Microsoft.ApiManagement service

Bicep resource definition

The service resource type can be deployed to:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ApiManagement/service resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.ApiManagement/service@2021-12-01-preview' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    capacity: int
    name: 'string'
  }
  identity: {
    type: 'string'
    userAssignedIdentities: {}
  }
  properties: {
    additionalLocations: [
      {
        disableGateway: bool
        location: 'string'
        publicIpAddressId: 'string'
        sku: {
          capacity: int
          name: 'string'
        }
        virtualNetworkConfiguration: {
          subnetResourceId: 'string'
        }
        zones: [
          'string'
        ]
      }
    ]
    apiVersionConstraint: {
      minApiVersion: 'string'
    }
    certificates: [
      {
        certificate: {
          expiry: 'string'
          subject: 'string'
          thumbprint: 'string'
        }
        certificatePassword: 'string'
        encodedCertificate: 'string'
        storeName: 'string'
      }
    ]
    customProperties: {}
    disableGateway: bool
    enableClientCertificate: bool
    hostnameConfigurations: [
      {
        certificate: {
          expiry: 'string'
          subject: 'string'
          thumbprint: 'string'
        }
        certificatePassword: 'string'
        certificateSource: 'string'
        certificateStatus: 'string'
        defaultSslBinding: bool
        encodedCertificate: 'string'
        hostName: 'string'
        identityClientId: 'string'
        keyVaultId: 'string'
        negotiateClientCertificate: bool
        type: 'string'
      }
    ]
    notificationSenderEmail: 'string'
    privateEndpointConnections: [
      {
        id: 'string'
        name: 'string'
        properties: {
          privateEndpoint: {}
          privateLinkServiceConnectionState: {
            actionsRequired: 'string'
            description: 'string'
            status: 'string'
          }
        }
        type: 'string'
      }
    ]
    publicIpAddressId: 'string'
    publicNetworkAccess: 'string'
    publisherEmail: 'string'
    publisherName: 'string'
    restore: bool
    virtualNetworkConfiguration: {
      subnetResourceId: 'string'
    }
    virtualNetworkType: 'string'
  }
  zones: [
    'string'
  ]
}

Property values

service

Name Description Value
name The resource name string (required)

Character limit: 1-50

Valid characters:
Alphanumerics and hyphens.

Start with letter and end with alphanumeric.

Resource name must be unique across Azure.
location Resource location. string (required)
tags Resource tags. Dictionary of tag names and values. See Tags in templates
sku SKU properties of the API Management service. ApiManagementServiceSkuProperties (required)
identity Managed service identity of the Api Management service. ApiManagementServiceIdentity
properties Properties of the API Management service. ApiManagementServiceProperties (required)
zones A list of availability zones denoting where the resource needs to come from. string[]

ApiManagementServiceIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the service. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned' (required)
userAssignedIdentities The list of user identities associated with the resource. The user identity
dictionary key references will be ARM resource ids in the form:
'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/
providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
object

ApiManagementServiceProperties

Name Description Value
additionalLocations Additional datacenter locations of the API Management service. AdditionalLocation[]
apiVersionConstraint Control Plane Apis version constraint for the API Management service. ApiVersionConstraint
certificates List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. CertificateConfiguration[]
customProperties Custom properties of the API Management service.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168 will disable the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA for all TLS(1.0, 1.1 and 1.2).
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11 can be used to disable just TLS 1.1.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 can be used to disable TLS 1.0 on an API Management service.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11 can be used to disable just TLS 1.1 for communications with backends.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10 can be used to disable TLS 1.0 for communications with backends.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2 can be used to enable HTTP2 protocol on an API Management service.
Not specifying any of these properties on PATCH operation will reset omitted properties' values to their defaults. For all the settings except Http2 the default value is True if the service was created on or before April 1st 2018 and False otherwise. Http2 setting's default value is False.

You can disable any of next ciphers by using settings Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.[cipher_name]: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA. For example, Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256:false. The default value is true for them. Note: next ciphers can't be disabled since they are required by Azure CloudService internal components: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384
object
disableGateway Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in master region. bool
enableClientCertificate Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. bool
hostnameConfigurations Custom hostname configuration of the API Management service. HostnameConfiguration[]
notificationSenderEmail Email address from which the notification will be sent. string
privateEndpointConnections List of Private Endpoint Connections of this service. RemotePrivateEndpointConnectionWrapper[]
publicIpAddressId Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the region. Supported only for Developer and Premium SKU being deployed in Virtual Network. string
publicNetworkAccess Whether or not public endpoint access is allowed for this API Management service. Value is optional but if passed in, must be 'Enabled' or 'Disabled'. If 'Disabled', private endpoints are the exclusive access method. Default value is 'Enabled' 'Disabled'
'Enabled'
publisherEmail Publisher email. string (required)
publisherName Publisher name. string (required)
restore Undelete Api Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. bool
virtualNetworkConfiguration Virtual network configuration of the API Management service. VirtualNetworkConfiguration
virtualNetworkType The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. 'External'
'Internal'
'None'

AdditionalLocation

Name Description Value
disableGateway Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in this additional location. bool
location The location name of the additional region among Azure Data center regions. string (required)
publicIpAddressId Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the location. Supported only for Premium SKU being deployed in Virtual Network. string
sku SKU properties of the API Management service. ApiManagementServiceSkuProperties (required)
virtualNetworkConfiguration Virtual network configuration for the location. VirtualNetworkConfiguration
zones A list of availability zones denoting where the resource needs to come from. string[]

ApiManagementServiceSkuProperties

Name Description Value
capacity Capacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0. int (required)
name Name of the Sku. 'Basic'
'Consumption'
'Developer'
'Isolated'
'Premium'
'Standard' (required)

VirtualNetworkConfiguration

Name Description Value
subnetResourceId The full resource ID of a subnet in a virtual network to deploy the API Management service in. string

ApiVersionConstraint

Name Description Value
minApiVersion Limit control plane API calls to API Management service with version equal to or newer than this value. string

CertificateConfiguration

Name Description Value
certificate Certificate information. CertificateInformation
certificatePassword Certificate Password. string
encodedCertificate Base64 Encoded certificate. string
storeName The System.Security.Cryptography.x509certificates.StoreName certificate store location. Only Root and CertificateAuthority are valid locations. 'CertificateAuthority'
'Root' (required)

CertificateInformation

Name Description Value
expiry Expiration date of the certificate. The date conforms to the following format: yyyy-MM-ddTHH:mm:ssZ as specified by the ISO 8601 standard. string (required)
subject Subject of the certificate. string (required)
thumbprint Thumbprint of the certificate. string (required)

HostnameConfiguration

Name Description Value
certificate Certificate information. CertificateInformation
certificatePassword Certificate Password. string
certificateSource Certificate Source. 'BuiltIn'
'Custom'
'KeyVault'
'Managed'
certificateStatus Certificate Status. 'Completed'
'Failed'
'InProgress'
defaultSslBinding Specify true to setup the certificate associated with this Hostname as the Default SSL Certificate. If a client does not send the SNI header, then this will be the certificate that will be challenged. The property is useful if a service has multiple custom hostname enabled and it needs to decide on the default ssl certificate. The setting only applied to Proxy Hostname Type. bool
encodedCertificate Base64 Encoded certificate. string
hostName Hostname to configure on the Api Management service. string (required)
identityClientId System or User Assigned Managed identity clientId as generated by Azure AD, which has GET access to the keyVault containing the SSL certificate. string
keyVaultId Url to the KeyVault Secret containing the Ssl Certificate. If absolute Url containing version is provided, auto-update of ssl certificate will not work. This requires Api Management service to be configured with aka.ms/apimmsi. The secret should be of type application/x-pkcs12 string
negotiateClientCertificate Specify true to always negotiate client certificate on the hostname. Default Value is false. bool
type Hostname type. 'DeveloperPortal'
'Management'
'Portal'
'Proxy'
'Scm' (required)

RemotePrivateEndpointConnectionWrapper

Name Description Value
id Private Endpoint connection resource id string
name Private Endpoint Connection Name string
properties Resource properties. PrivateEndpointConnectionWrapperProperties
type Private Endpoint Connection Resource Type string

PrivateEndpointConnectionWrapperProperties

Name Description Value
privateEndpoint The resource of private end point. ArmIdWrapper
privateLinkServiceConnectionState A collection of information about the state of the connection between service consumer and provider. PrivateLinkServiceConnectionState (required)

ArmIdWrapper

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

PrivateLinkServiceConnectionState

Name Description Value
actionsRequired A message indicating if changes on the service provider require any updates on the consumer. string
description The reason for approval/rejection of the connection. string
status Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. 'Approved'
'Pending'
'Rejected'

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create an API Management instance and all sub resources using template

Deploy to Azure
This template demonstrates how to create a API Management service and configure sub-entities
Create an API Management instance in an external VNet

Deploy to Azure
This template demonstrates how to create an instance of Azure API Management within your VNet's subnet in external mode. This template is deprecated.
Deploy API Management in external VNet with public IP

Deploy to Azure
This template demonstrates how to create an instance of Azure API Management in the Premium tier within your virtual network's subnet in external mode and configure recommended NSG rules on the subnet. The instance is deployed to two availability zones. The template also configures a public IP address from your subscription.
Create an API Management instance with custom hostnames

Deploy to Azure
This template demonstrates how to create a instance of Azure API Management with custom hostname for portal and multiple custom hostnames for proxy
Create an API Management instance in internal VNet

Deploy to Azure
This template demonstrates how to create an instance of Azure API Management within your VNet's subnet in internal mode and configure NSG on the subnet with recommended settings. This template is deprecated.
Create API Management in Internal VNet with App Gateway

Deploy to Azure
This template demonstrates how to Create a instance of Azure API Management on a private network protected by Azure Application Gateway.
Deploy API Management in internal VNet with public IP

Deploy to Azure
This template demonstrates how to create an instance of Azure API Management in the Premium tier within your virtual network's subnet in internal mode and configure recommended NSG rules on the subnet. The instance is deployed to two availability zones. The template also configures a public IP address from your subscription.
Create an API Management instance having MSI Identity

Deploy to Azure
This template creates a developer instance of Azure API Management having an MSI Identity
Create a multiregion Premium tier API Management instance

Deploy to Azure
This template demonstrates how to create an API Management instance with additional locations. The primary location is the same as location of the resource group. For additional locations, the template shows NorthCentralUs and East US2. The primary location should be different from additional locations.
Create API Management with custom proxy ssl using KeyVault

Deploy to Azure
This template demonstrates how to Create a instance of Azure API Management and configure custom hostname for proxy with ssl certificate from keyvault.
Create an API Management service with SSL from KeyVault

Deploy to Azure
This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours.
Create and monitor API Management instance

Deploy to Azure
This template creates an instance of Azure API Management service and Log Analytics workspace and sets up monitoring for your API Management service with Log Analytics
Create an API Management service with a private endpoint

Deploy to Azure
This template will create an API Management service, a virtual network and a private endpoint exposing the API Management service to the virtual network.
Deploy API Management into Availability Zones

Deploy to Azure
This template creates a premium instance of Azure API Management and deploys into an Availability Zone
Create an API Management instance using a template

Deploy to Azure
This template creates a developer instance of Azure API Management
Front Door Standard/Premium with API Management origin

Deploy to Azure
This template creates a Front Door Premium and an API Management instance, and uses an NSG and global API Management policy to validate that traffic has come through the Front Door origin.
Create Azure Front Door in front of Azure API Management

Deploy to Azure
This sample demonstrates how to use Azure Front Door as a global load balancer in front of Azure API Management.
Application Gateway with internal API Management and Web App

Deploy to Azure
Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App.

ARM template resource definition

The service resource type can be deployed to:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ApiManagement/service resource, add the following JSON to your template.

{
  "type": "Microsoft.ApiManagement/service",
  "apiVersion": "2021-12-01-preview",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "sku": {
    "capacity": "int",
    "name": "string"
  },
  "identity": {
    "type": "string",
    "userAssignedIdentities": {}
  },
  "properties": {
    "additionalLocations": [
      {
        "disableGateway": "bool",
        "location": "string",
        "publicIpAddressId": "string",
        "sku": {
          "capacity": "int",
          "name": "string"
        },
        "virtualNetworkConfiguration": {
          "subnetResourceId": "string"
        },
        "zones": [ "string" ]
      }
    ],
    "apiVersionConstraint": {
      "minApiVersion": "string"
    },
    "certificates": [
      {
        "certificate": {
          "expiry": "string",
          "subject": "string",
          "thumbprint": "string"
        },
        "certificatePassword": "string",
        "encodedCertificate": "string",
        "storeName": "string"
      }
    ],
    "customProperties": {},
    "disableGateway": "bool",
    "enableClientCertificate": "bool",
    "hostnameConfigurations": [
      {
        "certificate": {
          "expiry": "string",
          "subject": "string",
          "thumbprint": "string"
        },
        "certificatePassword": "string",
        "certificateSource": "string",
        "certificateStatus": "string",
        "defaultSslBinding": "bool",
        "encodedCertificate": "string",
        "hostName": "string",
        "identityClientId": "string",
        "keyVaultId": "string",
        "negotiateClientCertificate": "bool",
        "type": "string"
      }
    ],
    "notificationSenderEmail": "string",
    "privateEndpointConnections": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "privateEndpoint": {},
          "privateLinkServiceConnectionState": {
            "actionsRequired": "string",
            "description": "string",
            "status": "string"
          }
        },
        "type": "string"
      }
    ],
    "publicIpAddressId": "string",
    "publicNetworkAccess": "string",
    "publisherEmail": "string",
    "publisherName": "string",
    "restore": "bool",
    "virtualNetworkConfiguration": {
      "subnetResourceId": "string"
    },
    "virtualNetworkType": "string"
  },
  "zones": [ "string" ]
}

Property values

service

Name Description Value
type The resource type 'Microsoft.ApiManagement/service'
apiVersion The resource api version '2021-12-01-preview'
name The resource name string (required)

Character limit: 1-50

Valid characters:
Alphanumerics and hyphens.

Start with letter and end with alphanumeric.

Resource name must be unique across Azure.
location Resource location. string (required)
tags Resource tags. Dictionary of tag names and values. See Tags in templates
sku SKU properties of the API Management service. ApiManagementServiceSkuProperties (required)
identity Managed service identity of the Api Management service. ApiManagementServiceIdentity
properties Properties of the API Management service. ApiManagementServiceProperties (required)
zones A list of availability zones denoting where the resource needs to come from. string[]

ApiManagementServiceIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the service. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned' (required)
userAssignedIdentities The list of user identities associated with the resource. The user identity
dictionary key references will be ARM resource ids in the form:
'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/
providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
object

ApiManagementServiceProperties

Name Description Value
additionalLocations Additional datacenter locations of the API Management service. AdditionalLocation[]
apiVersionConstraint Control Plane Apis version constraint for the API Management service. ApiVersionConstraint
certificates List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. CertificateConfiguration[]
customProperties Custom properties of the API Management service.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168 will disable the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA for all TLS(1.0, 1.1 and 1.2).
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11 can be used to disable just TLS 1.1.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 can be used to disable TLS 1.0 on an API Management service.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11 can be used to disable just TLS 1.1 for communications with backends.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10 can be used to disable TLS 1.0 for communications with backends.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2 can be used to enable HTTP2 protocol on an API Management service.
Not specifying any of these properties on PATCH operation will reset omitted properties' values to their defaults. For all the settings except Http2 the default value is True if the service was created on or before April 1st 2018 and False otherwise. Http2 setting's default value is False.

You can disable any of next ciphers by using settings Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.[cipher_name]: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA. For example, Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256:false. The default value is true for them. Note: next ciphers can't be disabled since they are required by Azure CloudService internal components: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384
object
disableGateway Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in master region. bool
enableClientCertificate Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. bool
hostnameConfigurations Custom hostname configuration of the API Management service. HostnameConfiguration[]
notificationSenderEmail Email address from which the notification will be sent. string
privateEndpointConnections List of Private Endpoint Connections of this service. RemotePrivateEndpointConnectionWrapper[]
publicIpAddressId Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the region. Supported only for Developer and Premium SKU being deployed in Virtual Network. string
publicNetworkAccess Whether or not public endpoint access is allowed for this API Management service. Value is optional but if passed in, must be 'Enabled' or 'Disabled'. If 'Disabled', private endpoints are the exclusive access method. Default value is 'Enabled' 'Disabled'
'Enabled'
publisherEmail Publisher email. string (required)
publisherName Publisher name. string (required)
restore Undelete Api Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. bool
virtualNetworkConfiguration Virtual network configuration of the API Management service. VirtualNetworkConfiguration
virtualNetworkType The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. 'External'
'Internal'
'None'

AdditionalLocation

Name Description Value
disableGateway Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in this additional location. bool
location The location name of the additional region among Azure Data center regions. string (required)
publicIpAddressId Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the location. Supported only for Premium SKU being deployed in Virtual Network. string
sku SKU properties of the API Management service. ApiManagementServiceSkuProperties (required)
virtualNetworkConfiguration Virtual network configuration for the location. VirtualNetworkConfiguration
zones A list of availability zones denoting where the resource needs to come from. string[]

ApiManagementServiceSkuProperties

Name Description Value
capacity Capacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0. int (required)
name Name of the Sku. 'Basic'
'Consumption'
'Developer'
'Isolated'
'Premium'
'Standard' (required)

VirtualNetworkConfiguration

Name Description Value
subnetResourceId The full resource ID of a subnet in a virtual network to deploy the API Management service in. string

ApiVersionConstraint

Name Description Value
minApiVersion Limit control plane API calls to API Management service with version equal to or newer than this value. string

CertificateConfiguration

Name Description Value
certificate Certificate information. CertificateInformation
certificatePassword Certificate Password. string
encodedCertificate Base64 Encoded certificate. string
storeName The System.Security.Cryptography.x509certificates.StoreName certificate store location. Only Root and CertificateAuthority are valid locations. 'CertificateAuthority'
'Root' (required)

CertificateInformation

Name Description Value
expiry Expiration date of the certificate. The date conforms to the following format: yyyy-MM-ddTHH:mm:ssZ as specified by the ISO 8601 standard. string (required)
subject Subject of the certificate. string (required)
thumbprint Thumbprint of the certificate. string (required)

HostnameConfiguration

Name Description Value
certificate Certificate information. CertificateInformation
certificatePassword Certificate Password. string
certificateSource Certificate Source. 'BuiltIn'
'Custom'
'KeyVault'
'Managed'
certificateStatus Certificate Status. 'Completed'
'Failed'
'InProgress'
defaultSslBinding Specify true to setup the certificate associated with this Hostname as the Default SSL Certificate. If a client does not send the SNI header, then this will be the certificate that will be challenged. The property is useful if a service has multiple custom hostname enabled and it needs to decide on the default ssl certificate. The setting only applied to Proxy Hostname Type. bool
encodedCertificate Base64 Encoded certificate. string
hostName Hostname to configure on the Api Management service. string (required)
identityClientId System or User Assigned Managed identity clientId as generated by Azure AD, which has GET access to the keyVault containing the SSL certificate. string
keyVaultId Url to the KeyVault Secret containing the Ssl Certificate. If absolute Url containing version is provided, auto-update of ssl certificate will not work. This requires Api Management service to be configured with aka.ms/apimmsi. The secret should be of type application/x-pkcs12 string
negotiateClientCertificate Specify true to always negotiate client certificate on the hostname. Default Value is false. bool
type Hostname type. 'DeveloperPortal'
'Management'
'Portal'
'Proxy'
'Scm' (required)

RemotePrivateEndpointConnectionWrapper

Name Description Value
id Private Endpoint connection resource id string
name Private Endpoint Connection Name string
properties Resource properties. PrivateEndpointConnectionWrapperProperties
type Private Endpoint Connection Resource Type string

PrivateEndpointConnectionWrapperProperties

Name Description Value
privateEndpoint The resource of private end point. ArmIdWrapper
privateLinkServiceConnectionState A collection of information about the state of the connection between service consumer and provider. PrivateLinkServiceConnectionState (required)

ArmIdWrapper

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

PrivateLinkServiceConnectionState

Name Description Value
actionsRequired A message indicating if changes on the service provider require any updates on the consumer. string
description The reason for approval/rejection of the connection. string
status Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. 'Approved'
'Pending'
'Rejected'

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create an API Management instance and all sub resources using template

Deploy to Azure
This template demonstrates how to create a API Management service and configure sub-entities
Create an API Management instance in an external VNet

Deploy to Azure
This template demonstrates how to create an instance of Azure API Management within your VNet's subnet in external mode. This template is deprecated.
Deploy API Management in external VNet with public IP

Deploy to Azure
This template demonstrates how to create an instance of Azure API Management in the Premium tier within your virtual network's subnet in external mode and configure recommended NSG rules on the subnet. The instance is deployed to two availability zones. The template also configures a public IP address from your subscription.
Create an API Management instance with custom hostnames

Deploy to Azure
This template demonstrates how to create a instance of Azure API Management with custom hostname for portal and multiple custom hostnames for proxy
Create an API Management instance in internal VNet

Deploy to Azure
This template demonstrates how to create an instance of Azure API Management within your VNet's subnet in internal mode and configure NSG on the subnet with recommended settings. This template is deprecated.
Create API Management in Internal VNet with App Gateway

Deploy to Azure
This template demonstrates how to Create a instance of Azure API Management on a private network protected by Azure Application Gateway.
Deploy API Management in internal VNet with public IP

Deploy to Azure
This template demonstrates how to create an instance of Azure API Management in the Premium tier within your virtual network's subnet in internal mode and configure recommended NSG rules on the subnet. The instance is deployed to two availability zones. The template also configures a public IP address from your subscription.
Create an API Management instance having MSI Identity

Deploy to Azure
This template creates a developer instance of Azure API Management having an MSI Identity
Create a multiregion Premium tier API Management instance

Deploy to Azure
This template demonstrates how to create an API Management instance with additional locations. The primary location is the same as location of the resource group. For additional locations, the template shows NorthCentralUs and East US2. The primary location should be different from additional locations.
Create API Management with custom proxy ssl using KeyVault

Deploy to Azure
This template demonstrates how to Create a instance of Azure API Management and configure custom hostname for proxy with ssl certificate from keyvault.
Create an API Management service with SSL from KeyVault

Deploy to Azure
This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours.
Create and monitor API Management instance

Deploy to Azure
This template creates an instance of Azure API Management service and Log Analytics workspace and sets up monitoring for your API Management service with Log Analytics
Create an API Management service with a private endpoint

Deploy to Azure
This template will create an API Management service, a virtual network and a private endpoint exposing the API Management service to the virtual network.
Deploy API Management into Availability Zones

Deploy to Azure
This template creates a premium instance of Azure API Management and deploys into an Availability Zone
Create an API Management instance using a template

Deploy to Azure
This template creates a developer instance of Azure API Management
Front Door Standard/Premium with API Management origin

Deploy to Azure
This template creates a Front Door Premium and an API Management instance, and uses an NSG and global API Management policy to validate that traffic has come through the Front Door origin.
Create Azure Front Door in front of Azure API Management

Deploy to Azure
This sample demonstrates how to use Azure Front Door as a global load balancer in front of Azure API Management.
Application Gateway with internal API Management and Web App

Deploy to Azure
Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App.

Terraform (AzAPI provider) resource definition

The service resource type can be deployed to:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ApiManagement/service resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.ApiManagement/service@2021-12-01-preview"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  identity {
    type = "string"
    identity_ids = []
  }
  body = jsonencode({
    properties = {
      additionalLocations = [
        {
          disableGateway = bool
          location = "string"
          publicIpAddressId = "string"
          sku = {
            capacity = int
            name = "string"
          }
          virtualNetworkConfiguration = {
            subnetResourceId = "string"
          }
          zones = [
            "string"
          ]
        }
      ]
      apiVersionConstraint = {
        minApiVersion = "string"
      }
      certificates = [
        {
          certificate = {
            expiry = "string"
            subject = "string"
            thumbprint = "string"
          }
          certificatePassword = "string"
          encodedCertificate = "string"
          storeName = "string"
        }
      ]
      customProperties = {}
      disableGateway = bool
      enableClientCertificate = bool
      hostnameConfigurations = [
        {
          certificate = {
            expiry = "string"
            subject = "string"
            thumbprint = "string"
          }
          certificatePassword = "string"
          certificateSource = "string"
          certificateStatus = "string"
          defaultSslBinding = bool
          encodedCertificate = "string"
          hostName = "string"
          identityClientId = "string"
          keyVaultId = "string"
          negotiateClientCertificate = bool
          type = "string"
        }
      ]
      notificationSenderEmail = "string"
      privateEndpointConnections = [
        {
          id = "string"
          name = "string"
          properties = {
            privateEndpoint = {}
            privateLinkServiceConnectionState = {
              actionsRequired = "string"
              description = "string"
              status = "string"
            }
          }
          type = "string"
        }
      ]
      publicIpAddressId = "string"
      publicNetworkAccess = "string"
      publisherEmail = "string"
      publisherName = "string"
      restore = bool
      virtualNetworkConfiguration = {
        subnetResourceId = "string"
      }
      virtualNetworkType = "string"
    }
    zones = [
      "string"
    ]
    sku = {
      capacity = int
      name = "string"
    }
  })
}

Property values

service

Name Description Value
type The resource type "Microsoft.ApiManagement/service@2021-12-01-preview"
name The resource name string (required)

Character limit: 1-50

Valid characters:
Alphanumerics and hyphens.

Start with letter and end with alphanumeric.

Resource name must be unique across Azure.
location Resource location. string (required)
parent_id To deploy to a resource group, use the ID of that resource group. string (required)
tags Resource tags. Dictionary of tag names and values.
sku SKU properties of the API Management service. ApiManagementServiceSkuProperties (required)
identity Managed service identity of the Api Management service. ApiManagementServiceIdentity
properties Properties of the API Management service. ApiManagementServiceProperties (required)
zones A list of availability zones denoting where the resource needs to come from. string[]

ApiManagementServiceIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the service. "SystemAssigned"
"SystemAssigned, UserAssigned"
"UserAssigned" (required)
identity_ids The list of user identities associated with the resource. The user identity
dictionary key references will be ARM resource ids in the form:
'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/
providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
Array of user identity IDs.

ApiManagementServiceProperties

Name Description Value
additionalLocations Additional datacenter locations of the API Management service. AdditionalLocation[]
apiVersionConstraint Control Plane Apis version constraint for the API Management service. ApiVersionConstraint
certificates List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. CertificateConfiguration[]
customProperties Custom properties of the API Management service.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168 will disable the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA for all TLS(1.0, 1.1 and 1.2).
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11 can be used to disable just TLS 1.1.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 can be used to disable TLS 1.0 on an API Management service.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11 can be used to disable just TLS 1.1 for communications with backends.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10 can be used to disable TLS 1.0 for communications with backends.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2 can be used to enable HTTP2 protocol on an API Management service.
Not specifying any of these properties on PATCH operation will reset omitted properties' values to their defaults. For all the settings except Http2 the default value is True if the service was created on or before April 1st 2018 and False otherwise. Http2 setting's default value is False.

You can disable any of next ciphers by using settings Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.[cipher_name]: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA. For example, Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256:false. The default value is true for them. Note: next ciphers can't be disabled since they are required by Azure CloudService internal components: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384
object
disableGateway Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in master region. bool
enableClientCertificate Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. bool
hostnameConfigurations Custom hostname configuration of the API Management service. HostnameConfiguration[]
notificationSenderEmail Email address from which the notification will be sent. string
privateEndpointConnections List of Private Endpoint Connections of this service. RemotePrivateEndpointConnectionWrapper[]
publicIpAddressId Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the region. Supported only for Developer and Premium SKU being deployed in Virtual Network. string
publicNetworkAccess Whether or not public endpoint access is allowed for this API Management service. Value is optional but if passed in, must be 'Enabled' or 'Disabled'. If 'Disabled', private endpoints are the exclusive access method. Default value is 'Enabled' "Disabled"
"Enabled"
publisherEmail Publisher email. string (required)
publisherName Publisher name. string (required)
restore Undelete Api Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. bool
virtualNetworkConfiguration Virtual network configuration of the API Management service. VirtualNetworkConfiguration
virtualNetworkType The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. "External"
"Internal"
"None"

AdditionalLocation

Name Description Value
disableGateway Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in this additional location. bool
location The location name of the additional region among Azure Data center regions. string (required)
publicIpAddressId Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the location. Supported only for Premium SKU being deployed in Virtual Network. string
sku SKU properties of the API Management service. ApiManagementServiceSkuProperties (required)
virtualNetworkConfiguration Virtual network configuration for the location. VirtualNetworkConfiguration
zones A list of availability zones denoting where the resource needs to come from. string[]

ApiManagementServiceSkuProperties

Name Description Value
capacity Capacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0. int (required)
name Name of the Sku. "Basic"
"Consumption"
"Developer"
"Isolated"
"Premium"
"Standard" (required)

VirtualNetworkConfiguration

Name Description Value
subnetResourceId The full resource ID of a subnet in a virtual network to deploy the API Management service in. string

ApiVersionConstraint

Name Description Value
minApiVersion Limit control plane API calls to API Management service with version equal to or newer than this value. string

CertificateConfiguration

Name Description Value
certificate Certificate information. CertificateInformation
certificatePassword Certificate Password. string
encodedCertificate Base64 Encoded certificate. string
storeName The System.Security.Cryptography.x509certificates.StoreName certificate store location. Only Root and CertificateAuthority are valid locations. "CertificateAuthority"
"Root" (required)

CertificateInformation

Name Description Value
expiry Expiration date of the certificate. The date conforms to the following format: yyyy-MM-ddTHH:mm:ssZ as specified by the ISO 8601 standard. string (required)
subject Subject of the certificate. string (required)
thumbprint Thumbprint of the certificate. string (required)

HostnameConfiguration

Name Description Value
certificate Certificate information. CertificateInformation
certificatePassword Certificate Password. string
certificateSource Certificate Source. "BuiltIn"
"Custom"
"KeyVault"
"Managed"
certificateStatus Certificate Status. "Completed"
"Failed"
"InProgress"
defaultSslBinding Specify true to setup the certificate associated with this Hostname as the Default SSL Certificate. If a client does not send the SNI header, then this will be the certificate that will be challenged. The property is useful if a service has multiple custom hostname enabled and it needs to decide on the default ssl certificate. The setting only applied to Proxy Hostname Type. bool
encodedCertificate Base64 Encoded certificate. string
hostName Hostname to configure on the Api Management service. string (required)
identityClientId System or User Assigned Managed identity clientId as generated by Azure AD, which has GET access to the keyVault containing the SSL certificate. string
keyVaultId Url to the KeyVault Secret containing the Ssl Certificate. If absolute Url containing version is provided, auto-update of ssl certificate will not work. This requires Api Management service to be configured with aka.ms/apimmsi. The secret should be of type application/x-pkcs12 string
negotiateClientCertificate Specify true to always negotiate client certificate on the hostname. Default Value is false. bool
type Hostname type. "DeveloperPortal"
"Management"
"Portal"
"Proxy"
"Scm" (required)

RemotePrivateEndpointConnectionWrapper

Name Description Value
id Private Endpoint connection resource id string
name Private Endpoint Connection Name string
properties Resource properties. PrivateEndpointConnectionWrapperProperties
type Private Endpoint Connection Resource Type string

PrivateEndpointConnectionWrapperProperties

Name Description Value
privateEndpoint The resource of private end point. ArmIdWrapper
privateLinkServiceConnectionState A collection of information about the state of the connection between service consumer and provider. PrivateLinkServiceConnectionState (required)

ArmIdWrapper

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

PrivateLinkServiceConnectionState

Name Description Value
actionsRequired A message indicating if changes on the service provider require any updates on the consumer. string
description The reason for approval/rejection of the connection. string
status Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. "Approved"
"Pending"
"Rejected"