Azure API Management: API Gateway Patterns
Three years ago a client asked me to “put a gateway in front of my APIs.” It turned into a six-month conversation about rate limiting, OAuth, partner onboarding, versioning, and analytics. APIM is the answer to all of those at once — not just a reverse proxy, but the layer where you put policies, transformations, products, and a developer portal. It’s also the layer that’s hard to retrofit later, which is why I push clients to set it up early, even when they think they only need URL routing.
Core Capabilities
- Request/Response Transformation
- Authentication & Authorization
- Rate Limiting & Throttling
- Caching
- Analytics & Monitoring
Policy Examples
Rate Limiting
<policies>
    <inbound>
        <rate-limit-by-key
            calls="100"
            renewal-period="60"
            counter-key="@(context.Subscription.Id)"
            increment-condition="@(context.Response.StatusCode >= 200 && context.Response.StatusCode < 300)" />
    </inbound>
</policies>
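A fuller rate-limiting policy, added here as an example rather than taken from the post: it keys the counter on the subscription when the call carries one and falls back to the source IP for anonymous traffic (so unkeyed calls cannot sidestep the limit), layers a 30-day quota on top of the per-minute limit, and tells the caller how much budget remains and when to retry. The limit and quota values and the `X-RateLimit-Remaining` header name are illustrative choices.

```xml
<policies>
    <inbound>
        <base />
        <!-- Per-minute burst limit. Subscription id when present, otherwise the client IP.
             Only successful (2xx) calls consume budget; values are illustrative. -->
        <rate-limit-by-key calls="100"
                           renewal-period="60"
                           counter-key="@(context.Subscription?.Id ?? context.Request.IpAddress.ToString())"
                           increment-condition="@(context.Response.StatusCode >= 200 && context.Response.StatusCode < 300)"
                           retry-after-header-name="Retry-After"
                           remaining-calls-header-name="X-RateLimit-Remaining" />
        <!-- Longer-term budget on the same key: 100,000 successful calls per 30 days -->
        <quota-by-key calls="100000"
                      renewal-period="2592000"
                      counter-key="@(context.Subscription?.Id ?? context.Request.IpAddress.ToString())"
                      increment-condition="@(context.Response.StatusCode >= 200 && context.Response.StatusCode < 300)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two caveats when relying on this: counters are enforced approximately per gateway deployment, not as a single global counter, so treat the numbers as a ceiling rather than an exact guarantee; and an IP-keyed fallback throttles everyone behind a shared NAT or forward proxy together, so for partner traffic the subscription key, not the IP, should be the primary identity.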
JWT Validation
<validate-jwt header-name="Authorization" failed-validation-httpcode="401">
    <openid-config url="https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration" />
    <required-claims>
        <claim name="aud" match="any">
            <value>{app-id}</value>
        </claim>
    </required-claims>
</validate-jwt>
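The snippet above checks signature, expiry and audience. The policy below is an added example (not the post's own) that tightens it the way I would for a production API: the issuer is pinned to the tenant, both audience forms an Entra token can carry are listed, a `roles` claim is required so a token that is merely valid for the API but carries no app role is rejected, and the verified identity is passed to the backend as a header while the raw bearer token is dropped. `{tenant}` and `{app-id}` are the post's placeholders; the role names `Orders.Read`/`Orders.Write` and the `X-Caller-Object-Id` header are constructed for the example, and dropping the `Authorization` header assumes the backend trusts the gateway rather than re-validating the token itself.

```xml
<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-expiration-time="true"
                      require-signed-tokens="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Access token is missing or invalid."
                      output-token-variable-name="jwt">
            <openid-config url="https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration" />
            <!-- Accept tokens from this tenant only -->
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant}/v2.0</issuer>
            </issuers>
            <!-- v1.0 tokens carry the App ID URI, v2.0 tokens carry the client id -->
            <audiences>
                <audience>api://{app-id}</audience>
                <audience>{app-id}</audience>
            </audiences>
            <!-- Illustrative app roles: the caller needs at least one of them -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>Orders.Read</value>
                    <value>Orders.Write</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Hand the backend the verified object id instead of the token -->
        <set-header name="X-Caller-Object-Id" exists-action="override">
            <value>@(((Jwt)context.Variables["jwt"]).Claims.GetValueOrDefault("oid", ""))</value>
        </set-header>
        <set-header name="Authorization" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The `issuers` block matters more than it looks: the OpenID metadata only tells the gateway where to fetch signing keys, and pinning the issuer is what stops a token from a different issuer that validates against the same key set from being accepted. Keep the role check at the gateway coarse (is this caller allowed to reach the API at all) and leave per-record authorization to the backend.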
Response Caching
<cache-lookup vary-by-developer="false" vary-by-developer-groups="false">
    <vary-by-header>Accept</vary-by-header>
    <vary-by-query-parameter>version</vary-by-query-parameter>
</cache-lookup>
<!-- outbound -->
<cache-store duration="3600" />
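With `vary-by-developer="false"`, as in the snippet above, all subscribers share one cache entry per key, which is right for public reference data and wrong for anything the backend tailors to the caller: the next subscriber would be served the previous one's response. The complete policy below is an added example (not from the post) that restricts caching to successful GET responses, varies the entry per subscription, and stops intermediaries from caching on their own. The vary-by values are the post's; `prefer-external` is chosen so the policy still works if no external Redis cache is configured.

```xml
<policies>
    <inbound>
        <base />
        <!-- Only GET responses are safe to serve from cache -->
        <choose>
            <when condition="@(context.Request.Method == &quot;GET&quot;)">
                <cache-lookup vary-by-developer="true"
                              vary-by-developer-groups="false"
                              caching-type="prefer-external"
                              downstream-caching-type="none"
                              must-revalidate="true">
                    <vary-by-header>Accept</vary-by-header>
                    <vary-by-header>Accept-Language</vary-by-header>
                    <vary-by-query-parameter>version</vary-by-query-parameter>
                </cache-lookup>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Store only 200 responses to GETs; errors and partial results never enter the cache -->
        <choose>
            <when condition="@(context.Request.Method == &quot;GET&quot; && context.Response.StatusCode == 200)">
                <cache-store duration="3600" />
            </when>
        </choose>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The string literal is written as `&quot;GET&quot;` because the expression lives inside an XML attribute. Note also that by default `cache-lookup` does not cache responses to requests that carry an `Authorization` header; leave `allow-private-response-caching` unset unless you have made the cache key vary on everything the response depends on.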
Backend Circuit Breaker
<retry condition="@(context.Response.StatusCode == 503)" count="3" interval="10">
    <forward-request />
</retry>
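The snippet above retries the same backend with a fixed 10-second gap. As an added example (not the post's code), the policy below uses a growing backoff, buffers the request body so a POST can actually be replayed, and switches to a standby backend once the primary has answered 503. The backend URL is a placeholder, and the timeout and backoff values are illustrative.

```xml
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <!-- Up to 3 retries on 503; the wait starts at 1 s and grows by 2 s per attempt, capped at 8 s -->
        <retry condition="@(context.Response.StatusCode == 503)"
               count="3"
               interval="1"
               max-interval="8"
               delta="2"
               first-fast-retry="false">
            <!-- context.Response is null on the first pass; after a 503, fail over to the standby -->
            <choose>
                <when condition="@(context.Response != null && context.Response.StatusCode == 503)">
                    <set-backend-service base-url="https://orders-standby.example.com" />
                </when>
            </choose>
            <!-- buffer-request-body lets the body be resent on retry; timeout bounds each attempt -->
            <forward-request timeout="10" buffer-request-body="true" />
        </retry>
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Keep `count` small: every retry is extra load on a backend that is already failing, and a gateway that retries aggressively can turn a brief outage into a sustained one. A retry policy is also not a circuit breaker in the strict sense, since the primary keeps receiving traffic on every new request; APIM does provide a circuit breaker configured on the backend resource itself, which stops forwarding for a period after a configured number of failures, and that is the better tool when you need the backend to be left alone while it recovers.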
Developer Portal
APIM includes a customizable developer portal where consumers can:
- Browse API documentation
- Test APIs interactively
- Register for API keys
- View usage analytics
For organizations exposing APIs to partners or developers, APIM is essential infrastructure.