
Governance Policies / Azure Web / API Management

Joshua Davis edited this page Apr 5, 2026 · 2 revisions

API Management

Governance policies for Azure API Management (APIM)

Domain: azure-web

Patterns

Name | Description
APIM with VNet integration and Key Vault | Internal APIM deployment with VNet injection, TLS enforcement, and Key Vault-backed secrets

Anti-Patterns

Description | Instead
Do not store secrets as plain-text named values | Use Key Vault-backed named values that the instance reads with its managed identity
Do not expose APIs without authentication policies | Require a subscription key on the product, and validate OAuth 2.0 bearer tokens with validate-jwt in the inbound section
Do not deploy APIM without VNet integration | Use Internal or External virtualNetworkType with a dedicated subnet (VNet injection is only available on the Developer and Premium classic tiers)


Checks (10)

Check | Severity | Description
AZ-APIM-001 | Required | Deploy API Management with managed identity, VNet integration, and TLS 1.2+ enforcement
AZ-APIM-002 | Required | Use subscription keys or OAuth 2.0 for API authentication; never expose APIs without auth
AZ-APIM-003 | Recommended | Implement rate limiting and quota policies on all API products
AZ-APIM-004 | Recommended | Use managed identity for backend service authentication
AZ-APIM-005 | Recommended | Enable zone redundancy for Premium tier APIM instances
AZ-APIM-006 | Recommended | Enable autoscaling or deploy multiple units to handle traffic spikes
AZ-APIM-007 | Recommended | Use Defender for APIs for threat detection and API security insights
AZ-APIM-008 | Recommended | Implement validate-jwt, validate-content, and validate-headers policies for API security
AZ-APIM-009 | Recommended | Use built-in cache or external Redis-compatible cache for frequently accessed API responses
AZ-APIM-010 | Recommended | Disable the direct management REST API

AZ-APIM-001

Deploy API Management with managed identity, VNet integration, and TLS 1.2+ enforcement

Severity: Required
Rationale: APIM fronts every backend API, so it must enforce TLS 1.2 or later on both the client-facing listener and the backend connections, and it should authenticate to backends and Key Vault with a managed identity so that no static credential is stored in the instance
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.ApiManagement/service

Companion Resources

Resource | Name | Purpose
Microsoft.Network/privateEndpoints | pe-apim | Inbound private endpoint for the APIM gateway. Private endpoints cover only the gateway endpoint, not the management or developer-portal endpoints, and on the classic tiers they are not combined with VNet injection: an Internal VNet-injected instance is already reachable only from the VNet
Microsoft.Network/privateDnsZones | privatelink.azure-api.net | Private DNS zone that resolves the gateway private endpoint. An Internal VNet-injected instance instead needs A records for its azure-api.net hostnames pointing at the private VIP
Microsoft.Insights/diagnosticSettings | diag-apim | Diagnostic settings sending GatewayLogs and metrics to Log Analytics; request/response body logging is configured on the service's Azure Monitor diagnostic resource
Microsoft.ApiManagement/service/namedValues | Key Vault named values | Named values backed by Key Vault secrets, read with the instance's managed identity; never store secrets as plain-text named values
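
The Bicep below is an added example, not the wiki's own code or a template from this project. It shows what AZ-APIM-001 and its companion resources look like in one deployment, and includes the AZ-APIM-005, AZ-APIM-006 and AZ-APIM-010 settings because they live on the same resource. The instance name apim-contoso-prod, the publisher values, the Key Vault secret URL and the subnet, public IP and Log Analytics IDs passed as parameters are assumptions; the Key Vault role assignment and the private endpoint are left out on purpose (see the note after the block).

```bicep
// Added example (not the wiki's code): hardened API Management instance for AZ-APIM-001.
// All names, the vault URL and every resource ID passed in are assumptions.
param apimName string = 'apim-contoso-prod'
param location string = resourceGroup().location
param publisherEmail string = 'apim-owners@contoso.example'
param publisherName string = 'Contoso'
@description('Dedicated subnet for APIM; its NSG must allow TCP 3443 inbound from the ApiManagement service tag')
param apimSubnetId string
@description('Standard SKU public IP; the stv2 platform requires one even in Internal mode (management traffic only)')
param managementPublicIpId string
param logAnalyticsId string
param backendKeySecretId string = 'https://kv-contoso.vault.azure.net/secrets/backend-api-key'

resource apim 'Microsoft.ApiManagement/service@2022-08-01' = {
  name: apimName
  location: location
  sku: {
    name: 'Premium'   // VNet injection exists only on Developer and Premium (classic tiers)
    capacity: 2       // AZ-APIM-006: more than one unit, spread evenly across the zones below
  }
  zones: ['1', '2']   // AZ-APIM-005: zone redundancy, Premium only
  identity: {
    type: 'SystemAssigned'   // AZ-APIM-004 and the Key Vault named value below
  }
  properties: {
    publisherEmail: publisherEmail
    publisherName: publisherName
    virtualNetworkType: 'Internal'   // gateway reachable only from inside the VNet
    virtualNetworkConfiguration: {
      subnetResourceId: apimSubnetId
    }
    publicIpAddressId: managementPublicIpId
    // Turn off everything below TLS 1.2 on the client side and the backend side, and 3DES
    customProperties: {
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'false'
    }
    // Refuse control-plane calls made with older management API versions
    apiVersionConstraint: {
      minApiVersion: '2021-08-01'
    }
  }
}

// AZ-APIM-010: keep the direct management REST API disabled
resource directManagement 'Microsoft.ApiManagement/service/tenant@2022-08-01' = {
  parent: apim
  name: 'access'
  properties: {
    enabled: false
  }
}

// Key Vault-backed named value. The system-assigned identity needs secret read
// access on the vault (Key Vault Secrets User role); that assignment is made elsewhere.
resource backendKey 'Microsoft.ApiManagement/service/namedValues@2022-08-01' = {
  parent: apim
  name: 'backend-api-key'
  properties: {
    displayName: 'backend-api-key'
    secret: true
    keyVault: {
      secretIdentifier: backendKeySecretId
    }
  }
}

// Companion diag-apim: gateway logs and metrics to Log Analytics
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-apim'
  scope: apim
  properties: {
    workspaceId: logAnalyticsId
    logs: [
      {
        category: 'GatewayLogs'
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}
```

The customProperties keys are the setting names the service exposes under "Protocols + ciphers"; deploying them through IaC is what makes the TLS posture reviewable rather than a portal toggle. Internal mode still needs name resolution: A records for the instance's azure-api.net hostnames in a private DNS zone, which is a different zone from privatelink.azure-api.net used by private endpoints. Header and body capture for request/response logging is a separate Microsoft.ApiManagement/service/diagnostics resource attached to the Azure Monitor logger, not part of the diagnostic settings above.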

AZ-APIM-002

Use subscription keys or OAuth 2.0 for API authentication — never expose APIs without auth

Severity: Required
Rationale: Unauthenticated APIs allow unrestricted access and abuse. A subscription key identifies a consumer for quota and rate limiting but is a static shared secret; for anything beyond internal or low-risk traffic, validate an OAuth 2.0 bearer token (audience, issuer, expiry, required claims) with validate-jwt as well
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer

Targets

  • Microsoft.ApiManagement/service

AZ-APIM-003

Implement rate limiting and quota policies on all API products

Severity: Recommended
Rationale: Rate limiting prevents abuse and ensures fair usage across consumers
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.ApiManagement/service

AZ-APIM-004

Use managed identity for backend service authentication

Severity: Recommended
Rationale: Eliminates credential management between APIM and backend services; the gateway requests a token for the backend with its managed identity, and the backend verifies that token's audience and issuer instead of trusting the gateway's source IP
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer

Targets

  • Microsoft.ApiManagement/service

AZ-APIM-005

Enable zone redundancy for Premium tier APIM instances

Severity: Recommended
Rationale: WAF Reliability: Zone redundancy ensures resiliency during a datacenter outage within a region; API traffic continues through remaining units in other zones
Agents: cloud-architect, terraform-agent, bicep-agent

Targets

  • Microsoft.ApiManagement/service

AZ-APIM-006

Enable autoscaling or deploy multiple units to handle traffic spikes

Severity: Recommended
Rationale: WAF Reliability/Performance: Sufficient gateway units provide the capacity to meet demand from API clients, preventing failures caused by an under-provisioned gateway
Agents: cloud-architect, terraform-agent, bicep-agent

Targets

  • Microsoft.ApiManagement/service

AZ-APIM-007

Use Defender for APIs for threat detection and API security insights

Severity: Recommended
Rationale: WAF Security: Defender for APIs provides security insights, recommendations, and threat detection for APIs hosted in APIM
Agents: cloud-architect, security-reviewer

Targets

  • Microsoft.ApiManagement/service

AZ-APIM-008

Implement validate-jwt, validate-content, and validate-headers policies for API security

Severity: Recommended
Rationale: WAF Security: Enforcing security checks in gateway policies keeps illegitimate traffic from reaching backend services, protecting their integrity and availability. validate-jwt and validate-content run in the inbound section on the request; validate-headers checks response headers in the outbound section, while request headers, query and path parameters are covered by validate-parameters
Agents: cloud-architect, app-developer, csharp-developer, python-developer, terraform-agent, bicep-agent

Targets

  • Microsoft.ApiManagement/service

AZ-APIM-009

Use built-in cache or external Redis-compatible cache for frequently accessed API responses

Severity: Recommended
Rationale: WAF Performance/Cost: Caching reduces backend load and response latency; the built-in cache avoids the cost of maintaining an external cache. Cache only responses that are safe to share: set vary-by-developer (or vary-by-header on the authorization-bearing header) when a response depends on the caller, or one consumer's data can be served to another
Agents: cloud-architect, app-developer, csharp-developer, python-developer

Targets

  • Microsoft.ApiManagement/service
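
The following is an added example, not the wiki's own code or a policy from this project. It deploys one product-level policy that puts AZ-APIM-002, AZ-APIM-003, AZ-APIM-004, AZ-APIM-008 and AZ-APIM-009 into a single inbound/outbound pipeline. The instance apim-contoso-prod is assumed to exist already with a system-assigned identity; the product name orders, the app ID URIs api://orders-api and api://orders-backend, the role names and the numeric limits are all assumptions.

```bicep
// Added example (not the wiki's code): product policy covering AZ-APIM-002/003/004/008/009.
// Instance name, product, app ID URIs, roles and limits are assumptions.
param apimName string = 'apim-contoso-prod'

resource apim 'Microsoft.ApiManagement/service@2022-08-01' existing = {
  name: apimName
}

// Non-secret named value so the policy XML can reference {{tenant-id}}
resource tenantId 'Microsoft.ApiManagement/service/namedValues@2022-08-01' = {
  parent: apim
  name: 'tenant-id'
  properties: {
    displayName: 'tenant-id'
    value: subscription().tenantId
    secret: false
  }
}

// AZ-APIM-002: a subscription key is required on top of the JWT check in the policy
resource orders 'Microsoft.ApiManagement/service/products@2022-08-01' = {
  parent: apim
  name: 'orders'
  properties: {
    displayName: 'Orders'
    subscriptionRequired: true
    approvalRequired: true   // no self-service keys for this product
    state: 'published'
  }
}

resource ordersPolicy 'Microsoft.ApiManagement/service/products/policies@2022-08-01' = {
  parent: orders
  name: 'policy'
  dependsOn: [tenantId]   // APIM rejects a policy that references a missing named value
  properties: {
    format: 'rawxml'
    value: '''
<policies>
  <inbound>
    <base />
    <!-- AZ-APIM-008: reject anything without a valid Entra ID token before any other work is done -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer" require-signed-tokens="true"
                  require-expiration-time="true" failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://orders-api</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/{{tenant-id}}/v2.0</issuer>
      </issuers>
      <required-claims>
        <claim name="roles" match="any">
          <value>Orders.Read</value>
          <value>Orders.Write</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- AZ-APIM-008: JSON bodies only, at most 100 KiB; anything else is rejected -->
    <validate-content unspecified-content-type-action="prevent" max-size="102400"
                      size-exceeded-action="prevent" errors-variable-name="bodyErrors">
      <content type="application/json" validate-as="json" action="prevent" />
    </validate-content>
    <!-- AZ-APIM-003: per-subscription burst limit and daily quota -->
    <rate-limit calls="100" renewal-period="60" />
    <quota calls="10000" renewal-period="86400" />
    <!-- AZ-APIM-009: built-in cache; vary-by-developer keeps one caller's data out of another's response -->
    <cache-lookup vary-by-developer="true" vary-by-developer-groups="false" caching-type="internal"
                  downstream-caching-type="none" must-revalidate="true">
      <vary-by-header>Accept</vary-by-header>
    </cache-lookup>
    <!-- AZ-APIM-004: replace the caller's token with one minted for APIM's managed identity -->
    <authentication-managed-identity resource="api://orders-backend" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
    <!-- AZ-APIM-008: validate-headers checks response headers against the API definition -->
    <validate-headers specified-header-action="ignore" unspecified-header-action="detect"
                      errors-variable-name="headerErrors" />
    <set-header name="X-Powered-By" exists-action="delete" />
    <cache-store duration="60" />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
'''
  }
}
```

Order matters in the inbound section: validate-jwt runs first so an unauthenticated request is rejected before it counts against the quota, touches the cache, or costs a managed-identity token request; on a cache hit, cache-lookup skips the rest of inbound and the backend entirely. authentication-managed-identity overwrites the Authorization header, so the backend must validate tokens for the audience api://orders-backend and the APIM identity must be granted whatever app role the backend requires. validate-headers sits in outbound because it evaluates response headers; request headers, query and path parameters are checked with validate-parameters.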

AZ-APIM-010

Disable the direct management REST API

Severity: Recommended
Rationale: WAF Security: The direct management API (the instance's own management.azure-api.net endpoint, authenticated with a shared access token rather than Entra ID) is a deprecated, legacy control-plane access point that bypasses Azure RBAC and increases the attack surface; manage the instance through Azure Resource Manager instead
Agents: cloud-architect, security-reviewer

Targets

  • Microsoft.ApiManagement/service
