Provision, configure, and operationalize Azure API Management (APIM) following Azure Landing Zone (ALZ) design areas and enterprise guardrails.

```
├── azure.yaml                        # Azure Developer CLI (azd) project configuration
├── LICENSE                           # MIT license terms
├── README.md                         # This file - project overview and documentation
├── infra/                            # Infrastructure orchestration
│   ├── main.bicep                    # Subscription-scoped entry point (resource groups + modules)
│   ├── main.parameters.json          # Optional parameters file for direct deployment
│   ├── settings.yaml                 # Centralized configuration for all environments
│   └── azd-hooks/                    # Azure Developer CLI lifecycle hooks
│       └── pre-provision.sh
├── src/                              # Bicep modules organized by functional area
│   ├── shared/                       # Shared infrastructure components
│   │   ├── main.bicep                # Shared infrastructure orchestration
│   │   ├── common-types.bicep        # Bicep type definitions and schemas
│   │   ├── constants.bicep           # Utility functions and constants
│   │   ├── monitoring/               # Monitoring infrastructure
│   │   │   ├── main.bicep            # Monitoring orchestration
│   │   │   ├── operational/
│   │   │   │   └── main.bicep        # Log Analytics workspace + Storage
│   │   │   └── insights/
│   │   │       └── main.bicep        # Application Insights component
│   │   └── networking/               # Network components (placeholder)
│   │       └── main.bicep
│   ├── core/                         # Core API Management platform
│   │   ├── main.bicep                # Core platform orchestration
│   │   ├── apim.bicep                # API Management service with monitoring
│   │   ├── developer-portal.bicep    # Developer portal + Azure AD config
│   │   └── workspaces.bicep          # APIM workspace management
│   └── inventory/                    # API inventory and governance
│       └── main.bicep                # API Center service integration
└── docs/                             # Current documentation
    ├── getting-started/              # Prerequisites and setup guides
    ├── architecture/                 # Architecture overview and design
    └── reference/                    # Technical reference materials
```

| Component | Purpose | Location | Dependencies |
|---|---|---|---|
| Orchestration | Creates single resource group and coordinates deployment | infra/main.bicep | settings.yaml |
| Shared Infrastructure | Log Analytics, Application Insights, Storage Account | src/shared/ | Resource group from orchestration |
| Core Platform | API Management service with monitoring integration | src/core/ | Shared infrastructure outputs |
| API Inventory | API Center service for API catalog and governance | src/inventory/ | Core APIM service integration |
| Configuration | Centralized settings for all deployment parameters | infra/settings.yaml | None (root configuration) |

```mermaid
graph TD
    A[infra/main.bicep] --> B[Single Resource Group]
    A --> C[src/shared/main.bicep]
    A --> D[src/core/main.bicep]
    A --> E[src/inventory/main.bicep]
    C --> F[monitoring/main.bicep]
    F --> G[operational/main.bicep - Log Analytics + Storage]
    F --> H[insights/main.bicep - Application Insights]
    D --> I[apim.bicep - APIM with Monitoring]
    D --> J[developer-portal.bicep - Azure AD Integration]
    D --> K[workspaces.bicep - Multi-tenant Organization]
    E --> L[API Center + Workspace + Source Integration]
    C --> D
    D --> E
```

- Azure Developer CLI (`azd`) v1.10+
- Azure subscription with Contributor + User Access Administrator rights
- PowerShell 7+ or Bash shell
- Git for repository access

Optional but Recommended:

- Azure Developer CLI (`azd`) v1.10+ for simplified deployment

- Clone and Setup

  ```bash
  git clone https://github.com/Evilazaro/APIM-Accelerator.git
  cd APIM-Accelerator

  # Login to Azure
  azd auth login
  ```

- Configure Deployment

  ```bash
  # Review and customize configuration
  code infra/settings.yaml

  # Update required settings:
  # - solutionName: your organization prefix
  # - core.apiManagement.publisherEmail: your email
  # - core.apiManagement.publisherName: your organization
  ```

- Deploy Infrastructure

  ```bash
  # Deploy using Azure Developer CLI
  azd up

  # Preview deployment before running
  azd provision --preview
  ```

- Verify Deployment

  ```bash
  # Monitor deployment status
  azd monitor

  # Show deployed resources
  azd show
  ```

Manual Verification:
- Azure Portal: Check all resources in the resource group
- API Management: Access developer portal and management interface
- Monitoring: Verify Log Analytics workspace and Application Insights data
All environment-specific settings are centralized in infra/settings.yaml:
| Section | Purpose | Key Settings |
|---|---|---|
| `solutionName` | Resource naming prefix | Base name for all resources |
| `shared.monitoring` | Observability stack | Log Analytics, Application Insights |
| `core.apiManagement` | APIM service config | SKU, identity, publisher details |
| `inventory.apiCenter` | API catalog integration | API Center service configuration |
| `tags` | Resource governance | Cost tracking, ownership, compliance |

```yaml
solutionName: "apim-accelerator"

shared:
  monitoring:
    logAnalytics:
      name: "" # Auto-generated: {solutionName}-{uniqueSuffix}-law
      workSpaceResourceId: "" # Optional: use existing workspace
      identity:
        type: "SystemAssigned" # SystemAssigned | UserAssigned
        userAssignedIdentities: []
    applicationInsights:
      name: "" # Auto-generated: {solutionName}-{uniqueSuffix}-ai
      logAnalyticsWorkspaceResourceId: "" # Auto-linked to Log Analytics
    tags:
      lz-component-type: "shared"
      component: "monitoring"

tags:
  CostCenter: "CC-1234"
  BusinessUnit: "IT"
  Owner: "[email protected]"
  ApplicationName: "APIM Platform"
  ProjectName: "APIMForAll"
  ServiceClass: "Critical"
  RegulatoryCompliance: "GDPR"
  SupportContact: "[email protected]"
  ChargebackModel: "Dedicated"
  BudgetCode: "FY25-Q1-InitiativeX"

core:
  apiManagement:
    name: "" # Auto-generated: {solutionName}-{uniqueSuffix}-apim
    publisherEmail: "[email protected]" # REQUIRED: Update this
    publisherName: "Contoso" # REQUIRED: Update this
    sku:
      name: "Premium" # Premium for production, Developer for testing
      capacity: 1 # Scale units (1-3+ for Premium)
    identity:
      type: "SystemAssigned" # Managed identity for secure authentication
      userAssignedIdentities: []
    workspaces:
      - name: "workspace1" # APIM workspaces for organization
  tags:
    lz-component-type: "core"
    component: "apiManagement"

inventory:
  apiCenter:
    name: "" # Auto-generated: {solutionName}-apicenter-{uniqueSuffix}
    identity:
      type: "SystemAssigned" # System identity with Reader + Contributor roles
      userAssignedIdentities: []
  tags:
    lz-component-type: "inventory"
    component: "inventory"
```

- Landing Zone Aligned: Implements Azure Landing Zone design principles with managed identities and comprehensive monitoring
- Single Resource Group: Simplified deployment model with logical component separation through tagging
- Managed Identity: System-assigned identities with automated RBAC assignments (no stored secrets)
- Comprehensive Monitoring: Log Analytics workspace with Application Insights integration and diagnostic settings
- API Governance: API Center integration for centralized API catalog and automated discovery
- Security by Default: HTTPS enforcement, managed identities, least-privilege access, comprehensive logging
- Modular Design: Well-structured Bicep modules with type safety and utility functions
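
The required publisher settings, the managed-identity types and the "Premium for production" SKU guidance in `settings.yaml` can be checked before `azd` provisions anything. The script below is an added example, not the project's own `pre-provision.sh`; the function names `flatten_settings` and `check_settings` are hypothetical, the sample values are constructed, and it assumes two-space YAML indentation and the `dev`/`prod` environment names used in this README.

```sh
#!/bin/sh
# Flatten block-style YAML into "a.b.c=value" lines. Assumes two-space
# indentation as in the settings.yaml excerpt; list items are skipped.
flatten_settings() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      ind = $0; sub(/[^ ].*$/, "", ind); depth = length(ind) / 2
      line = substr($0, length(ind) + 1)
      sub(/[ \t]+#.*$/, "", line)            # drop trailing comment
      if (line ~ /^- /) next
      key = line; sub(/:.*$/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val); gsub(/"/, "", val)
      path[depth] = key
      if (val == "") next                    # parent key or empty value
      full = path[0]
      for (i = 1; i <= depth; i++) full = full "." path[i]
      print full "=" val
    }' "$1"
}

# Print one finding per line and return 1 if there are any.
# $1 = settings file, $2 = azd environment name (dev, prod).
check_settings() {
  flat=$(flatten_settings "$1"); rc=0
  val() { printf '%s\n' "$flat" | sed -n "s/^$1=//p" | head -n 1; }
  fail() { echo "$1"; rc=1; }
  case "$(val core.apiManagement.publisherEmail)" in
    *?@?*.?*) ;; *) fail "publisherEmail is missing or not an address" ;;
  esac
  case "$(val core.apiManagement.publisherName)" in
    ""|Contoso) fail "publisherName still has the sample value" ;;
  esac
  case "$(val core.apiManagement.identity.type)" in
    SystemAssigned|UserAssigned) ;;
    *) fail "apiManagement identity.type is not a managed identity" ;;
  esac
  sku=$(val core.apiManagement.sku.name)
  [ "$2" = prod ] && [ "$sku" != Premium ] &&
    fail "prod uses SKU '$sku', expected Premium"
  return $rc
}

# Constructed sample input: a test-style configuration checked as prod.
sample=$(mktemp)
printf '%s\n' 'core:' '  apiManagement:' '    publisherEmail: "apis@example.org"' \
  '    publisherName: "Contoso" # REQUIRED: Update this' '    sku:' \
  '      name: "Developer"' '    identity:' '      type: "SystemAssigned"' > "$sample"
check_settings "$sample" prod || echo "settings rejected for prod"
```
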
This accelerator implements Azure Landing Zone design areas with a practical, deployable approach:
| Design Area | Current Implementation | Resources |
|---|---|---|
| Identity & Access | System-assigned managed identities with automated RBAC | Managed identities, role assignments |
| Network Topology | Public by default, VNet integration configurable | Optional VNet integration, public endpoints |
| Security | Managed identities, HTTPS by default, comprehensive logging | Diagnostic settings, managed identities |
| Management | Centralized monitoring with Log Analytics and Application Insights | Log Analytics, Application Insights, diagnostic settings |
| Governance | Consistent tagging strategy and centralized configuration | Resource tags, settings.yaml configuration |

```
docs/
├── getting-started/   # Prerequisites and setup requirements
├── architecture/      # Architecture overview and design principles
└── reference/         # Technical specifications and reference materials
```

- docs/getting-started/prerequisites.md - Complete setup requirements
- docs/architecture/overview.md - Architecture design and implementation details
- docs/reference/settings-schema.md - Complete settings.yaml reference
- docs/reference/bicep-modules.md - All Bicep modules and parameters
- docs/reference/azure-resources.md - Complete resource inventory
- docs/reference/permissions.md - RBAC and security configuration

```bash
# Development environment
azd up --environment dev

# Production environment
azd up --environment prod
```

```yaml
# Override auto-generated names in settings.yaml
core:
  apiManagement:
    name: "contoso-prod-apim" # Custom APIM name
shared:
  monitoring:
    logAnalytics:
      name: "contoso-prod-law" # Custom Log Analytics name
    applicationInsights:
      name: "contoso-prod-ai" # Custom App Insights name
```

```yaml
# Development - Cost-optimized
core:
  apiManagement:
    sku: { name: "Developer", capacity: 1 }
```

```yaml
# Production - High-availability
core:
  apiManagement:
    sku: { name: "Premium", capacity: 3 }
```

The accelerator includes comprehensive monitoring out-of-the-box:
- Diagnostic Settings: All resources configured with Log Analytics integration
- Application Insights Logger: APIM automatically sends telemetry to Application Insights
- Managed Identity Integration: Secure monitoring without stored credentials
- Storage Account: Long-term log retention and archival
- API Management: Request count, response time, error rates, gateway logs
- Log Analytics: Query performance, data ingestion, workspace utilization
- Application Insights: Performance counters, dependency tracking, exception analysis
- API Center: API discovery, catalog usage, governance metrics

```kusto
// API request patterns (available immediately after deployment)
ApiManagementGatewayLogs
| where TimeGenerated > ago(1h)
| summarize RequestCount = count() by OperationName, bin(TimeGenerated, 5m)

// Error analysis with response codes
ApiManagementGatewayLogs
| where ResponseCode >= 400
| summarize ErrorCount = count() by ResponseCode, OperationName
| order by ErrorCount desc
```

| Issue | Cause | Solution |
|---|---|---|
| "Insufficient privileges" error | Missing User Access Administrator role | Add User Access Administrator role to deployment user |
| APIM deployment timeout | Premium SKU provisioning time | Premium can take 45+ minutes; use Developer SKU for testing |
| API Center provider not found | API Center not registered | Providers registered automatically during azd deployment |
| Monitoring data missing | Deployment still in progress | Wait for all resources to complete; diagnostic data appears within 5-15 minutes |

```bash
# Pre-deployment validation
azd provision --preview

# Monitor deployment progress
azd monitor

# Show deployment status and resources
azd show

# View deployment logs
azd logs
```

Azure resource providers are automatically registered during azd up deployment. No manual registration is required.
This project is licensed under the MIT License.
- Fork the repository
- Create a feature branch: `git checkout -b feature/your-feature`
- Commit changes: `git commit -am 'Add your feature'`
- Push to branch: `git push origin feature/your-feature`
- Submit a Pull Request

Please read our Contributing Guidelines and Code of Conduct before contributing.
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Security: Security Policy