hands-on lab

Azure API Management Policies and Security

Up to 1h 30m
Lab description

API Management (APIM) is Azure's API gateway service allowing you to create consistent, modern APIs for a variety of backend services. APIM provides powerful capabilities, such as rate-limiting, quotas, and security. These capabilities can be applied to existing backend services without requiring any additional code.

This lab explores some of these capabilities using a backend service hosted on Azure App Service. You will learn about APIM policies and how they can modernize legacy APIs, and add a layer of security in front of backend services. You will also learn about API Management's built-in API key facilities called subscriptions.

Learning Objectives

Upon completion of this intermediate-level lab, you will be able to:

  • Create an Azure API Management service instance
  • Create APIs in API Management
  • Use API Management policies to transform responses and secure APIs
  • Secure APIs in API Management with Subscriptions
  • Secure APIs in API Management with Client Certificates

Intended Audience

  • Candidates for Microsoft Azure Developer Certifications
  • Developers


Prerequisites

Familiarity with the following is beneficial but not required:

  • Azure App Service
  • RESTful APIs
  • JSON
  • XML

The following content can be used to help fulfill the prerequisites:


March 1st, 2024 - Resolved Check function issue

December 19th, 2023 - Resolved container creation issue

February 1st, 2023 - Updated the instructions and screenshots to reflect the latest UI

September 22nd, 2022 - Migrated lab to use Cloud Academy Web Terminal

August 31st, 2021 - Added instructions to work around an Azure bug when modifying the OpenAPI JSON spec

About the author
Logan Rakai
Lead Content Developer - Labs

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.

Lab steps

  • Logging in to the Microsoft Azure Portal
  • Creating an Azure API Management Instance
  • Defining Your API in API Management
  • Using API Management Policies to Manipulate Responses
  • Authenticating Requests with API Management Subscriptions
  • Logging In to the Azure CLI in the Web Terminal
  • Securing API Management APIs with Client Certificates