Azure Policy built-in policy definitions for Azure API Management

This page is an index of Azure Policy built-in policy definitions for Azure API Management. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions. For API Management policy samples, see API Management - Policy index.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure API Management

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
API Management service should use a SKU that supports virtual networks With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet. Audit, Deny, Disabled 1.0.0
API Management services should disable public network access To improve the security of API Management services, ensure that endpoints aren't exposed to the public internet. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to Management API, managing configuration using Git, self-hosted gateways configuration. If any of those features are not used, corresponding endpoints should be disabled. AuditIfNotExists, Disabled 1.0.0
API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. Audit, Disabled 1.0.1
Configure API Management services to disable public network access To improve the security of API Management services, disable public endpoints. Some public endpoints are exposed by API Management services to support user scenarios, e.g. direct access to Management API, managing configuration using Git, self-hosted gateways configuration. If any of those features are not used, corresponding endpoints should be disabled. DeployIfNotExists, Disabled 1.0.0

Next steps