Azure-Samples / Apim-Samples

Azure API Management Samples

Deploy high-fidelity Azure API Management infrastructures and experiment with real-world policies. Not too much, not too little. Just right.

Open in GitHub Codespaces Getting Started Guide

Infrastructures

Five pre-built Azure architectures, from a simple public APIM instance through to Front Door, Application Gateway, Private Link, and VNet-injected designs.

Samples

Real-world policy examples covering authentication, load balancing, cost allocation, OAuth credential management, and more.

À la carte

Most samples run on any infrastructure. Pick the architecture you care about, then layer the samples that matter to you.

Prefer slides?#

A browser-based slide deck walks you through the architectures and samples. Self-contained — save the page and present offline!

Open the slide deck

Infrastructures#

Each architecture is deployed with a single Jupyter notebook and torn down just as easily. These high-fidelity environments let you explore network patterns, private connectivity, and ingress design without building a full landing zone.

Architecture diagram: a single publicly accessible Azure API Management instance fronting backend APIs

Simple API Management

Just the basics with a publicly accessible APIM instance. The innermost way to experience and experiment with APIM policies. Deploys in about five minutes.

Fastest · Lowest Cost
Architecture diagram: Azure API Management routing to APIs hosted in Azure Container Apps

API Management & Container Apps

APIs implemented in containers running on Azure Container Apps. Contrast calls through APIM against direct container endpoints to feel the difference the gateway makes.

Architecture diagram: Azure Front Door connecting to API Management through a Private Link connection, with VNet-integrated Container Apps backends

Front Door & API Management

A secure implementation with Azure Front Door connecting to APIM via Private Link. Traffic rides entirely on Microsoft-owned networks once it passes Front Door.

Private Link
Architecture diagram: Azure Application Gateway connecting to API Management through a private endpoint in a virtual network subnet

Application Gateway (Private Link)

Application Gateway reaches APIM through a private endpoint in a VNet subnet. APIM Standard V2 accepts the connection, with VNet-integrated Container Apps behind.

Private Link
Architecture diagram: Azure Application Gateway with a fully VNet-injected API Management instance and Container Apps environment

Application Gateway (VNet)

Full VNet injection of APIM and Container Apps. APIM is shielded from any traffic unless it comes through Application Gateway. Maximum isolation.

VNet Injection
Browse all infrastructures on GitHub

Samples#

Each sample is a focused, runnable lab. Open the notebook, press Run All, then poke at the policies. If an infrastructure is not already deployed, the notebook will guide you through creating one.

AuthX

Authentication and role-based authorisation against a mock HR API using JWT validation.

All infrastructures

AuthX Pro

Advanced authentication across multiple APIs with reusable policy fragments and an APIM product.

All infrastructures

Azure Maps

Proxy and shape calls to Azure Maps through APIM to centralise keys, quotas, and telemetry.

All infrastructures

Costing

Track and allocate API costs per business unit using subscriptions, Entra ID application tracking, and AI Gateway token/PTU tracking across both Azure OpenAI Chat Completions and Responses APIs, including streaming (SSE) token usage which is not simple to capture correctly in APIM.

All infrastructures

Dynamic CORS

Dynamic per-API CORS origin validation using custom policy fragments and a maintainable origin mapping.

All infrastructures

Egress Control

Control APIM outbound internet traffic by routing it through an Azure Firewall NVA in a hub/spoke topology with user-defined routes.

appgw-apim · appgw-apim-pe

General

Basic demonstration of sample setup and policy usage. The best first stop.

All infrastructures

Load Balancing

Priority and weighted load balancing across backend pools for resilience and blue-green rollouts.

apim-aca · afd-apim-pe

OAuth 3rd-Party

APIM stores and manages third-party OAuth tokens on the caller's behalf using Credential Manager.

All infrastructures

Secure Blob Access

Valet key pattern: APIM mints short-lived SAS tokens so callers never see storage credentials.

All infrastructures
Browse all samples on GitHub

Quick Start#

From clone to a running APIM lab in under ten minutes. Codespaces is the fastest route because Python, Azure CLI, and Bicep are already installed.

  1. Choose your setup

    Click Open in GitHub Codespaces above, or follow the local setup guide in the repository README.

  2. Deploy an infrastructure

    Open infrastructure/simple-apim/create.ipynb and press Run All. Deployment takes about five minutes.

  3. Run a sample

    Open any samples/*/create.ipynb and press Run All. The notebook will find your infrastructure and deploy onto it.

  4. Experiment

    Modify the policy XML, re-run the deployment cell, fire requests at the gateway, and watch the behaviour change.