Azure Policy built-in policy definitions for Azure API Management
This page is an index of Azure Policy built-in policy definitions for Azure API Management. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions. For API Management policy samples, see API Management - Policy index.
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
Azure API Management
|Name|Description|Effect(s)|Version|
|---|---|---|---|
|API Management APIs should use encrypted protocols only|APIs should use encrypted protocols only. APIs should not use unencrypted protocols such as HTTP or WebSocket (ws).|Audit, Disabled, Deny|2.0.1|
|API Management calls to API backends should be authenticated|Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.|Audit, Disabled, Deny|1.0.1|
|API Management calls to API backends should not bypass certificate thumbprint or name validation|Calls from API Management to API backends should validate the certificate thumbprint and certificate name.|Audit, Disabled, Deny|1.0.1|
|API Management direct API Management endpoint should not be enabled|Azure API Management provides a direct management REST API, which can bypass certain limits of the Azure Resource Manager based API, and should not be enabled by default.|Audit, Disabled, Deny|1.0.1|
|API Management minimum API version should be set to 2019-12-01 or higher|To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher.|Audit, Deny, Disabled|1.0.1|
|API Management Named Values secrets should be stored in Azure KeyVault|Secrets referenced in Named Values should store their values in Azure Key Vault instead of within the Named Values store.|Audit, Disabled, Deny|1.0.1|
|API Management service should use a SKU that supports virtual networks|With supported SKUs of API Management, deploying the service into a virtual network unlocks advanced API Management networking and security features, which gives you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet.|Audit, Deny, Disabled|1.0.0|
|API Management services should disable public network access|To improve the security of API Management services, ensure that endpoints aren't exposed to the public internet. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to the Management API, managing configuration using Git, and self-hosted gateway configuration. If any of those features are not used, the corresponding endpoints should be disabled.|AuditIfNotExists, Disabled|1.0.0|
|API Management services should use a virtual network|Azure Virtual Network deployment provides enhanced security and isolation, and allows you to place your API Management service in a non-internet-routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network.|Audit, Disabled|1.0.1|
|API Management subscriptions should not be scoped at the All API scope.|API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could expose all APIs in the API Management instance.|Audit, Disabled, Deny|1.0.0|
|Configure API Management services to disable public network access|To improve the security of API Management services, disable public endpoints. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to the Management API, managing configuration using Git, and self-hosted gateway configuration. If any of those features are not used, the corresponding endpoints should be disabled.|DeployIfNotExists, Disabled|1.0.0|
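The effects column above says what happens when a resource fails a rule: Audit only records a non-compliance finding, while Deny blocks the create or update request. The following is an added example (not Microsoft's policy engine and not the published definition JSON) that mimics that evaluation offline for three of the built-ins listed above. The rule bodies are hand-written approximations of those built-ins, written against the ARM property names of `Microsoft.ApiManagement` resources (`properties.protocols` on an API, `properties.apiVersionConstraint.minApiVersion` on the service, `properties.secret` and `properties.keyVault.secretIdentifier` on a named value); the sample resources are constructed for the example and the assigned effects are chosen from each built-in's allowed set.

```python
"""Toy evaluator that mirrors what an Azure Policy assignment does to API
Management resources: walk the resources, test each applicable rule, and
report the effect (Audit / Deny) that would apply to each failure.

Added example for this page, not Microsoft's policy engine and not the
published definition JSON. The three rules are hand-written approximations
of the built-ins listed above; the sample resources are constructed."""

from dataclasses import dataclass
from typing import Callable


@dataclass
class Policy:
    display_name: str
    resource_type: str                 # ARM type the rule is evaluated against
    effect: str                        # one of the effects the built-in allows
    compliant: Callable[[dict], bool]  # True when the resource satisfies the rule


# Rule 1: "APIs should use encrypted protocols only" (approximation).
# properties.protocols lists the schemes clients may use; http and ws are unencrypted.
def only_encrypted_protocols(api: dict) -> bool:
    used = {p.lower() for p in api["properties"].get("protocols", [])}
    return not ({"http", "ws"} & used)


# Rule 2: "minimum API version should be set to 2019-12-01 or higher" (approximation).
# The constraint lives on the service at properties.apiVersionConstraint.minApiVersion.
def min_api_version_ok(service: dict) -> bool:
    v = (service["properties"].get("apiVersionConstraint") or {}).get("minApiVersion")
    return v is not None and v >= "2019-12-01"  # ISO dates compare correctly as strings


# Rule 3: "Named Values secrets should be stored in Azure KeyVault" (approximation).
# A named value flagged secret=true passes only if it references a Key Vault secret.
def secret_named_value_in_keyvault(nv: dict) -> bool:
    props = nv["properties"]
    if not props.get("secret", False):
        return True  # non-secret named values are out of scope for this rule
    return bool((props.get("keyVault") or {}).get("secretIdentifier"))


POLICIES = [
    Policy("API Management APIs should use encrypted protocols only",
           "Microsoft.ApiManagement/service/apis", "Deny", only_encrypted_protocols),
    Policy("API Management minimum API version should be set to 2019-12-01 or higher",
           "Microsoft.ApiManagement/service", "Audit", min_api_version_ok),
    Policy("API Management Named Values secrets should be stored in Azure KeyVault",
           "Microsoft.ApiManagement/service/namedValues", "Deny", secret_named_value_in_keyvault),
]


def evaluate(resources: list[dict], policies: list[Policy] = POLICIES) -> list[dict]:
    """Return one finding per (resource, applicable policy) pair."""
    findings = []
    for r in resources:
        for p in policies:
            if r["type"].lower() != p.resource_type.lower():
                continue  # the rule does not target this resource type
            ok = p.compliant(r)
            findings.append({"resource": r["name"], "policy": p.display_name,
                             "compliant": ok, "effect": "none" if ok else p.effect})
    return findings


# Constructed sample resources: one weakly configured instance, one hardened.
SAMPLE_RESOURCES = [
    {"type": "Microsoft.ApiManagement/service", "name": "apim-weak",
     "properties": {"apiVersionConstraint": {"minApiVersion": None}}},
    {"type": "Microsoft.ApiManagement/service", "name": "apim-hardened",
     "properties": {"apiVersionConstraint": {"minApiVersion": "2019-12-01"}}},
    {"type": "Microsoft.ApiManagement/service/apis", "name": "apim-weak/orders",
     "properties": {"protocols": ["http", "https"]}},
    {"type": "Microsoft.ApiManagement/service/apis", "name": "apim-hardened/orders",
     "properties": {"protocols": ["https", "wss"]}},
    {"type": "Microsoft.ApiManagement/service/namedValues", "name": "apim-weak/backend-key",
     "properties": {"secret": True, "value": "plaintext-stored-in-apim"}},
    {"type": "Microsoft.ApiManagement/service/namedValues", "name": "apim-hardened/backend-key",
     "properties": {"secret": True,
                    "keyVault": {"secretIdentifier": "https://kv.vault.azure.net/secrets/backend-key"}}},
]


def noncompliant(resources: list[dict] = SAMPLE_RESOURCES) -> list[tuple[str, str]]:
    """(resource name, effect) for every failed check; Deny would block the deployment."""
    return [(f["resource"], f["effect"]) for f in evaluate(resources) if not f["compliant"]]


if __name__ == "__main__":
    for res, eff in noncompliant():
        print(f"{eff:<5} {res}")
```

Running the block lists only the `apim-weak` resources: the missing minimum API version is reported under Audit, while the HTTP-enabled API and the plaintext secret would be rejected under Deny. The real built-ins evaluate the same properties inside Azure Resource Manager at request time, so a Deny assignment stops the non-compliant state from ever being written rather than reporting it afterwards.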