Azure API Management landing zone architecture
APIs have become increasingly integral to how organizations and their customers access services, both within internal systems and through external channels. Internally, APIs facilitate access to line-of-business (LoB) applications, proprietary solutions, and partner integrations. Externally, a growing number of organizations are focused on enhancing productivity and generating revenue through API monetization. Given this trend, Azure API Management serves as a foundational element in the standardized governance, publication, and oversight of APIs for both internal and external stakeholders.
Azure Application Gateway serves as a security checkpoint for APIs. Instead of allowing users to connect directly over the internet, you route all traffic through an application gateway. This setup adds extra access controls to help protect your APIs. With this approach, you can use a single API Management instance to support both internal APIs within your organization and external APIs outside your organization, while keeping any publicly exposed APIs secured behind the gateway.
Note
This architecture serves as the foundation of the guidance for API Management in Azure landing zones in the Cloud Adoption Framework for Azure.
Architecture
Download a Visio file of this architecture.
This architecture assumes that the policies are in place from the Azure landing zone reference implementation and that the structure is driven downward from the management group.
Workflow
Public IP addresses are assigned to an application gateway, which serves as the entry point for external traffic. That endpoint exposes APIs through a custom domain.
The application gateway is deployed in its own subnet and protected by Web Application Firewall (WAF) policies to inspect and filter incoming requests.
Traffic is routed from the application gateway to API Management (Premium), which resides in a separate API Management subnet. The API Management instance is configured in internal mode, which prevents direct public access.
Private endpoints are used to securely connect API Management to back-end application servers that are exposed only to the virtual network. API Management also periodically connects to dependencies, such as Azure key vaults. Typically, all of this private connectivity terminates on private endpoints in a dedicated private endpoint subnet.
Log Analytics workspaces and Application Insights are integrated for logging, monitoring, and telemetry.
Components
API Management is a managed service that allows you to manage services across hybrid and multicloud environments. It provides control and security for API observability and consumption by both internal and external users. In this architecture, API Management serves as a facade to abstract the back-end architecture.
Application Gateway is a managed service that serves as a layer-7 load balancer and WAF. Application Gateway protects the internal API Management instance, which enables the use of both internal and external modes. In this architecture, API Management secures APIs, and Application Gateway adds complementary capabilities such as WAF.
Private Domain Name System (DNS) zones are a feature of Azure DNS that allows you to manage and resolve domain names within a virtual network without needing to implement a custom DNS solution. A private DNS zone can be aligned to one or more virtual networks through virtual network links. In this architecture, a private DNS zone is required to ensure proper name resolution within the virtual network.
Application Insights is an extensible application performance management and monitoring service for live web apps that helps developers detect anomalies, diagnose problems, and understand usage patterns. Various platforms are supported, including .NET, Node.js, Java, and Python. It supports apps that are hosted in Azure, on-premises, in a hybrid environment, or in other public clouds. In this architecture, Application Insights monitors the behavior of the deployed application.
Log Analytics is a cloud-based data analysis tool that enables you to edit and run log queries against data in Azure Monitor Logs, optionally from within the Azure portal. Developers can run simple queries to retrieve records or use Log Analytics for advanced analysis, then visualize the results. In this architecture, Log Analytics aggregates all the platform resource logs for analysis and reporting.
Azure Key Vault is a cloud service that securely stores and accesses secrets. These secrets range from API keys and passwords to certificates and cryptographic keys. In this architecture, Key Vault stores the Secure Sockets Layer (SSL) certificates that Application Gateway uses.
Alternatives
For the back-end services that the API Management instance connects to, several alternatives are available:
Azure App Service is a fully managed HTTP-based service that builds, deploys, and scales web apps. It supports .NET, .NET Core, Java, Ruby, Node.js, PHP, and Python. Applications can run and scale in either Windows or Linux-based environments.
Azure Kubernetes Service (AKS) is a managed Kubernetes offering that delivers fully managed clusters. It enables integrated continuous integration and continuous delivery (CI/CD), along with built-in governance and security.
Azure Logic Apps is a cloud-based platform that creates and runs automated workflows. For more information, see an example reference architecture.
Azure Container Apps is a fully managed serverless container service that enables you to run microservices and containerized applications on a serverless platform.
For multiregion deployments, consider using Azure Front Door to provide fast, reliable, and secure access between your users and your applications' static and dynamic web content.
To see additional examples of how Application Gateway can protect APIs, see Protect APIs with Application Gateway and API Management.
Considerations
These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that you can use to improve the quality of a workload. For more information, see Well-Architected Framework.
Reliability
Reliability helps ensure that your application can meet the commitments that you make to your customers. For more information, see Design review checklist for Reliability.
Deploy at least three scale units of API Management that are spread over two availability zones for each region. This method maximizes your availability and performance.
We recommend that you use the Premium tier because it supports availability zones and multiregion deployments. This capability means that your services can continue to run even if one region or zone goes down. These features help protect your application during outages or disasters.
For disaster recovery, set up API Management with a user-assigned managed identity instead of a system-assigned identity. If you redeploy or delete the resource, the identity and its permissions remain in place, so you can restore access more easily. Use Azure Pipelines to automate backups. Decide if you need to deploy your services in more than one region for better reliability.
Virtual network peering provides strong performance within a region, but it has a scalability limit of 500 networks. If you need to connect more workloads, use a hub-spoke design or Azure Virtual WAN.
Security
Security provides assurances against deliberate attacks and the misuse of your valuable data and systems. For more information, see Design review checklist for Security.
API Management validation policies validate API requests and responses against an OpenAPI schema. These features aren't a replacement for a WAF, but they can provide extra protection against some threats. Adding validation policies can have performance implications, so we recommend that you use performance load tests to assess their impact on API throughput.
Microsoft Defender for APIs provides full life cycle protection, detection, and response for APIs published in API Management. One key capability is detecting exploits of the Open Web Application Security Project (OWASP) API Top 10 vulnerabilities through runtime anomaly observations by using machine learning-based and rule-based detections.
API Management workspaces help you organize and isolate your APIs. This approach makes it easier to control who can access and manage them. Each workspace can have its own set of permissions, so you can limit access to only the people or teams who need it. This separation reduces the risk of accidental changes or unauthorized access and supports a more secure API environment.
Use Key Vault secrets as named values in API Management policies to protect sensitive information in API Management policies.
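As an added example (not code from the accelerator repository), the Bicep below deploys a Key Vault-backed named value and an API-scoped policy that applies the validation policies described above and reads the named value; the parameter names, the named value name backend-api-key, the x-api-key header, and the 2022-08-01 API version are assumptions for the illustration.

```bicep
param apimName string
param apiName string
param keyVaultName string
param secretName string
param identityClientId string // user-assigned identity that holds "Key Vault Secrets User" on the vault

// Key Vault-backed named value: API Management fetches the secret with its managed identity,
// so the value never appears in policy XML, templates, or the portal (assumed name: backend-api-key).
resource backendKey 'Microsoft.ApiManagement/service/namedValues@2022-08-01' = {
  name: '${apimName}/backend-api-key'
  properties: {
    displayName: 'backend-api-key'
    secret: true
    keyVault: {
      secretIdentifier: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/${secretName}'
      identityClientId: identityClientId
    }
  }
}

// API-scoped policy: reject requests that violate the API's OpenAPI schema before they reach the
// back end, then inject the Key Vault-backed key as a header. {{...}} is resolved by APIM, not Bicep.
resource apiPolicy 'Microsoft.ApiManagement/service/apis/policies@2022-08-01' = {
  name: '${apimName}/${apiName}/policy'
  dependsOn: [ backendKey ] // the named value must exist before the policy that references it is validated
  properties: {
    format: 'rawxml'
    value: '''
<policies>
  <inbound>
    <base />
    <validate-content unspecified-content-type-action="prevent" max-size="102400" size-exceeded-action="prevent" errors-variable-name="requestBodyValidation">
      <content type="application/json" validate-as="json" action="prevent" />
    </validate-content>
    <validate-parameters specified-parameter-action="prevent" unspecified-parameter-action="detect" errors-variable-name="requestParametersValidation" />
    <set-header name="x-api-key" exists-action="override">
      <value>{{backend-api-key}}</value>
    </set-header>
  </inbound>
  <backend><base /></backend>
  <outbound>
    <base />
    <validate-status-code unspecified-status-code-action="detect" errors-variable-name="responseStatusValidation" />
  </outbound>
  <on-error><base /></on-error>
</policies>
'''
  }
}
```

The "detect" actions only record findings in the named error variables, so you can switch them to "prevent" once load tests show the validation cost is acceptable.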
Use Application Gateway for external access to an internal API Management instance to protect the API Management instance, defend against common web application exploits and vulnerabilities by using WAF, and enable hybrid connectivity.
Deploy the API Management gateway in a virtual network to support hybrid connectivity and increased security.
Virtual network peering improves performance in a region and enables private communication between virtual networks.
When you use a WAF, you introduce a layer that inspects incoming traffic for malicious behavior. This protection helps block common threats such as SQL injection and cross-site scripting. Application Gateway and distributed denial-of-service (DDoS) protection help prevent excessive traffic or connection floods from overwhelming the API Management instance. For more information, see Protect APIs by using Application Gateway and API Management.
Private endpoints for Azure Functions allow you to securely connect to your function apps over a private IP address within your virtual network. This setup prevents exposure of your functions to the public internet, which reduces the risk of unauthorized access. In this architecture, private endpoints ensure that only trusted resources within your network can access Azure Functions.
Cost Optimization
Cost Optimization focuses on ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Design review checklist for Cost Optimization.
This deployment uses the Premium plan to support availability zone and virtual network capabilities. If you don't require dedicated instances, you can also use Flex Consumption, which supports both network access and availability zones. Review the pricing calculator for this deployment.
For proof of concepts or prototypes, we recommend that you use other API Management tiers, such as Developer or Standard.
Operational Excellence
Operational Excellence covers the operations processes that deploy an application and keep it running in production. For more information, see Design review checklist for Operational Excellence.
Represent API Management configurations as Azure Resource Manager templates, and adopt an infrastructure as code (IaC) approach.
Use a CI/CD process to manage, version, and update API Management configurations.
Create custom health probes to help validate the status of your API Management instance. Use the URL `/status-0123456789abcdef` to create a common health endpoint for the API Management service in the application gateway.
Certificates updated in the key vault are automatically rotated in API Management, which reflects the changes within four hours.
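As an added example, not the accelerator's own template, this Bicep defines a WAF_v2 application gateway whose custom probe targets the status endpoint above; the resource names, the custom domain passed in apiHostName, and all other parameters are assumptions for the illustration.

```bicep
param location string = resourceGroup().location
param appGatewaySubnetId string
param publicIpId string
param wafPolicyId string
param identityId string   // user-assigned identity allowed to read the TLS certificate secret
param certSecretId string // Key Vault secret ID of the certificate (versionless, so rotations are picked up)
param apiHostName string  // custom domain; the private DNS zone resolves it to the APIM internal IP

var gwName = 'agw-apim' // assumed name
var gwId = resourceId('Microsoft.Network/applicationGateways', gwName)

resource agw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: gwName
  location: location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${identityId}': {} } }
  properties: {
    sku: { name: 'WAF_v2', tier: 'WAF_v2', capacity: 2 }
    firewallPolicy: { id: wafPolicyId }
    gatewayIPConfigurations: [ { name: 'gwip', properties: { subnet: { id: appGatewaySubnetId } } } ]
    frontendIPConfigurations: [ { name: 'feip', properties: { publicIPAddress: { id: publicIpId } } } ]
    frontendPorts: [ { name: 'port443', properties: { port: 443 } } ]
    sslCertificates: [ { name: 'apim-cert', properties: { keyVaultSecretId: certSecretId } } ]
    backendAddressPools: [ { name: 'apim', properties: { backendAddresses: [ { fqdn: apiHostName } ] } } ]
    // Custom probe: the APIM gateway answers 200 on this path while it is healthy, so a failing
    // probe removes the instance from rotation instead of surfacing 502s to callers.
    probes: [
      {
        name: 'apim-status'
        properties: {
          protocol: 'Https'
          path: '/status-0123456789abcdef'
          pickHostNameFromBackendHttpSettings: true // sends the APIM custom domain as the Host header
          interval: 30
          timeout: 30
          unhealthyThreshold: 3
          match: { statusCodes: [ '200' ] }
        }
      }
    ]
    backendHttpSettingsCollection: [ { name: 'apim-https', properties: { port: 443, protocol: 'Https', pickHostNameFromBackendAddress: true, requestTimeout: 30, probe: { id: '${gwId}/probes/apim-status' } } } ]
    httpListeners: [ { name: 'https-in', properties: { protocol: 'Https', hostName: apiHostName, frontendIPConfiguration: { id: '${gwId}/frontendIPConfigurations/feip' }, frontendPort: { id: '${gwId}/frontendPorts/port443' }, sslCertificate: { id: '${gwId}/sslCertificates/apim-cert' } } } ]
    requestRoutingRules: [ { name: 'to-apim', properties: { ruleType: 'Basic', priority: 100, httpListener: { id: '${gwId}/httpListeners/https-in' }, backendAddressPool: { id: '${gwId}/backendAddressPools/apim' }, backendHttpSettings: { id: '${gwId}/backendHttpSettingsCollection/apim-https' } } } ]
  }
}
```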
Deploy at least two scale units of API Management that are spread over two availability zones in each region. This method maximizes availability and performance.
If you use a DevOps tool, such as Azure DevOps or GitHub, then cloud-hosted agents or runners operate over the public internet. Because API Management in this architecture is set to an internal network, you need to use a DevOps agent that has access to the virtual network. The DevOps agent helps you deploy policies and other changes to the APIs in your architecture. You can use these CI/CD templates to separate the process into parts so that your development teams can deploy changes for each API. DevOps runners initiate the templates to handle these individual deployments.
Deploy this scenario
This architecture is available on GitHub. It contains all the necessary IaC files and the deployment instructions.
Contributors
Microsoft maintains this article. The following contributors wrote this article.
Principal authors:
- Pete Messina | Senior Cloud Solution Architect
- Anthony Nevico | Senior Cloud Solution Architect
Next steps
- API Management landing zone accelerator
- API Management terminology
- Application Gateway documentation