API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  1. Self-hosted API Management gateway

    To expand support for hybrid use cases and enable more efficient on-premises-to-on-premises call patterns for internal-only and internal/external APIs, we will provide an option for customers to self-host a containerized version of the API Management gateway component (fully equivalent to the gateway in the cloud, not a “micro-gateway”) on-premises or in another environment, e.g. other public clouds. The self-hosted gateway will require, and will be managed from, a cloud-based Azure API Management instance.

    968 votes
    started  ·  33 comments  ·  Gateway
  2. Add Self-hosted API Management gateway to Basic and Standard pricing tiers

    Please consider adding the self-hosted API Management gateways to the Basic and Standard tiers. At a minimum, at least three instances for HA purposes.

    The argument for this is that you will drive up the adoption of Azure APIM and generate considerable Azure consumption through the take up.

    Alternatively please consider a per gateway pricing option to cover any additional overheads.

    84 votes
    0 comments  ·  Gateway
  3. Export variables reporting throttling information from rate-limit policy

    There are ongoing RFCs to give clients the capability to throttle their call rate to avoid hitting the cap imposed by rate-limit policies.

    A possible way to implement this is to return in the response header 4 variables containing:


    • The current limit set by the policy

    • Amount of remaining calls before hitting the limit

    • Number of seconds to wait before getting the limit reset to the maximum

    • Number of seconds to wait before retrying (only when calls are blocked)

    116 votes
    3 comments  ·  Policies
  4. Allow developers to upload API Management code samples

    We have started using the new developer portal and realized there is no way to add new language samples and edit existing templates. Could you please add a feature to add new language templates and update existing items?

    24 votes
    0 comments  ·  Developer portal
  5. Ability to Secure New Developer Portal Pages

    In the new developer portal there is no way to secure pages from being viewed. If I want to add supplementary API documentation pages in the portal, I cannot specify to only allow that page to show when the user is logged in. The only real security in the portal is that APIs and products won't show based on whether the user is logged in.

    The only capability present is to hide them in the navigation menu. So if I add a page at /apis/project/order, I can place it in the menu and say whether it will show up there,…

    39 votes
    2 comments  ·  Developer portal
  6. API Management more control with mail sending

    Currently there are very few options to set when it comes to mailing about API Management events (new subscriptions, new developers, etc.).
    It would be great if the following could be included for e-mail configuration (some of these things help avoid e-mail being recognized as spam by some spam filters, as in our case):
    - optionally removing "on behalf of" when sending e-mail
    - including text/plain representation in sent e-mails (besides default text/html)
    - using SendGrid as an e-mail sender (as in other Azure services)
    - using custom reply address (instead of "on behalf of")

    And maybe some other things that…

    59 votes
    6 comments  ·  Service management
  7. Support backendTlsVersion logging

    As multiple organizations and teams start enforcing TLS 1.2, it's always better to have this log to understand the TLS versions used by backend APIs. This will help teams strategize the push for TLS 1.2 and make informed decisions.

    32 votes
    2 comments  ·  Gateway
  9. Logic App backends in ARM Templates able to be selected like in Portal

    When setting up an APIM API and a backend in the portal, we are able to select a Logic App using an experience to find the logic app and the sub-resource. Then a radio button for Azure Logic App resource is selected with the name of the logic app and sub-resource. However, in an ARM template, this is impossible. Setting up the backend to point to the resourceId of the logic and deploying defaults this backend policy to HTTP and does not work unless fixed manually in the portal. Here is the snippet of the ARM template:

        {
            "type": "Microsoft.ApiManagement/service/backends",

    10 votes
    0 comments  ·  API management experience
  10. Support gRPC in Azure API Manager

    Please add support for gRPC to Azure API Manager.
    I would like to expose gRPC services to clients.
    It would also be great if we can have REST services for clients that call backend gRPC services.

    206 votes
    1 comment
  11. Add Developer Portal to Consumption Tier

    Please add the developer portal to the consumption tier.

    It's currently very confusing in the management portal as to what is supported and what isn't when using the consumption tier. For instance, it is possible to publish products, or define definitions for responses, yet this seems to only be for publishing in the developer portal.

    This article: https://docs.microsoft.com/en-us/azure/azure-functions/functions-openapi-definition comes close to explaining how to set up at least an OpenAPI definition - but it doesn't appear possible to link multiple existing Azure functions to an existing API Management gateway.

    Is the developer portal feature (in all other tiers) going to…

    34 votes
    0 comments  ·  Developer portal
  12. Distributed Tracing - W3C Trace Context Policy

    Add a policy that implements the W3C Trace Context specification. This means that if a request arrives at APIM without a W3C trace context, APIM will create it and send it to the backend. If a request arrives with a W3C trace context already created, APIM will append its information to the context.

    13 votes
    0 comments  ·  Integration
  13. Add policy to prevent brute force attacks in the API Management Consumption Tier

    Currently in Consumption Tier, there is no way to prevent abuse of unauthenticated endpoints. This allows attackers to be able to keep hitting these endpoints with random inputs until they succeed.

    Examples of such endpoints could be account activation, registration, password reset where an attacker can keep calling these endpoints with random values, since there is no throttling or check of any kind per API method to limit calls from the same IP in a given time frame.

    20 votes
    0 comments  ·  Security
  14. Remove or extend "Maximum number of CA certificates per service instance"

    Currently there is a hard limit of 10 Certificate Authorities for the API Management Service. We need at least 50 Certificate Authorities / Intermediates for our customer.

    24 votes
    0 comments  ·  Security
  15. Add support for ionic scheme in CORS policy

    Today CORS policy in APIM only allows http, https or file scheme in allowed-origins.
    https://docs.microsoft.com/en-us/azure/api-management/api-management-cross-domain-policies#CORS

    Ionic webview plugin serves application from ionic:// or custom scheme. None of http, https or file is valid in ionic webview.
    https://github.com/ionic-team/cordova-plugin-ionic-webview

    Please add support for ionic scheme. Thank you.

    109 votes
    5 comments
  16. Documentation - Fully-featured Application Gateway with API Management documentation

    The documentation at https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway is hard to follow, as it demonstrates an approach using only PowerShell and lacks a detailed explanation of why configuration settings are made. It would be helpful to users if the documentation also showed screenshots of configuration using the Azure Portal. A video walkthrough would also be helpful (as there are many steps involved and a video may be easier to understand).

    The blog post at https://medium.com/azure-architects/azure-api-management-and-application-gateway-integration-a31fde80f3db provides additional information to help clarify why and how configuration settings are made. The related GitHub sample is also clear as more descriptive variable names are used. It would…

    9 votes
    1 comment
  17. Disallow or show warning when filling in duplicate OperationId

    When adding a new operation in Azure API Management, you can type in the "name". In the backend this is the operationId.
    However, if you type in an already existing operationId, it will overwrite that operation (and merge certain features, like tags).
    It would be nice to disallow this, or to show a warning that this will overwrite an existing operation.

    18 votes
    0 comments  ·  Defining APIs
  18. Support for multi-tenant user login delegation

    In a multi-tenant scenario, there is no option to delegate user login to multiple URLs; the delegation section allows only one URL.

    It would be great if it would allow one delegation endpoint per custom developer portal domain.

    42 votes
    0 comments  ·  Developer portal
  19. GatewayUrl in Azure Portal UI and REST Api differ

    We have decided to go all in when it comes to ARM Templating, and our goal is to depend on as few parameters as possible and instead retrieve as much information from the system settings as possible.

    While creating ARM Templates for API Management I discovered that what I did see on my Azure Portal in API Management Service in the Gateway Url property was not the value to be found when retrieving it using my ARM Template. Trying to figure out what happens, I did a REST API lookup and to my big surprise GatewayUrl via REST API and…

    4 votes
    0 comments  ·  API management experience
  20. Use DDoS Protection Standard with VNET integrated API Management gateway

    We would like to use DDoS Protection Standard for our VNET integrated API Management Service. A possible solution could be to have self-signed public IPs for the public endpoint.

    P.S. We cannot put an Application Gateway v2 in front of API gateway because of the requirement of Client Certificate Authentication.

    52 votes
    under review  ·  0 comments  ·  Security