Microsoft.ApiManagement service 2019-12-01-preview

The service resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.ApiManagement/service resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.ApiManagement/service@2019-12-01-preview' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    capacity: int
    name: 'string'
  }
  identity: {
    type: 'string'
    userAssignedIdentities: {}
  }
  properties: {
    additionalLocations: [
      {
        disableGateway: bool
        location: 'string'
        sku: {
          capacity: int
          name: 'string'
        }
        virtualNetworkConfiguration: {
          subnetResourceId: 'string'
        }
      }
    ]
    apiVersionConstraint: {
      minApiVersion: 'string'
    }
    certificates: [
      {
        certificate: {
          expiry: 'string'
          subject: 'string'
          thumbprint: 'string'
        }
        certificatePassword: 'string'
        encodedCertificate: 'string'
        storeName: 'string'
      }
    ]
    customProperties: {}
    disableGateway: bool
    enableClientCertificate: bool
    hostnameConfigurations: [
      {
        certificate: {
          expiry: 'string'
          subject: 'string'
          thumbprint: 'string'
        }
        certificatePassword: 'string'
        defaultSslBinding: bool
        encodedCertificate: 'string'
        hostName: 'string'
        keyVaultId: 'string'
        negotiateClientCertificate: bool
        type: 'string'
      }
    ]
    notificationSenderEmail: 'string'
    publisherEmail: 'string'
    publisherName: 'string'
    virtualNetworkConfiguration: {
      subnetResourceId: 'string'
    }
    virtualNetworkType: 'string'
  }
}

Property values

service

Name Description Value
type The resource type

For Bicep, set this value in the resource declaration.
'Microsoft.ApiManagement/service'
apiVersion The resource api version

For Bicep, set this value in the resource declaration.
'2019-12-01-preview'
name The resource name string (required)
location Resource location. string (required)
tags Resource tags. Dictionary of tag names and values. See Tags in templates
sku API Management service resource SKU properties. ApiManagementServiceSkuProperties (required)
identity Identity properties of the Api Management service resource. ApiManagementServiceIdentity
properties Properties of an API Management service resource description. ApiManagementServiceProperties (required)

ApiManagementServiceIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the service. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned'
userAssignedIdentities The list of user identities associated with the resource. The user identity
dictionary key references will be ARM resource ids in the form:
'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/
providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
object

ApiManagementServiceProperties

Name Description Value
additionalLocations Additional datacenter locations of the API Management service. AdditionalLocation[]
apiVersionConstraint Control Plane Apis version constraint for the API Management service. ApiVersionConstraint
certificates List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. CertificateConfiguration[]
customProperties Custom properties of the API Management service.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168 will disable the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA for all TLS(1.0, 1.1 and 1.2).
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11 can be used to disable just TLS 1.1.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 can be used to disable TLS 1.0 on an API Management service.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11 can be used to disable just TLS 1.1 for communications with backends.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10 can be used to disable TLS 1.0 for communications with backends.
Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2 can be used to enable HTTP2 protocol on an API Management service.
Not specifying any of these properties on PATCH operation will reset omitted properties' values to their defaults. For all the settings except Http2 the default value is True if the service was created on or before April 1st 2018 and False otherwise. Http2 setting's default value is False.

You can disable any of next ciphers by using settings Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.[cipher_name]: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA. For example, Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256:false. The default value is true for them. Note: next ciphers can't be disabled since they are required by Azure CloudService internal components: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384
object
disableGateway Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in master region. bool
enableClientCertificate Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. bool
hostnameConfigurations Custom hostname configuration of the API Management service. HostnameConfiguration[]
notificationSenderEmail Email address from which the notification will be sent. string
publisherEmail Publisher email. string (required)
publisherName Publisher name. string (required)
virtualNetworkConfiguration Configuration of a virtual network to which API Management service is deployed. VirtualNetworkConfiguration
virtualNetworkType The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. 'External'
'Internal'
'None'

AdditionalLocation

Name Description Value
disableGateway Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in this additional location. bool
location The location name of the additional region among Azure Data center regions. string (required)
sku API Management service resource SKU properties. ApiManagementServiceSkuProperties (required)
virtualNetworkConfiguration Configuration of a virtual network to which API Management service is deployed. VirtualNetworkConfiguration

ApiManagementServiceSkuProperties

Name Description Value
capacity Capacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0. int (required)
name Name of the Sku. 'Basic'
'Consumption'
'Developer'
'Premium'
'Standard'

VirtualNetworkConfiguration

Name Description Value
subnetResourceId The full resource ID of a subnet in a virtual network to deploy the API Management service in. string

ApiVersionConstraint

Name Description Value
minApiVersion Limit control plane API calls to API Management service with version equal to or newer than this value. string

CertificateConfiguration

Name Description Value
certificate SSL certificate information. CertificateInformation
certificatePassword Certificate Password. string
encodedCertificate Base64 Encoded certificate. string
storeName The System.Security.Cryptography.x509certificates.StoreName certificate store location. Only Root and CertificateAuthority are valid locations. 'CertificateAuthority'
'Root'

CertificateInformation

Name Description Value
expiry Expiration date of the certificate. The date conforms to the following format: yyyy-MM-ddTHH:mm:ssZ as specified by the ISO 8601 standard. string (required)
subject Subject of the certificate. string (required)
thumbprint Thumbprint of the certificate. string (required)

HostnameConfiguration

Name Description Value
certificate SSL certificate information. CertificateInformation
certificatePassword Certificate Password. string
defaultSslBinding Specify true to setup the certificate associated with this Hostname as the Default SSL Certificate. If a client does not send the SNI header, then this will be the certificate that will be challenged. The property is useful if a service has multiple custom hostname enabled and it needs to decide on the default ssl certificate. The setting only applied to Proxy Hostname Type. bool
encodedCertificate Base64 Encoded certificate. string
hostName Hostname to configure on the Api Management service. string (required)
keyVaultId Url to the KeyVault Secret containing the Ssl Certificate. If absolute Url containing version is provided, auto-update of ssl certificate will not work. This requires Api Management service to be configured with MSI. The secret should be of type application/x-pkcs12 string
negotiateClientCertificate Specify true to always negotiate client certificate on the hostname. Default Value is false. bool
type Hostname type. 'DeveloperPortal'
'Management'
'Portal'
'Proxy'
'Scm'

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create an API Management instance and all sub resources using template

Deploy to Azure
This template demonstrates how to create a API Management service and configure sub-entities
Create an API Management service in External Virtual Network

Deploy to Azure
This template demonstrates how to create a instance of Azure API Management within your virtual network's subnet in External mode and configure NSG on the subnet as per recommendation.
Deploy API Management in Virtual Network with Public IP

Deploy to Azure
This template demonstrates how to create a instance of Azure API Management within your virtual network's subnet in External mode and configure NSG on the subnet as per recommendation. The template also expects Public IP address from your subscription.
Create an API Management instance in Premium tier with custom hostnames for proxy and portal

Deploy to Azure
This template demonstrates how to create a instance of Azure API Management with custom hostname for portal and multiple custom hostnames for proxy
Create an API Management service in Internal Virtual network

Deploy to Azure
This template demonstrates how to create a instance of Azure API Management within your virtual network's subnet in Internal Virtual Network mode and configure NSG on the subnet as per recommendation.
Create API Management in Internal VNet with App Gateway

Deploy to Azure
This template demonstrates how to Create a instance of Azure API Management on a private network protected by Azure Application Gateway.
Deploy API Management in Internal VNET with Public IP

Deploy to Azure
This template demonstrates how to create a instance of Azure API Management within your virtual network's subnet in Internal mode and configure NSG on the subnet as per recommendation. The template also expects Public IP address from your subscription.
Create an API Management instance having MSI Identity

Deploy to Azure
This template creates a developer instance of Azure API Management having an MSI Identity
Create a multi-region Premium tier API Management service

Deploy to Azure
This template demonstrates how to create API Management service with additional locations. The primary location is the same as location of the resource group. For Additional locations, the template shows NorthCentralUs and East US2. The primary location should be different from additional locations
Create API Management with custom proxy ssl using KeyVault.

Deploy to Azure
This template demonstrates how to Create a instance of Azure API Management and configure custom hostname for proxy with ssl certificate from keyvault.
Create an API Management service with SSL from KeyVault

Deploy to Azure
This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours.
Create and monitor API Management instance with Operations Management Suite (OMS) - Log Analytics

Deploy to Azure
This template creates an instance of Azure API Management service and OMS workspace and sets up monitoring for your API Management service with Operations Management Suite - Log Analytics
Deploy API Management into Availability Zones

Deploy to Azure
This template creates a premium instance of Azure API Management and deploys into an Availability Zone
Create an API Management instance using a template

Deploy to Azure
This template creates a developer instance of Azure API Management
Create Azure Front Door in front of Azure API Management

Deploy to Azure
This sample demonstrates how to use Azure Front Door as a global load balancer in front of Azure API Management.
Front Door Standard/Premium with API Management origin

Deploy to Azure
This template creates a Front Door Premium (Preview) and an API Management instance, and uses an NSG and global API Management policy to validate that traffic has come through the Front Door origin.