
Tags: pulumi.StringMap{
"Name": pulumi.String("Contoso"),
"Test": pulumi.String("User"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var apiManagementService = new AzureNative.ApiManagement.ApiManagementService("apiManagementService", new()
{
Location = "South Central US",
PublisherEmail = "foo@contoso.com",
PublisherName = "foo",
ResourceGroupName = "rg1",
ServiceName = "apimService1",
Sku = new AzureNative.ApiManagement.Inputs.ApiManagementServiceSkuPropertiesArgs
{
Capacity = 1,
Name = AzureNative.ApiManagement.SkuType.Developer,
},
Tags =
{
{ "Name", "Contoso" },
{ "Test", "User" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.ApiManagementService;
import com.pulumi.azurenative.apimanagement.ApiManagementServiceArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceSkuPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var apiManagementService = new ApiManagementService("apiManagementService", ApiManagementServiceArgs.builder()
.location("South Central US")
.publisherEmail("foo@contoso.com")
.publisherName("foo")
.resourceGroupName("rg1")
.serviceName("apimService1")
.sku(ApiManagementServiceSkuPropertiesArgs.builder()
.capacity(1)
.name("Developer")
.build())
.tags(Map.ofEntries(
Map.entry("Name", "Contoso"),
Map.entry("Test", "User")
))
.build());
}
}
resources:
apiManagementService:
type: azure-native:apimanagement:ApiManagementService
properties:
location: South Central US
publisherEmail: foo@contoso.com
publisherName: foo
resourceGroupName: rg1
serviceName: apimService1
sku:
capacity: 1
name: Developer
tags:
Name: Contoso
Test: User
The publisherEmail and publisherName properties identify the organization managing the service. The sku property sets the service tier, which determines capacity, features, and pricing. The location property places the service in an Azure region. This configuration creates a Developer-tier instance suitable for testing and development.
Enable system-assigned managed identity for Azure integrations
Services that need to authenticate to Azure resources like Key Vault or Application Insights use managed identities to avoid storing credentials.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const apiManagementService = new azure_native.apimanagement.ApiManagementService("apiManagementService", {
identity: {
type: azure_native.apimanagement.ApimIdentityType.SystemAssigned,
},
location: "West US",
publisherEmail: "apim@autorestsdk.com",
publisherName: "autorestsdk",
resourceGroupName: "rg1",
serviceName: "apimService1",
sku: {
capacity: 0,
name: azure_native.apimanagement.SkuType.Consumption,
},
tags: {
tag1: "value1",
tag2: "value2",
tag3: "value3",
},
});
import pulumi
import pulumi_azure_native as azure_native
api_management_service = azure_native.apimanagement.ApiManagementService("apiManagementService",
identity={
"type": azure_native.apimanagement.ApimIdentityType.SYSTEM_ASSIGNED,
},
location="West US",
publisher_email="apim@autorestsdk.com",
publisher_name="autorestsdk",
resource_group_name="rg1",
service_name="apimService1",
sku={
"capacity": 0,
"name": azure_native.apimanagement.SkuType.CONSUMPTION,
},
tags={
"tag1": "value1",
"tag2": "value2",
"tag3": "value3",
})
package main
import (
apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := apimanagement.NewApiManagementService(ctx, "apiManagementService", &apimanagement.ApiManagementServiceArgs{
Identity: &apimanagement.ApiManagementServiceIdentityArgs{
Type: pulumi.String(apimanagement.ApimIdentityTypeSystemAssigned),
},
Location: pulumi.String("West US"),
PublisherEmail: pulumi.String("apim@autorestsdk.com"),
PublisherName: pulumi.String("autorestsdk"),
ResourceGroupName: pulumi.String("rg1"),
ServiceName: pulumi.String("apimService1"),
Sku: &apimanagement.ApiManagementServiceSkuPropertiesArgs{
Capacity: pulumi.Int(0),
Name: pulumi.String(apimanagement.SkuTypeConsumption),
},
Tags: pulumi.StringMap{
"tag1": pulumi.String("value1"),
"tag2": pulumi.String("value2"),
"tag3": pulumi.String("value3"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var apiManagementService = new AzureNative.ApiManagement.ApiManagementService("apiManagementService", new()
{
Identity = new AzureNative.ApiManagement.Inputs.ApiManagementServiceIdentityArgs
{
Type = AzureNative.ApiManagement.ApimIdentityType.SystemAssigned,
},
Location = "West US",
PublisherEmail = "apim@autorestsdk.com",
PublisherName = "autorestsdk",
ResourceGroupName = "rg1",
ServiceName = "apimService1",
Sku = new AzureNative.ApiManagement.Inputs.ApiManagementServiceSkuPropertiesArgs
{
Capacity = 0,
Name = AzureNative.ApiManagement.SkuType.Consumption,
},
Tags =
{
{ "tag1", "value1" },
{ "tag2", "value2" },
{ "tag3", "value3" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.ApiManagementService;
import com.pulumi.azurenative.apimanagement.ApiManagementServiceArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceIdentityArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceSkuPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var apiManagementService = new ApiManagementService("apiManagementService", ApiManagementServiceArgs.builder()
.identity(ApiManagementServiceIdentityArgs.builder()
.type("SystemAssigned")
.build())
.location("West US")
.publisherEmail("apim@autorestsdk.com")
.publisherName("autorestsdk")
.resourceGroupName("rg1")
.serviceName("apimService1")
.sku(ApiManagementServiceSkuPropertiesArgs.builder()
.capacity(0)
.name("Consumption")
.build())
.tags(Map.ofEntries(
Map.entry("tag1", "value1"),
Map.entry("tag2", "value2"),
Map.entry("tag3", "value3")
))
.build());
}
}
resources:
apiManagementService:
type: azure-native:apimanagement:ApiManagementService
properties:
identity:
type: SystemAssigned
location: West US
publisherEmail: apim@autorestsdk.com
publisherName: autorestsdk
resourceGroupName: rg1
serviceName: apimService1
sku:
capacity: 0
name: Consumption
tags:
tag1: value1
tag2: value2
tag3: value3
The identity property with type set to SystemAssigned creates an Azure AD identity for the service. Azure automatically manages the identity’s lifecycle and credentials. This identity can be granted permissions to Key Vault, storage accounts, or other Azure resources through role assignments.
Configure custom hostnames with Key Vault certificates
Production deployments typically use custom domains for the gateway, management API, and developer portal. Key Vault integration allows certificate rotation without service updates.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const apiManagementService = new azure_native.apimanagement.ApiManagementService("apiManagementService", {
apiVersionConstraint: {
minApiVersion: "2019-01-01",
},
hostnameConfigurations: [
{
defaultSslBinding: true,
hostName: "gateway1.msitesting.net",
identityClientId: "329419bc-adec-4dce-9568-25a6d486e468",
keyVaultId: "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert",
type: azure_native.apimanagement.HostnameType.Proxy,
},
{
hostName: "mgmt.msitesting.net",
identityClientId: "329419bc-adec-4dce-9568-25a6d486e468",
keyVaultId: "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert",
type: azure_native.apimanagement.HostnameType.Management,
},
{
hostName: "portal1.msitesting.net",
identityClientId: "329419bc-adec-4dce-9568-25a6d486e468",
keyVaultId: "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert",
type: azure_native.apimanagement.HostnameType.Portal,
},
{
certificatePassword: "Password",
encodedCertificate: "****** Base 64 Encoded Certificate ************",
hostName: "configuration-api.msitesting.net",
type: azure_native.apimanagement.HostnameType.ConfigurationApi,
},
],
identity: {
type: azure_native.apimanagement.ApimIdentityType.UserAssigned,
userAssignedIdentities: {
"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1": {},
},
},
location: "North Europe",
publisherEmail: "apim@autorestsdk.com",
publisherName: "autorestsdk",
resourceGroupName: "rg1",
serviceName: "apimService1",
sku: {
capacity: 1,
name: azure_native.apimanagement.SkuType.Premium,
},
tags: {
tag1: "value1",
tag2: "value2",
tag3: "value3",
},
virtualNetworkType: azure_native.apimanagement.VirtualNetworkType.None,
});
import pulumi
import pulumi_azure_native as azure_native
api_management_service = azure_native.apimanagement.ApiManagementService("apiManagementService",
api_version_constraint={
"min_api_version": "2019-01-01",
},
hostname_configurations=[
{
"default_ssl_binding": True,
"host_name": "gateway1.msitesting.net",
"identity_client_id": "329419bc-adec-4dce-9568-25a6d486e468",
"key_vault_id": "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert",
"type": azure_native.apimanagement.HostnameType.PROXY,
},
{
"host_name": "mgmt.msitesting.net",
"identity_client_id": "329419bc-adec-4dce-9568-25a6d486e468",
"key_vault_id": "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert",
"type": azure_native.apimanagement.HostnameType.MANAGEMENT,
},
{
"host_name": "portal1.msitesting.net",
"identity_client_id": "329419bc-adec-4dce-9568-25a6d486e468",
"key_vault_id": "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert",
"type": azure_native.apimanagement.HostnameType.PORTAL,
},
{
"certificate_password": "Password",
"encoded_certificate": "****** Base 64 Encoded Certificate ************",
"host_name": "configuration-api.msitesting.net",
"type": azure_native.apimanagement.HostnameType.CONFIGURATION_API,
},
],
identity={
"type": azure_native.apimanagement.ApimIdentityType.USER_ASSIGNED,
"user_assigned_identities": {
"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1": {},
},
},
location="North Europe",
publisher_email="apim@autorestsdk.com",
publisher_name="autorestsdk",
resource_group_name="rg1",
service_name="apimService1",
sku={
"capacity": 1,
"name": azure_native.apimanagement.SkuType.PREMIUM,
},
tags={
"tag1": "value1",
"tag2": "value2",
"tag3": "value3",
},
virtual_network_type=azure_native.apimanagement.VirtualNetworkType.NONE)
package main
import (
apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := apimanagement.NewApiManagementService(ctx, "apiManagementService", &apimanagement.ApiManagementServiceArgs{
ApiVersionConstraint: &apimanagement.ApiVersionConstraintArgs{
MinApiVersion: pulumi.String("2019-01-01"),
},
HostnameConfigurations: apimanagement.HostnameConfigurationArray{
&apimanagement.HostnameConfigurationArgs{
DefaultSslBinding: pulumi.Bool(true),
HostName: pulumi.String("gateway1.msitesting.net"),
IdentityClientId: pulumi.String("329419bc-adec-4dce-9568-25a6d486e468"),
KeyVaultId: pulumi.String("https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert"),
Type: pulumi.String(apimanagement.HostnameTypeProxy),
},
&apimanagement.HostnameConfigurationArgs{
HostName: pulumi.String("mgmt.msitesting.net"),
IdentityClientId: pulumi.String("329419bc-adec-4dce-9568-25a6d486e468"),
KeyVaultId: pulumi.String("https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert"),
Type: pulumi.String(apimanagement.HostnameTypeManagement),
},
&apimanagement.HostnameConfigurationArgs{
HostName: pulumi.String("portal1.msitesting.net"),
IdentityClientId: pulumi.String("329419bc-adec-4dce-9568-25a6d486e468"),
KeyVaultId: pulumi.String("https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert"),
Type: pulumi.String(apimanagement.HostnameTypePortal),
},
&apimanagement.HostnameConfigurationArgs{
CertificatePassword: pulumi.String("Password"),
EncodedCertificate: pulumi.String("****** Base 64 Encoded Certificate ************"),
HostName: pulumi.String("configuration-api.msitesting.net"),
Type: pulumi.String(apimanagement.HostnameTypeConfigurationApi),
},
},
Identity: &apimanagement.ApiManagementServiceIdentityArgs{
Type: pulumi.String(apimanagement.ApimIdentityTypeUserAssigned),
UserAssignedIdentities: apimanagement.UserIdentityPropertiesMap{
"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1": &apimanagement.UserIdentityPropertiesArgs{},
},
},
Location: pulumi.String("North Europe"),
PublisherEmail: pulumi.String("apim@autorestsdk.com"),
PublisherName: pulumi.String("autorestsdk"),
ResourceGroupName: pulumi.String("rg1"),
ServiceName: pulumi.String("apimService1"),
Sku: &apimanagement.ApiManagementServiceSkuPropertiesArgs{
Capacity: pulumi.Int(1),
Name: pulumi.String(apimanagement.SkuTypePremium),
},
Tags: pulumi.StringMap{
"tag1": pulumi.String("value1"),
"tag2": pulumi.String("value2"),
"tag3": pulumi.String("value3"),
},
VirtualNetworkType: pulumi.String(apimanagement.VirtualNetworkTypeNone),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var apiManagementService = new AzureNative.ApiManagement.ApiManagementService("apiManagementService", new()
{
ApiVersionConstraint = new AzureNative.ApiManagement.Inputs.ApiVersionConstraintArgs
{
MinApiVersion = "2019-01-01",
},
HostnameConfigurations = new[]
{
new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
{
DefaultSslBinding = true,
HostName = "gateway1.msitesting.net",
IdentityClientId = "329419bc-adec-4dce-9568-25a6d486e468",
KeyVaultId = "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert",
Type = AzureNative.ApiManagement.HostnameType.Proxy,
},
new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
{
HostName = "mgmt.msitesting.net",
IdentityClientId = "329419bc-adec-4dce-9568-25a6d486e468",
KeyVaultId = "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert",
Type = AzureNative.ApiManagement.HostnameType.Management,
},
new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
{
HostName = "portal1.msitesting.net",
IdentityClientId = "329419bc-adec-4dce-9568-25a6d486e468",
KeyVaultId = "https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert",
Type = AzureNative.ApiManagement.HostnameType.Portal,
},
new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
{
CertificatePassword = "Password",
EncodedCertificate = "****** Base 64 Encoded Certificate ************",
HostName = "configuration-api.msitesting.net",
Type = AzureNative.ApiManagement.HostnameType.ConfigurationApi,
},
},
Identity = new AzureNative.ApiManagement.Inputs.ApiManagementServiceIdentityArgs
{
Type = AzureNative.ApiManagement.ApimIdentityType.UserAssigned,
UserAssignedIdentities =
{
{ "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1", null },
},
},
Location = "North Europe",
PublisherEmail = "apim@autorestsdk.com",
PublisherName = "autorestsdk",
ResourceGroupName = "rg1",
ServiceName = "apimService1",
Sku = new AzureNative.ApiManagement.Inputs.ApiManagementServiceSkuPropertiesArgs
{
Capacity = 1,
Name = AzureNative.ApiManagement.SkuType.Premium,
},
Tags =
{
{ "tag1", "value1" },
{ "tag2", "value2" },
{ "tag3", "value3" },
},
VirtualNetworkType = AzureNative.ApiManagement.VirtualNetworkType.None,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.ApiManagementService;
import com.pulumi.azurenative.apimanagement.ApiManagementServiceArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiVersionConstraintArgs;
import com.pulumi.azurenative.apimanagement.inputs.HostnameConfigurationArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceIdentityArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceSkuPropertiesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var apiManagementService = new ApiManagementService("apiManagementService", ApiManagementServiceArgs.builder()
.apiVersionConstraint(ApiVersionConstraintArgs.builder()
.minApiVersion("2019-01-01")
.build())
.hostnameConfigurations(
HostnameConfigurationArgs.builder()
.defaultSslBinding(true)
.hostName("gateway1.msitesting.net")
.identityClientId("329419bc-adec-4dce-9568-25a6d486e468")
.keyVaultId("https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert")
.type("Proxy")
.build(),
HostnameConfigurationArgs.builder()
.hostName("mgmt.msitesting.net")
.identityClientId("329419bc-adec-4dce-9568-25a6d486e468")
.keyVaultId("https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert")
.type("Management")
.build(),
HostnameConfigurationArgs.builder()
.hostName("portal1.msitesting.net")
.identityClientId("329419bc-adec-4dce-9568-25a6d486e468")
.keyVaultId("https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert")
.type("Portal")
.build(),
HostnameConfigurationArgs.builder()
.certificatePassword("Password")
.encodedCertificate("****** Base 64 Encoded Certificate ************")
.hostName("configuration-api.msitesting.net")
.type("ConfigurationApi")
.build())
.identity(ApiManagementServiceIdentityArgs.builder()
.type("UserAssigned")
.userAssignedIdentities(Map.of("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1", UserIdentityPropertiesArgs.builder()
.build()))
.build())
.location("North Europe")
.publisherEmail("apim@autorestsdk.com")
.publisherName("autorestsdk")
.resourceGroupName("rg1")
.serviceName("apimService1")
.sku(ApiManagementServiceSkuPropertiesArgs.builder()
.capacity(1)
.name("Premium")
.build())
.tags(Map.ofEntries(
Map.entry("tag1", "value1"),
Map.entry("tag2", "value2"),
Map.entry("tag3", "value3")
))
.virtualNetworkType("None")
.build());
}
}
resources:
apiManagementService:
type: azure-native:apimanagement:ApiManagementService
properties:
apiVersionConstraint:
minApiVersion: 2019-01-01
hostnameConfigurations:
- defaultSslBinding: true
hostName: gateway1.msitesting.net
identityClientId: 329419bc-adec-4dce-9568-25a6d486e468
keyVaultId: https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert
type: Proxy
- hostName: mgmt.msitesting.net
identityClientId: 329419bc-adec-4dce-9568-25a6d486e468
keyVaultId: https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert
type: Management
- hostName: portal1.msitesting.net
identityClientId: 329419bc-adec-4dce-9568-25a6d486e468
keyVaultId: https://rpbvtkeyvaultintegration.vault.azure.net/secrets/msitestingCert
type: Portal
- certificatePassword: Password
encodedCertificate: '****** Base 64 Encoded Certificate ************'
hostName: configuration-api.msitesting.net
type: ConfigurationApi
identity:
type: UserAssigned
userAssignedIdentities:
? /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1
: {}
location: North Europe
publisherEmail: apim@autorestsdk.com
publisherName: autorestsdk
resourceGroupName: rg1
serviceName: apimService1
sku:
capacity: 1
name: Premium
tags:
tag1: value1
tag2: value2
tag3: value3
virtualNetworkType: None
Each hostnameConfigurations entry defines a custom domain for a specific endpoint type (Proxy for gateway, Management for admin API, Portal for developer portal). The keyVaultId property references a Key Vault secret containing the TLS certificate. The identityClientId property specifies which user-assigned identity retrieves the certificate. Azure automatically renews certificates when Key Vault secrets are updated.
Deploy into a virtual network with external access
Organizations with network isolation requirements deploy API Management into VNets to control traffic flow while maintaining internet-facing endpoints.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const apiManagementService = new azure_native.apimanagement.ApiManagementService("apiManagementService", {
location: "East US 2 EUAP",
publicIpAddressId: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgName/providers/Microsoft.Network/publicIPAddresses/apimazvnet",
publisherEmail: "apim@autorestsdk.com",
publisherName: "autorestsdk",
resourceGroupName: "rg1",
serviceName: "apimService1",
sku: {
capacity: 2,
name: azure_native.apimanagement.SkuType.Premium,
},
tags: {
tag1: "value1",
tag2: "value2",
tag3: "value3",
},
virtualNetworkConfiguration: {
subnetResourceId: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/apimcus/subnets/tenant",
},
virtualNetworkType: azure_native.apimanagement.VirtualNetworkType.External,
zones: [
"1",
"2",
],
});
import pulumi
import pulumi_azure_native as azure_native
api_management_service = azure_native.apimanagement.ApiManagementService("apiManagementService",
location="East US 2 EUAP",
public_ip_address_id="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgName/providers/Microsoft.Network/publicIPAddresses/apimazvnet",
publisher_email="apim@autorestsdk.com",
publisher_name="autorestsdk",
resource_group_name="rg1",
service_name="apimService1",
sku={
"capacity": 2,
"name": azure_native.apimanagement.SkuType.PREMIUM,
},
tags={
"tag1": "value1",
"tag2": "value2",
"tag3": "value3",
},
virtual_network_configuration={
"subnet_resource_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/apimcus/subnets/tenant",
},
virtual_network_type=azure_native.apimanagement.VirtualNetworkType.EXTERNAL,
zones=[
"1",
"2",
])
package main
import (
apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := apimanagement.NewApiManagementService(ctx, "apiManagementService", &apimanagement.ApiManagementServiceArgs{
Location: pulumi.String("East US 2 EUAP"),
PublicIpAddressId: pulumi.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgName/providers/Microsoft.Network/publicIPAddresses/apimazvnet"),
PublisherEmail: pulumi.String("apim@autorestsdk.com"),
PublisherName: pulumi.String("autorestsdk"),
ResourceGroupName: pulumi.String("rg1"),
ServiceName: pulumi.String("apimService1"),
Sku: &apimanagement.ApiManagementServiceSkuPropertiesArgs{
Capacity: pulumi.Int(2),
Name: pulumi.String(apimanagement.SkuTypePremium),
},
Tags: pulumi.StringMap{
"tag1": pulumi.String("value1"),
"tag2": pulumi.String("value2"),
"tag3": pulumi.String("value3"),
},
VirtualNetworkConfiguration: &apimanagement.VirtualNetworkConfigurationArgs{
SubnetResourceId: pulumi.String("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/apimcus/subnets/tenant"),
},
VirtualNetworkType: pulumi.String(apimanagement.VirtualNetworkTypeExternal),
Zones: pulumi.StringArray{
pulumi.String("1"),
pulumi.String("2"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var apiManagementService = new AzureNative.ApiManagement.ApiManagementService("apiManagementService", new()
{
Location = "East US 2 EUAP",
PublicIpAddressId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgName/providers/Microsoft.Network/publicIPAddresses/apimazvnet",
PublisherEmail = "apim@autorestsdk.com",
PublisherName = "autorestsdk",
ResourceGroupName = "rg1",
ServiceName = "apimService1",
Sku = new AzureNative.ApiManagement.Inputs.ApiManagementServiceSkuPropertiesArgs
{
Capacity = 2,
Name = AzureNative.ApiManagement.SkuType.Premium,
},
Tags =
{
{ "tag1", "value1" },
{ "tag2", "value2" },
{ "tag3", "value3" },
},
VirtualNetworkConfiguration = new AzureNative.ApiManagement.Inputs.VirtualNetworkConfigurationArgs
{
SubnetResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/apimcus/subnets/tenant",
},
VirtualNetworkType = AzureNative.ApiManagement.VirtualNetworkType.External,
Zones = new[]
{
"1",
"2",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.ApiManagementService;
import com.pulumi.azurenative.apimanagement.ApiManagementServiceArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceSkuPropertiesArgs;
import com.pulumi.azurenative.apimanagement.inputs.VirtualNetworkConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var apiManagementService = new ApiManagementService("apiManagementService", ApiManagementServiceArgs.builder()
.location("East US 2 EUAP")
.publicIpAddressId("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgName/providers/Microsoft.Network/publicIPAddresses/apimazvnet")
.publisherEmail("apim@autorestsdk.com")
.publisherName("autorestsdk")
.resourceGroupName("rg1")
.serviceName("apimService1")
.sku(ApiManagementServiceSkuPropertiesArgs.builder()
.capacity(2)
.name("Premium")
.build())
.tags(Map.ofEntries(
Map.entry("tag1", "value1"),
Map.entry("tag2", "value2"),
Map.entry("tag3", "value3")
))
.virtualNetworkConfiguration(VirtualNetworkConfigurationArgs.builder()
.subnetResourceId("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/apimcus/subnets/tenant")
.build())
.virtualNetworkType("External")
.zones(
"1",
"2")
.build());
}
}
resources:
apiManagementService:
type: azure-native:apimanagement:ApiManagementService
properties:
location: East US 2 EUAP
publicIpAddressId: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgName/providers/Microsoft.Network/publicIPAddresses/apimazvnet
publisherEmail: apim@autorestsdk.com
publisherName: autorestsdk
resourceGroupName: rg1
serviceName: apimService1
sku:
capacity: 2
name: Premium
tags:
tag1: value1
tag2: value2
tag3: value3
virtualNetworkConfiguration:
subnetResourceId: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/apimcus/subnets/tenant
virtualNetworkType: External
zones:
- '1'
- '2'
The virtualNetworkConfiguration property places the service in a specified subnet. The virtualNetworkType property set to External creates internet-facing endpoints while allowing the service to reach private backends. The publicIpAddressId property associates a static public IP for predictable outbound traffic. The zones property distributes capacity across availability zones for higher availability.
Scale across regions with additional locations
Global applications distribute API traffic across multiple Azure regions to reduce latency and improve availability.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const apiManagementService = new azure_native.apimanagement.ApiManagementService("apiManagementService", {
additionalLocations: [{
disableGateway: true,
location: "East US",
sku: {
capacity: 1,
name: azure_native.apimanagement.SkuType.Premium,
},
}],
apiVersionConstraint: {
minApiVersion: "2019-01-01",
},
hostnameConfigurations: [
{
certificatePassword: "Password",
defaultSslBinding: true,
encodedCertificate: "****** Base 64 Encoded Certificate ************",
hostName: "gateway1.msitesting.net",
type: azure_native.apimanagement.HostnameType.Proxy,
},
{
certificatePassword: "Password",
encodedCertificate: "****** Base 64 Encoded Certificate ************",
hostName: "mgmt.msitesting.net",
type: azure_native.apimanagement.HostnameType.Management,
},
{
certificatePassword: "Password",
encodedCertificate: "****** Base 64 Encoded Certificate ************",
hostName: "portal1.msitesting.net",
type: azure_native.apimanagement.HostnameType.Portal,
},
{
certificatePassword: "Password",
encodedCertificate: "****** Base 64 Encoded Certificate ************",
hostName: "configuration-api.msitesting.net",
type: azure_native.apimanagement.HostnameType.ConfigurationApi,
},
],
location: "West US",
publisherEmail: "apim@autorestsdk.com",
publisherName: "autorestsdk",
resourceGroupName: "rg1",
serviceName: "apimService1",
sku: {
capacity: 1,
name: azure_native.apimanagement.SkuType.Premium,
},
tags: {
tag1: "value1",
tag2: "value2",
tag3: "value3",
},
virtualNetworkType: azure_native.apimanagement.VirtualNetworkType.None,
});
import pulumi
import pulumi_azure_native as azure_native
api_management_service = azure_native.apimanagement.ApiManagementService("apiManagementService",
additional_locations=[{
"disable_gateway": True,
"location": "East US",
"sku": {
"capacity": 1,
"name": azure_native.apimanagement.SkuType.PREMIUM,
},
}],
api_version_constraint={
"min_api_version": "2019-01-01",
},
hostname_configurations=[
{
"certificate_password": "Password",
"default_ssl_binding": True,
"encoded_certificate": "****** Base 64 Encoded Certificate ************",
"host_name": "gateway1.msitesting.net",
"type": azure_native.apimanagement.HostnameType.PROXY,
},
{
"certificate_password": "Password",
"encoded_certificate": "****** Base 64 Encoded Certificate ************",
"host_name": "mgmt.msitesting.net",
"type": azure_native.apimanagement.HostnameType.MANAGEMENT,
},
{
"certificate_password": "Password",
"encoded_certificate": "****** Base 64 Encoded Certificate ************",
"host_name": "portal1.msitesting.net",
"type": azure_native.apimanagement.HostnameType.PORTAL,
},
{
"certificate_password": "Password",
"encoded_certificate": "****** Base 64 Encoded Certificate ************",
"host_name": "configuration-api.msitesting.net",
"type": azure_native.apimanagement.HostnameType.CONFIGURATION_API,
},
],
location="West US",
publisher_email="apim@autorestsdk.com",
publisher_name="autorestsdk",
resource_group_name="rg1",
service_name="apimService1",
sku={
"capacity": 1,
"name": azure_native.apimanagement.SkuType.PREMIUM,
},
tags={
"tag1": "value1",
"tag2": "value2",
"tag3": "value3",
},
virtual_network_type=azure_native.apimanagement.VirtualNetworkType.NONE)
package main
import (
apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := apimanagement.NewApiManagementService(ctx, "apiManagementService", &apimanagement.ApiManagementServiceArgs{
AdditionalLocations: apimanagement.AdditionalLocationArray{
&apimanagement.AdditionalLocationArgs{
DisableGateway: pulumi.Bool(true),
Location: pulumi.String("East US"),
Sku: &apimanagement.ApiManagementServiceSkuPropertiesArgs{
Capacity: pulumi.Int(1),
Name: pulumi.String(apimanagement.SkuTypePremium),
},
},
},
ApiVersionConstraint: &apimanagement.ApiVersionConstraintArgs{
MinApiVersion: pulumi.String("2019-01-01"),
},
HostnameConfigurations: apimanagement.HostnameConfigurationArray{
&apimanagement.HostnameConfigurationArgs{
CertificatePassword: pulumi.String("Password"),
DefaultSslBinding: pulumi.Bool(true),
EncodedCertificate: pulumi.String("****** Base 64 Encoded Certificate ************"),
HostName: pulumi.String("gateway1.msitesting.net"),
Type: pulumi.String(apimanagement.HostnameTypeProxy),
},
&apimanagement.HostnameConfigurationArgs{
CertificatePassword: pulumi.String("Password"),
EncodedCertificate: pulumi.String("****** Base 64 Encoded Certificate ************"),
HostName: pulumi.String("mgmt.msitesting.net"),
Type: pulumi.String(apimanagement.HostnameTypeManagement),
},
&apimanagement.HostnameConfigurationArgs{
CertificatePassword: pulumi.String("Password"),
EncodedCertificate: pulumi.String("****** Base 64 Encoded Certificate ************"),
HostName: pulumi.String("portal1.msitesting.net"),
Type: pulumi.String(apimanagement.HostnameTypePortal),
},
&apimanagement.HostnameConfigurationArgs{
CertificatePassword: pulumi.String("Password"),
EncodedCertificate: pulumi.String("****** Base 64 Encoded Certificate ************"),
HostName: pulumi.String("configuration-api.msitesting.net"),
Type: pulumi.String(apimanagement.HostnameTypeConfigurationApi),
},
},
Location: pulumi.String("West US"),
PublisherEmail: pulumi.String("apim@autorestsdk.com"),
PublisherName: pulumi.String("autorestsdk"),
ResourceGroupName: pulumi.String("rg1"),
ServiceName: pulumi.String("apimService1"),
Sku: &apimanagement.ApiManagementServiceSkuPropertiesArgs{
Capacity: pulumi.Int(1),
Name: pulumi.String(apimanagement.SkuTypePremium),
},
Tags: pulumi.StringMap{
"tag1": pulumi.String("value1"),
"tag2": pulumi.String("value2"),
"tag3": pulumi.String("value3"),
},
VirtualNetworkType: pulumi.String(apimanagement.VirtualNetworkTypeNone),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var apiManagementService = new AzureNative.ApiManagement.ApiManagementService("apiManagementService", new()
{
AdditionalLocations = new[]
{
new AzureNative.ApiManagement.Inputs.AdditionalLocationArgs
{
DisableGateway = true,
Location = "East US",
Sku = new AzureNative.ApiManagement.Inputs.ApiManagementServiceSkuPropertiesArgs
{
Capacity = 1,
Name = AzureNative.ApiManagement.SkuType.Premium,
},
},
},
ApiVersionConstraint = new AzureNative.ApiManagement.Inputs.ApiVersionConstraintArgs
{
MinApiVersion = "2019-01-01",
},
HostnameConfigurations = new[]
{
new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
{
CertificatePassword = "Password",
DefaultSslBinding = true,
EncodedCertificate = "****** Base 64 Encoded Certificate ************",
HostName = "gateway1.msitesting.net",
Type = AzureNative.ApiManagement.HostnameType.Proxy,
},
new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
{
CertificatePassword = "Password",
EncodedCertificate = "****** Base 64 Encoded Certificate ************",
HostName = "mgmt.msitesting.net",
Type = AzureNative.ApiManagement.HostnameType.Management,
},
new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
{
CertificatePassword = "Password",
EncodedCertificate = "****** Base 64 Encoded Certificate ************",
HostName = "portal1.msitesting.net",
Type = AzureNative.ApiManagement.HostnameType.Portal,
},
new AzureNative.ApiManagement.Inputs.HostnameConfigurationArgs
{
CertificatePassword = "Password",
EncodedCertificate = "****** Base 64 Encoded Certificate ************",
HostName = "configuration-api.msitesting.net",
Type = AzureNative.ApiManagement.HostnameType.ConfigurationApi,
},
},
Location = "West US",
PublisherEmail = "apim@autorestsdk.com",
PublisherName = "autorestsdk",
ResourceGroupName = "rg1",
ServiceName = "apimService1",
Sku = new AzureNative.ApiManagement.Inputs.ApiManagementServiceSkuPropertiesArgs
{
Capacity = 1,
Name = AzureNative.ApiManagement.SkuType.Premium,
},
Tags =
{
{ "tag1", "value1" },
{ "tag2", "value2" },
{ "tag3", "value3" },
},
VirtualNetworkType = AzureNative.ApiManagement.VirtualNetworkType.None,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.ApiManagementService;
import com.pulumi.azurenative.apimanagement.ApiManagementServiceArgs;
import com.pulumi.azurenative.apimanagement.inputs.AdditionalLocationArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiManagementServiceSkuPropertiesArgs;
import com.pulumi.azurenative.apimanagement.inputs.ApiVersionConstraintArgs;
import com.pulumi.azurenative.apimanagement.inputs.HostnameConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var apiManagementService = new ApiManagementService("apiManagementService", ApiManagementServiceArgs.builder()
.additionalLocations(AdditionalLocationArgs.builder()
.disableGateway(true)
.location("East US")
.sku(ApiManagementServiceSkuPropertiesArgs.builder()
.capacity(1)
.name("Premium")
.build())
.build())
.apiVersionConstraint(ApiVersionConstraintArgs.builder()
.minApiVersion("2019-01-01")
.build())
.hostnameConfigurations(
HostnameConfigurationArgs.builder()
.certificatePassword("Password")
.defaultSslBinding(true)
.encodedCertificate("****** Base 64 Encoded Certificate ************")
.hostName("gateway1.msitesting.net")
.type("Proxy")
.build(),
HostnameConfigurationArgs.builder()
.certificatePassword("Password")
.encodedCertificate("****** Base 64 Encoded Certificate ************")
.hostName("mgmt.msitesting.net")
.type("Management")
.build(),
HostnameConfigurationArgs.builder()
.certificatePassword("Password")
.encodedCertificate("****** Base 64 Encoded Certificate ************")
.hostName("portal1.msitesting.net")
.type("Portal")
.build(),
HostnameConfigurationArgs.builder()
.certificatePassword("Password")
.encodedCertificate("****** Base 64 Encoded Certificate ************")
.hostName("configuration-api.msitesting.net")
.type("ConfigurationApi")
.build())
.location("West US")
.publisherEmail("apim@autorestsdk.com")
.publisherName("autorestsdk")
.resourceGroupName("rg1")
.serviceName("apimService1")
.sku(ApiManagementServiceSkuPropertiesArgs.builder()
.capacity(1)
.name("Premium")
.build())
.tags(Map.ofEntries(
Map.entry("tag1", "value1"),
Map.entry("tag2", "value2"),
Map.entry("tag3", "value3")
))
.virtualNetworkType("None")
.build());
}
}
resources:
apiManagementService:
type: azure-native:apimanagement:ApiManagementService
properties:
additionalLocations:
- disableGateway: true
location: East US
sku:
capacity: 1
name: Premium
apiVersionConstraint:
minApiVersion: 2019-01-01
hostnameConfigurations:
- certificatePassword: Password
defaultSslBinding: true
encodedCertificate: '****** Base 64 Encoded Certificate ************'
hostName: gateway1.msitesting.net
type: Proxy
- certificatePassword: Password
encodedCertificate: '****** Base 64 Encoded Certificate ************'
hostName: mgmt.msitesting.net
type: Management
- certificatePassword: Password
encodedCertificate: '****** Base 64 Encoded Certificate ************'
hostName: portal1.msitesting.net
type: Portal
- certificatePassword: Password
encodedCertificate: '****** Base 64 Encoded Certificate ************'
hostName: configuration-api.msitesting.net
type: ConfigurationApi
location: West US
publisherEmail: apim@autorestsdk.com
publisherName: autorestsdk
resourceGroupName: rg1
serviceName: apimService1
sku:
capacity: 1
name: Premium
tags:
tag1: value1
tag2: value2
tag3: value3
virtualNetworkType: None
The additionalLocations property adds gateway capacity in other regions beyond the primary location. Each additional location specifies its own sku capacity and can set disableGateway to control traffic routing. The hostnameConfigurations property defines custom domains for all endpoints across all regions. Traffic is automatically distributed based on client proximity.
Beyond these examples
These snippets focus on specific service-level features: service provisioning and SKU selection, managed identity and Key Vault integration, custom hostname configuration, and virtual network and multi-region deployment. They’re intentionally minimal rather than full API management solutions.
The examples may reference pre-existing infrastructure such as Azure resource groups and subscriptions, Key Vault instances with certificate secrets, virtual networks, subnets, and public IP addresses, and user-assigned managed identities for Key Vault scenarios. They focus on configuring the service instance rather than provisioning everything around it.
To keep things focused, common API Management patterns are omitted, including:
- API definitions and backend service configuration
- Policy definitions and transformation rules
- Developer portal customization and content
- Monitoring, diagnostics, and Application Insights integration
- Certificate rotation and renewal workflows
- Backup and disaster recovery configuration
These omissions are intentional: the goal is to illustrate how each service feature is wired, not provide drop-in API management modules. See the API Management Service resource reference for all available configuration options.
Let's deploy Azure API Management Services
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
SKU & Capacity
What are the available SKU tiers and their use cases?
API Management offers six SKU tiers: Developer (dev/test), Basic (small production), Standard (medium production), Premium (enterprise with multi-region and VNet), Consumption (serverless), and StandardV2 (new generation standard tier). Premium SKU is required for multi-region deployment and VNet integration.
How do I deploy API Management with availability zones?
Specify availability zones using the
zones property (e.g., ["1", "2"]). This requires Premium SKU with capacity of 2 or more. Zones provide high availability within a region.What's the Consumption SKU and how is it different?
Consumption SKU is serverless with capacity 0 and pay-per-execution pricing. It requires
enableClientCertificate: true to authenticate certificates in gateway policies. It doesn’t support VNet integration or multi-region deployment.Networking & VNet Integration
What are the VNet integration options?
Three options via
virtualNetworkType: None (default, no VNet), External (VNet with internet-facing endpoint), or Internal (VNet with intranet-facing endpoint only). VNet integration requires Premium SKU and virtualNetworkConfiguration with subnet details.How do I deploy API Management in a VNet with a public IP?
Set
virtualNetworkType to External, configure virtualNetworkConfiguration with subnetResourceId, and specify publicIpAddressId pointing to a Standard SKU public IP address. This is supported for Premium SKU only.How do I restrict access to private endpoints only?
Set
publicNetworkAccess to ‘Disabled’. This makes private endpoints the exclusive access method. The default value is ‘Enabled’.How do I enable NAT Gateway for outbound connectivity?
Set
natGatewayState to ‘Enabled’. This is available for Premium SKU and provides dedicated outbound IP addresses for backend connections.Identity & Authentication
What's the difference between SystemAssigned and UserAssigned managed identity?
SystemAssigned identity is automatically created and tied to the service lifecycle. UserAssigned identity is a standalone Azure resource you create separately and can be shared across services. UserAssigned identity is required for Key Vault certificate integration.
How do I enforce client certificate authentication?
Set
enableClientCertificate: true. This is specifically for Consumption SKU and enforces client certificate presentation on each gateway request, enabling certificate authentication in policies.Custom Hostnames & Certificates
How do I configure custom hostnames with certificates?
Use
hostnameConfigurations to specify custom hostnames. Four types are available: Proxy (gateway), Management (management API), Portal (developer portal), and ConfigurationApi (legacy configuration API). Each requires a certificate via encodedCertificate or Key Vault reference.How do I use Key Vault certificates for custom hostnames?
Configure a UserAssigned managed identity, grant it Key Vault access, then set
keyVaultId (certificate URL) and identityClientId in each hostname configuration instead of encodedCertificate.What's the limit on system certificates?
You can install a maximum of 10 certificates using the
certificates property. These are system certificates stored in the CertificateAuthority or Root store.Multi-Region Deployment
How do I deploy API Management across multiple regions?
Use
additionalLocations to specify additional datacenters with their own SKU capacity. This requires Premium SKU. You can disable the gateway in specific regions using disableGateway: true in the location configuration.Service Management
How do I restore a soft-deleted API Management service?
Set
restore: true when creating the service. When this flag is specified, all other properties are ignored and the service is undeleted from its soft-deleted state.How do I disable the legacy configuration API?
Set
configurationApi.legacyApi to ‘Disabled’. This removes the legacy configuration API endpoint while keeping the modern management API.How do I configure TLS versions and ciphers?
Use
customProperties to control TLS protocols and ciphers. For example, set Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 to false to disable TLS 1.0. You can also disable specific ciphers like TLS_RSA_WITH_AES_128_CBC_SHA256. Note that some ciphers required by internal components cannot be disabled.What properties are immutable after creation?
Three properties cannot be changed after creation:
location, resourceGroupName, and serviceName. To change these, you must delete and recreate the service.Using a different cloud?
Explore integration guides for other cloud providers: