Microsoft.ApiManagement service template reference

Template format

To create a Microsoft.ApiManagement/service resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.ApiManagement/service",
  "apiVersion": "2019-01-01",
  "tags": {},
  "properties": {
    "notificationSenderEmail": "string",
    "hostnameConfigurations": [
      {
        "type": "string",
        "hostName": "string",
        "keyVaultId": "string",
        "encodedCertificate": "string",
        "certificatePassword": "string",
        "defaultSslBinding": "boolean",
        "negotiateClientCertificate": "boolean",
        "certificate": {
          "expiry": "string",
          "thumbprint": "string",
          "subject": "string"
        }
      }
    ],
    "virtualNetworkConfiguration": {
      "subnetResourceId": "string"
    },
    "additionalLocations": [
      {
        "location": "string",
        "sku": {
          "name": "string",
          "capacity": "integer"
        },
        "virtualNetworkConfiguration": {
          "subnetResourceId": "string"
        }
      }
    ],
    "customProperties": {},
    "certificates": [
      {
        "encodedCertificate": "string",
        "certificatePassword": "string",
        "storeName": "string",
        "certificate": {
          "expiry": "string",
          "thumbprint": "string",
          "subject": "string"
        }
      }
    ],
    "enableClientCertificate": "boolean",
    "virtualNetworkType": "string",
    "publisherEmail": "string",
    "publisherName": "string"
  },
  "sku": {
    "name": "string",
    "capacity": "integer"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "location": "string"
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.ApiManagement/service object

Name Type Required Value
name string Yes The name of the API Management service.
type enum Yes Microsoft.ApiManagement/service
apiVersion enum Yes 2019-01-01
tags object No Resource tags.
properties object Yes Properties of the API Management service. - ApiManagementServiceProperties object
sku object Yes SKU properties of the API Management service. - ApiManagementServiceSkuProperties object
identity object No Managed service identity of the Api Management service. - ApiManagementServiceIdentity object
location string Yes Resource location.

ApiManagementServiceProperties object

Name Type Required Value
notificationSenderEmail string No Email address from which the notification will be sent.
hostnameConfigurations array No Custom hostname configuration of the API Management service. - HostnameConfiguration object
virtualNetworkConfiguration object No Virtual network configuration of the API Management service. - VirtualNetworkConfiguration object
additionalLocations array No Additional datacenter locations of the API Management service. - AdditionalLocation object
customProperties object No Custom properties of the API Management service.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168 will disable the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA for all TLS(1.0, 1.1 and 1.2).
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11 can be used to disable just TLS 1.1.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 can be used to disable TLS 1.0 on an API Management service.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11 can be used to disable just TLS 1.1 for communications with backends.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10 can be used to disable TLS 1.0 for communications with backends.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2 can be used to enable HTTP2 protocol on an API Management service.
Not specifying any of these properties on PATCH operation will reset omitted properties' values to their defaults. For all the settings except Http2 the default value is True if the service was created on or before April 1st 2018 and False otherwise. Http2 setting's default value is False.

You can disable any of next ciphers by using settings Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.[cipher_name]: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA. For example, Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256:false. The default value is true for them.
certificates array No List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. - CertificateConfiguration object
enableClientCertificate boolean No Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.
virtualNetworkType enum No The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. - None, External, Internal
publisherEmail string Yes Publisher email.
publisherName string Yes Publisher name.

ApiManagementServiceSkuProperties object

Name Type Required Value
name enum Yes Name of the Sku. - Developer, Standard, Premium, Basic, Consumption
capacity integer No Capacity of the SKU (number of deployed units of the SKU).

ApiManagementServiceIdentity object

Name Type Required Value
type enum Yes The identity type. Currently the only supported type is 'SystemAssigned'. - SystemAssigned

HostnameConfiguration object

Name Type Required Value
type enum Yes Hostname type. - Proxy, Portal, Management, Scm, DeveloperPortal
hostName string Yes Hostname to configure on the Api Management service.
keyVaultId string No Url to the KeyVault Secret containing the Ssl Certificate. If absolute Url containing version is provided, auto-update of ssl certificate will not work. This requires Api Management service to be configured with MSI. The secret should be of type application/x-pkcs12
encodedCertificate string No Base64 Encoded certificate.
certificatePassword string No Certificate Password.
defaultSslBinding boolean No Specify true to setup the certificate associated with this Hostname as the Default SSL Certificate. If a client does not send the SNI header, then this will be the certificate that will be challenged. The property is useful if a service has multiple custom hostname enabled and it needs to decide on the default ssl certificate. The setting only applied to Proxy Hostname Type.
negotiateClientCertificate boolean No Specify true to always negotiate client certificate on the hostname. Default Value is false.
certificate object No Certificate information. - CertificateInformation object

VirtualNetworkConfiguration object

Name Type Required Value
subnetResourceId string No The full resource ID of a subnet in a virtual network to deploy the API Management service in.

AdditionalLocation object

Name Type Required Value
location string Yes The location name of the additional region among Azure Data center regions.
sku object Yes SKU properties of the API Management service. - ApiManagementServiceSkuProperties object
virtualNetworkConfiguration object No Virtual network configuration for the location. - VirtualNetworkConfiguration object

CertificateConfiguration object

Name Type Required Value
encodedCertificate string No Base64 Encoded certificate.
certificatePassword string No Certificate Password.
storeName enum Yes The System.Security.Cryptography.x509certificates.StoreName certificate store location. Only Root and CertificateAuthority are valid locations. - CertificateAuthority or Root
certificate object No Certificate information. - CertificateInformation object

CertificateInformation object

Name Type Required Value
expiry string Yes Expiration date of the certificate. The date conforms to the following format: yyyy-MM-ddTHH:mm:ssZ as specified by the ISO 8601 standard.
thumbprint string Yes Thumbprint of the certificate.
subject string Yes Subject of the certificate.

Quickstart templates

The following quickstart templates deploy this resource type.