Microsoft Solutions Partner — Azure · 11,000+ engagements

Azure API Management + Developer Portal Enterprise (2026)

The enterprise Azure API Management and Developer Portal reference — five APIM tiers, six production patterns, OAuth + Entra ID, the full policy library, versioning and revisions, the AI gateway for Azure OpenAI, and a fixed-fee accelerator delivered by a senior-architect-led 29-year Microsoft Solutions Partner.

Book an APIM briefing Call 888-381-9725

What is Azure API Management and how do enterprises deploy a managed API gateway in production? Azure API Management (APIM) is the Microsoft managed API gateway and Developer Portal platform — a single control plane for publishing, securing, transforming, observing, and monetizing APIs across REST, SOAP, GraphQL, and WebSocket protocols. Enterprises deploy it across five tiers (Consumption, Basic v2, Standard v2, Premium, and the self-hosted gateway), six enterprise patterns (API monetization, B2B partner integration, frontend BFF aggregation, hybrid multi-region, legacy SOAP-to-REST bridge, and AI gateway for Azure OpenAI rate limiting), and a Developer Portal with branded self-service onboarding for internal and external consumers. EPC Group activates this stack through a five-phase Assess, Architecture, Build, Secure, Operate accelerator that lands OAuth + Entra ID protection, Key Vault-backed named values, Defender for APIs runtime threat detection, and senior-architect-led managed operations.

Azure API Management is the Microsoft managed API gateway and Developer Portal — five tiers, six enterprise patterns, OAuth + Entra ID protection, full policy expression engine, versioning + revisions, AI gateway for Azure OpenAI. EPC Group activates production-grade APIM through a five-phase accelerator covering tier selection, policy library design, Developer Portal branding, Defender for APIs runtime protection, and managed operations.

Key Facts

Five APIM tiers: Consumption, Basic v2, Standard v2, Premium, self-hosted gateway (Premium feature)
Standard v2 is the modern enterprise default — VNet integration, full Developer Portal, full policy engine
Premium delivers multi-region active-active, self-hosted gateways, internal VNet mode, 99.99% SLA
Six enterprise patterns: monetization, B2B partner mTLS, BFF aggregation, hybrid multi-region, SOAP-to-REST, AI gateway
Policy library covers rate limit, transform, cache, JWT validate, OAuth + Entra ID, custom xml expressions
AI gateway pattern (2025+) — token-limit, emit-token-metric, load-balancer, semantic cache policies for Azure OpenAI
Versioning is consumer-visible (URL, header, query); revisions are internal iterations with safe rollback
29-year Microsoft Solutions Partner, 70+ Fortune 500 clients, fixed-fee APIM Accelerator from $150K to $500K

The five Azure API Management tiers — what each one is and where it fits

Picking the right APIM tier is the single highest-leverage decision an enterprise makes on this platform. The tier determines pricing model, scale ceiling, Developer Portal capabilities, VNet integration, multi-region topology, and self-hosted gateway eligibility. Standard v2 is the modern enterprise default, Premium remains the right answer for multi-region and federal workloads, and the self-hosted gateway is the Premium feature that closes the hybrid and edge gap.

Consumption tier — serverless API gateway

What it is: The Consumption tier is the serverless flavor of Azure API Management — instances spin up on demand, scale automatically, and bill per API call instead of per reserved gateway hour. There is no monthly compute floor and no capacity to size. The cold-start window is sub-second and predictable. The tradeoff is a narrower feature surface — no Developer Portal customization, no VNet integration, no built-in caching, and no self-hosted gateway support. Best for low-volume APIs, prototypes, internal hackathon work, and event-driven serverless APIs where the rest of the stack is also Consumption.

Pay-per-call billing with a generous monthly free grant — no idle compute charges
Auto-scaling without capacity planning — APIM manages instances on your behalf
No VNet integration, no Developer Portal customization, no built-in response caching
Sub-second cold start — significantly faster than legacy Consumption-tier behavior
Best paired with serverless backends — Azure Functions Consumption or Flex Consumption

Fit: Best for: serverless API tiers fronting Azure Functions, low-volume internal APIs, prototype and pilot APIs, dev and test environments where flat monthly cost is over-spend. Not for: regulated workloads needing private networking, branded partner Developer Portals, or any production API requiring the policy expression engine in full.

Basic v2 — fixed-cost SMB and team tier

What it is: The Basic v2 tier is the modern fixed-cost entry tier — predictable monthly compute, full Developer Portal, full policy expression engine, and a sensible API and operation ceiling for small-to-mid teams. Basic v2 ships the rebuilt v2 gateway runtime that addresses the historical Basic-tier latency complaints. It does not include VNet integration or self-hosted gateway support — Standard v2 and Premium remain the answer for those needs.

Fixed monthly cost — predictable budgeting without per-call billing variability
Full Developer Portal — customizable branding, signup flows, subscription self-service
Full policy expression engine — rate limit, transform, cache, validate, custom expressions
No VNet integration — public-only endpoints, suitable for internet-exposed APIs
Best for SMB workloads and team-sized API portfolios under one hundred APIs

Fit: Best for: SMB API portfolios, single-team API ownership models, public-facing APIs that do not need private networking, and customers transitioning from Developer-tier (non-SLA) into the first production tier with an SLA. Not for: VNet-required or regulated workloads — Standard v2 or Premium are the right answer.

Standard v2 — modern enterprise default

What it is: Standard v2 is the modern enterprise default. It runs on the rebuilt v2 gateway runtime, supports VNet integration (the historical Premium-only feature) with private endpoints inbound and outbound, ships full Developer Portal customization, full policy engine, and full Application Insights and Azure Monitor integration. Most net-new enterprise APIM deployments in 2026 start at Standard v2. Premium remains the answer for multi-region active-active topology and self-hosted gateways at scale.

VNet integration with private endpoints — the v2 capability that closed the historical Premium gap
Full Developer Portal customization, branding, custom domains, and partner self-service
Full policy expression engine, OAuth + Entra ID protection, JWT validation, custom xml
Application Insights + Azure Monitor + Log Analytics native integration
Best modern enterprise starting point — re-platforms most legacy Standard and Premium workloads

Fit: Best for: new enterprise APIM deployments in 2026, regulated workloads that need private endpoint inbound and outbound, partner-facing Developer Portals with branded experience, and any enterprise that does not strictly need multi-region active-active gateway topology.

Premium — multi-region active-active and self-hosted

What it is: The Premium tier is the enterprise top tier — multi-region active-active gateway topology with Azure Traffic Manager-coordinated failover, self-hosted gateway containers deployable to Kubernetes or any Docker host, full VNet integration with both internal and external mode, customer-managed keys, availability zone redundancy, and 99.99% multi-region SLA. Premium remains the right answer for any enterprise running APIs across more than one Azure region with active-active traffic, for federal and FedRAMP High deployments needing the strictest network isolation, and for hybrid topologies where the gateway needs to run inside the customer datacenter alongside legacy SOAP services.

Multi-region active-active gateway with Traffic Manager-coordinated failover
Self-hosted gateway containers — Kubernetes, Docker, Azure Arc enabled clusters
Internal VNet mode — gateway endpoints fully private with no public IP at all
Customer-managed keys, availability zone redundancy, 99.99% multi-region SLA
Required for FedRAMP High, CMMC Level 2 with private isolation, and any hybrid cloud topology

Fit: Best for: multi-region active-active APIs, FedRAMP High and CMMC Level 2 deployments, hybrid topologies with self-hosted gateways inside the customer datacenter, and any enterprise requiring 99.99% multi-region SLA. The default tier for regulated, mission-critical, or global APIs.

Self-hosted gateway — your datacenter, your Kubernetes

What it is: The self-hosted gateway is a Premium-tier feature that runs the APIM gateway runtime as a container inside any Docker, Kubernetes, OpenShift, or Azure Arc enabled cluster — including customer datacenters, edge sites, and other clouds. The control plane (Developer Portal, policies, analytics) stays in Azure; the data plane (the gateway processing requests) runs wherever you put the container. The configuration synchronization runs over an outbound-only HTTPS channel — no inbound ports on the customer firewall. Best for hybrid topologies where backend services live on-premises and the gateway needs network adjacency, for edge-deployed APIs in retail or manufacturing, and for compliance topologies where API traffic cannot leave the customer datacenter.

Premium tier feature — APIM control plane in Azure, data plane wherever you deploy it
Runs as a Docker container — Kubernetes, OpenShift, Azure Arc, plain Docker hosts
Outbound-only configuration sync — no inbound ports on the customer firewall
Best fit for hybrid topologies, edge sites, and regulated workloads with data-residency rules
Cross-references our /azure-arc-hybrid-multicloud-enterprise-2026 hub for the broader Arc story

Fit: Best for: hybrid topologies with on-premises legacy backends, edge-deployed APIs at retail or manufacturing sites, multi-cloud deployments where APIs route to AWS or GCP backends, and any data-residency or sovereign-cloud requirement where API traffic cannot leave a specified jurisdiction.

Six enterprise Azure API Management patterns

Every enterprise APIM deployment composes from six reusable patterns. EPC Group ships each pattern with the production-grade plumbing — policy fragment library, named values backed by Key Vault, Application Insights instrumentation, and Defender for APIs runtime protection — that the default templates do not include.

Pattern 1 — API monetization with the Developer Portal

API monetization is the canonical Developer Portal use case. Third-party developers discover the API catalog through a branded Developer Portal, self-register, agree to terms of service, select a subscription product (free tier, paid tier, partner tier), and receive subscription keys that gate access in the gateway. Usage metering feeds Application Insights and a billing system — Stripe, NetSuite, Dynamics 365 Finance — through Event Grid or Logic Apps. EPC Group ships this pattern with branded Developer Portal templates matching customer typography and color, OAuth + Entra ID External Identities for federated signup, subscription-product mapping to commercial SKUs, and usage-quota policies enforced at the gateway tier. Common applications — public APIs for fintech, payment processors, logistics aggregators, AI inference APIs, and any product where API access itself is the revenue stream.

Pattern 2 — B2B partner integration with mTLS and signed payloads

B2B partner integration is the enterprise pattern for trusted business-to-business APIs — supplier integrations, customer integrations, broker integrations, and any partner where the relationship is contractual rather than self-serve. EPC Group ships this pattern with mTLS (mutual TLS) for transport-level partner authentication, signed payload validation (HMAC or JWS) in policy, IP allow-listing layered on top of mTLS for defense in depth, and per-partner subscription keys with named-policy fragments scoping access to only the operations that partner is contracted for. Onboarding runs through a partner-onboarding workflow rather than the public Developer Portal — partners receive credentials through secured channel, not self-signup. The pattern most often replaces legacy EDI, SFTP-with-PGP, or VPN-tunneled SOAP integrations.

Pattern 3 — Frontend BFF and aggregation gateway

The Backend-for-Frontend (BFF) and aggregation pattern uses APIM as the API tier for single-page applications, mobile apps, and AI agent backends — composing responses from multiple downstream microservices into a single shaped response the client needs. EPC Group ships this pattern with the APIM policy engine doing the composition (send-request policies in parallel, choose-when branching on response codes, and a final transform shaping the aggregated response), OAuth + Entra ID protecting every endpoint, response caching for read-heavy operations, and managed identity authenticating outbound to downstream Azure SQL, Cosmos DB, Service Bus, and Azure Functions. The combination delivers a fully managed API tier at a fraction of the cost and operational overhead of running a custom BFF service on App Service or AKS.

Pattern 4 — Hybrid and multi-region API gateway topology

The hybrid and multi-region pattern uses Premium tier with multi-region active-active deployment plus self-hosted gateways. Public API consumers route through Azure Traffic Manager or Azure Front Door to the closest active Azure region. Internal consumers route through self-hosted gateways inside the customer datacenter to legacy backend services that cannot be lifted into Azure. Region failure triggers Traffic Manager-coordinated failover within seconds — partner consumers do not see the outage. EPC Group ships this pattern with health-probe configuration, region-aware policy fragments (regional Application Insights, regional Key Vault references), customer-managed key replication across the regional gateways, and the runbook the SRE team executes during a regional failover event. Required topology for any enterprise running global APIs with hard regional residency or active-active uptime SLAs.

Pattern 5 — Legacy SOAP-to-REST modernization bridge

The SOAP-to-REST bridge is the canonical legacy modernization pattern — legacy SOAP services running on-premises (or in legacy IIS, WCF, or Java application servers) need a modern REST-and-JSON surface for new mobile, single-page, and AI agent consumers without rewriting the underlying SOAP service. EPC Group ships this pattern with WSDL import into APIM (generating REST-style operations from the underlying SOAP contract), XML-to-JSON transform policies on inbound requests, JSON-to-XML transform policies on outbound responses, fault-translation policies converting SOAP faults to RFC 7807 problem-details JSON, and the SOAP envelope manipulation that masks the underlying transport from the consumer. The pattern extends the useful life of legacy SOAP investments by a decade while enabling modern consumer experiences immediately.

Pattern 6 — AI gateway for Azure OpenAI rate limiting and observability

The AI gateway pattern is the 2026 fastest-growing APIM use case — placing Azure API Management in front of Azure OpenAI Service deployments to enforce per-application token quotas, distribute load across multiple OpenAI deployments (different regions, different model versions, different SKUs), capture prompt-and-completion telemetry for cost attribution and policy compliance, and apply guardrail policies (PII redaction, prompt-injection detection patterns, output-content filtering) before responses return to the consumer. EPC Group ships this pattern with the token-limit policy (the APIM AI gateway feature released in 2025), the emit-token-metric policy feeding Application Insights with prompt+completion token counts, load-balancing policy across multiple Azure OpenAI deployments, semantic caching policy on common prompts, and the per-consumer subscription model mapping internal applications to AI usage budgets. Cross-references our hub for the underlying Azure OpenAI service. See our Azure OpenAI Service enterprise hub for the underlying service.

Developer Portal customization — branded API self-service

The Developer Portal is the consumer-facing surface of APIM — the branded site where partners and internal teams discover the API catalog, read documentation, try operations in a live console, register for subscriptions, and manage their keys. Standard v2 and Premium tiers ship full Developer Portal customization. EPC Group builds branded portal experiences that read as the customer’s own product rather than a generic Azure surface.

Visual branding and theming

Customer typography, color palette, header and footer, logo, and favicon applied across every Developer Portal page through the managed portal editor or self-hosted Jekyll-style portal codebase committed to source control.

API catalog information architecture

Categories, products, tags, and search faceting tuned for consumer findability — public APIs separated from partner APIs separated from internal APIs, each with its own gated registration and documentation experience.

Branded signup and OAuth flow

Self-service signup federated to Entra ID External Identities (the modern External ID for B2C), OAuth authorization code flow for testing operations from the live console, and per-product approval workflow for paid or sensitive APIs.

Code samples in every language

Auto-generated code samples in C#, JavaScript, Python, Java, PowerShell, and curl rendered alongside each operation — copy-paste-and-run ergonomics that materially reduce partner integration time.

Try-it console with OAuth

Live request console pre-authenticated via the developer’s OAuth session — operations execute against the real gateway with the developer’s real subscription key in scope, returning real responses. Materially better than documentation-only portals.

Custom domain and SSL

Custom domain (developers.yourbrand.com or api.yourbrand.com), customer-managed SSL certificate, and the portal indistinguishable from a first-party product experience — no .developer.azure-api.net subdomain in the consumer experience.

Identity and access

OAuth 2.0 and Entra ID — protecting every API consistently

Every enterprise API needs identity, and the right answer in 2026 is OAuth 2.0 + Entra ID for internal APIs, OAuth 2.0 + Entra External Identities for external consumers, and mTLS for partner B2B integration. APIM ships the validation primitives — the validate-jwt policy for OAuth bearer tokens, the validate-client-certificate policy for mTLS, and the subscription-key check for the gateway-managed key model. EPC Group standardizes the auth strategy across the API portfolio so consumers see one consistent experience instead of a different auth model per API.

Internal APIs — Entra ID OAuth

Internal application-to-API and user-to-API traffic protected by Entra ID OAuth bearer tokens, validated at the gateway through the validate-jwt policy with tenant + audience + scope checks.

External — Entra External Identities

Public consumers and external developers authenticate against Entra External Identities (the modern B2C surface), federated to social and enterprise IDPs as needed, then receive OAuth tokens validated identically at the gateway.

Partner B2B — mTLS

Partner integrations use mutual TLS for transport-level auth — client certificates pinned, certificate revocation policy enforced, and named partner subscription keys layered on top for per-partner authorization scope.

The APIM policy library — rate limit, transform, cache, validate, custom xml

Policies are the core of APIM. Each policy is an XML expression evaluated in inbound, backend, outbound, and on-error stages — and policies compose. EPC Group builds a reusable policy fragment library at Phase 2 so every API in the portfolio inherits the same auth, rate-limit, transform, observability, and error-handling behavior without copy-pasting policy XML across APIs.

Rate limit and quota policies

rate-limit-by-key, quota-by-key, rate-limit (per-subscription), and quota (per-subscription monthly) — enforcing fair use, monetization tier ceilings, and downstream backend protection at the gateway before requests reach origin.

Transform policies

set-header, set-body, rewrite-uri, xml-to-json, json-to-xml, set-status — reshape requests and responses without modifying backend services. The lever that enables SOAP-to-REST bridging and aggregation patterns.

Cache policies

cache-lookup, cache-store, cache-remove-value — built-in response caching at the gateway for read-heavy operations. Standard v2 and Premium tiers ship internal cache; external Azure Cache for Redis is supported for higher-capacity needs.

Validation policies

validate-jwt, validate-client-certificate, validate-content (JSON schema), validate-parameters, validate-headers, validate-status-code — request and response conformance enforced at the gateway with reject-on-fail behavior.

Custom xml expressions

C#-like expression syntax inside policy XML — context.Request, context.Response, context.Subscription, and the full set of helper methods enabling custom logic that does not require a Lambda authorizer or sidecar function call.

Policy fragments

Named policy fragments — reusable XML snippets included by reference across many APIs. The library every enterprise should maintain so security and observability behavior is consistent and centrally versioned.

Versioning and revisions — the difference and why it matters

APIM cleanly separates two related concepts that most legacy gateway tooling conflates. A version is a consumer-visible variant — /v1/, /v2/, or a header value — and is the right tool for breaking changes that consumers must opt into. A revision is an internal iteration of a specific version — multiple revisions can exist per version and you swap which one is current without consumer-visible change. Revisions are the right tool for non-breaking implementation changes with safe rollback.

Versions — for breaking changes

Public, consumer-visible variants. Semantic versioning recommended (v1, v2, v3). Versioning scheme can be URL path, header, or query parameter. Consumers explicitly choose which version they call. Deprecation requires documented sunset window.

Revisions — for safe iteration

Internal, non-consumer-visible iterations of a version. Lifecycle states — draft, smoke-tested, current, archived. Make a revision current to swap behavior instantly; revert by making a prior revision current again. The cleanest rollback model most gateways have.

The EPC Group Azure API Management Accelerator — five phases, fixed fee

The accelerator anchors on The EPC Group Lifecycle — Assess, Architecture, Build, Secure, Operate. Fixed-scope between $150,000 and $500,000 depending on portfolio size, regulatory scope, Developer Portal branding requirements, and managed-service tail. Senior-architect led, no offshore handoff.

Phase 1 — Assess

API portfolio inventory in three weeks

Phase one inventories every API surface currently published across the tenant — legacy SOAP, sidecar REST services, Function-app HTTP triggers, App Service web APIs, AKS-hosted microservices, and any partner-facing integration endpoint. EPC Group documents the consumer landscape (internal apps, partners, public consumers, AI agent clients), the auth model in use for each (Entra ID, OAuth, API key, mTLS, no-auth), the current rate-limiting and quota story, and the cost-attribution gap. The deliverable is a costed activation roadmap, a tier-selection recommendation, and a fixed-fee accelerator anchored on the Assess stage of the EPC Group Lifecycle.

API portfolio census across all subscriptions — REST, SOAP, GraphQL, WebSocket, AsyncAPI
Consumer landscape — internal apps, partners, public, AI agents — auth model per consumer
Tier economics — Basic v2 / Standard v2 / Premium cost comparison against actual traffic
Developer Portal scoping — branding requirements, signup flows, subscription products
Activation backlog with effort, sequence, dependency annotations, and Year-1 cost model

Phase 2 — Architecture

Target-state APIM topology and policy library

Phase two designs the target APIM topology — single-region or multi-region, public-only or VNet-integrated, single tenant or shared platform serving multiple business units, with or without self-hosted gateways at edge or on-premises. EPC Group documents the named-value and Key Vault reference architecture, the policy fragment library every API will compose from (auth, rate limiting, caching, transformation, observability), the versioning and revision strategy, and the Developer Portal branding and signup-flow design. This is the architectural artifact a CTO and platform leader sign before any production cutover.

APIM tier and topology — Standard v2 single region, Premium multi-region active-active, or hybrid
Policy fragment library — reusable auth, rate-limit, transform, validate, observability fragments
Versioning and revision strategy — semantic versioning, revision lifecycle, deprecation policy
Developer Portal information architecture — categories, products, branded signup flow design
Named values and Key Vault reference design — secret management without app-settings sprawl

Phase 3 — Build and migrate

Stand up Standard v2 or Premium, onboard the first 20 APIs

Phase three is the build phase — provision the target APIM instance, configure VNet integration and private endpoints, deploy the policy fragment library through Bicep or Terraform IaC, onboard the first 20 production APIs (prioritized by traffic and revenue exposure), and cut traffic from legacy gateways. EPC Group migrates SOAP services through the WSDL import pipeline, REST services through OpenAPI import, and legacy custom gateways through manual policy translation when no contract artifact exists. Cutover is side-by-side per API — old gateway and new gateway run in parallel for a configurable burn-in period before DNS shift retires the legacy endpoint.

APIM instance provisioned via Bicep or Terraform — VNet, private endpoints, named values
Policy fragment library deployed and version-controlled in the same repo as the IaC
First 20 APIs onboarded — OpenAPI or WSDL import, policy composition, smoke tests
Developer Portal branded, content authored, signup workflow live, partner pilot launched
Cutover via Traffic Manager or DNS shift — zero-downtime traffic migration per API

Phase 4 — Secure and govern

Entra ID OAuth, Key Vault, Defender, audit-ready evidence

Phase four hardens the deployment — replace any inline API keys or secrets in policies with Key Vault references, enforce OAuth + Entra ID validation on every internal API, layer mTLS for partner APIs, configure Defender for APIs (the APIM-native cloud-native API protection module) for runtime threat detection, and ship the audit evidence package the customer compliance team owns. EPC Group documents Conditional Access export, named-value Key Vault reference inventory, private-endpoint topology, Defender for APIs alert configuration, and Application Insights retention configuration as Phase-4 deliverables.

All inline secrets migrated to Key Vault references — zero hard-coded API keys in policies
OAuth + Entra ID JWT validation on every internal API — managed identity downstream
mTLS partner-API onboarding workflow — client cert pinning, certificate revocation policy
Defender for APIs enabled — runtime threat detection, OWASP API top-10 alert ruleset
Audit evidence package — CA export, MI inventory, PE topology, Defender alerts, AI retention

Phase 5 — Operate

Managed APIM with senior-architect escalation

Phase five is steady-state operation. EPC Group provides managed Azure API Management services — Developer Portal content stewardship, partner onboarding workflow execution, policy-library evolution, quarterly cost optimization, runtime threat-response triage on Defender for APIs alerts, and quarterly API governance steering committee output. Senior-architect on-call escalation for incident-tier gateway events. The APIM platform is operationally cheap on the platform side and expensive on the human side when there is no governance — Phase 5 closes that gap.

Monthly Application Insights health report — error rate, latency, quota breaches, scaling events
Quarterly cost optimization — tier sizing, capacity unit right-sizing, self-hosted gateway scaling
Continuous Defender for APIs threat triage — OWASP API top-10 alerts, false-positive tuning
Senior-architect on-call escalation for gateway incidents — outages, latency, policy regressions
Quarterly API governance steering committee — roadmap, partner backlog, deprecation schedule

Governance and compliance — APIM controls mapped to your regulatory reality

Azure API Management is in scope for HIPAA, FedRAMP, CMMC, FINRA, SOC 2, GxP, and ISO 27001 when deployed with the right tier, identity model, and private-networking baseline. EPC Group ships every regulated-industry APIM deployment with the evidence package — named-value Key Vault reference inventory, private-endpoint topology, Defender for APIs alert configuration, OAuth + Entra ID validation policy export, and Application Insights retention configuration — as the Phase 5 deliverable.

HIPAA

SOC 2

FedRAMP

FINRA

CMMC

GxP

Cost optimization

Cost optimization — tier right-sizing and capacity unit tuning

APIM cost optimization runs on three levers — right-tier, right-size capacity units, and consolidate fragmented gateway deployments. EPC Group customers see 20 to 35 percent first-year API gateway spend reduction across the portfolio when all three are applied as part of the Phase 5 Operate program.

Lever 1 — Right-tier

Most legacy v1 APIM deployments run on Premium because v1 Standard did not support VNet integration. v2 Standard now does. Re-tiering from v1 Premium to v2 Standard for single-region workloads typically delivers 50 to 70 percent monthly compute reduction.

Lever 2 — Right-size capacity

Capacity unit sizing is usually a guess at provisioning time and never revisited. Quarterly review against actual traffic metrics tunes capacity down to what Application Insights data justifies — typically a 30 to 50 percent reduction in pre-provisioned capacity cost.

Lever 3 — Consolidate gateways

Enterprises often run 3 to 5 fragmented API gateways (legacy IBM, Kong, AWS API Gateway, custom Nginx) accumulating cost and operational overhead. Consolidating onto a single APIM instance with workspace isolation reduces tooling cost and the operational tax on platform engineering.

Why EPC Group leads enterprise Azure API Management deployments

Years Microsoft consulting

70+

Fortune 500 clients

11,000+

Total engagements

216+

M&A tenant consolidations

Microsoft Solutions Partner — Azure Infrastructure + Digital & App Innovation

Microsoft Solutions Partner with Infrastructure (Azure), Data & AI (Azure), Digital & App Innovation (Azure), and Security designations. Senior architects average two decades of Microsoft platform delivery experience across API gateway, identity, and integration platforms.

Four-time Microsoft Press author

Founder Errin O’Connor has nearly three decades of Microsoft consulting leadership and is a four-time Microsoft Press author across Power BI, SharePoint, Azure, and large-scale migrations.

Fixed-fee accelerators

Every APIM engagement is fixed-fee with a costed roadmap and a named senior architect on-record from kickoff through go-live. No T&M overruns, no offshore handoff, no junior-analyst-led production cutover.

Compliance-native

EPC Group is FedRAMP-aligned and compliance-native across HIPAA, SOC 2, FINRA, CMMC, and GxP. APIM deployments ship with audit-ready named-value Key Vault inventory, private endpoint topology diagrams, Defender for APIs alert configuration, and OAuth + Entra ID policy export — not generic screenshots.

Continue exploring the EPC Group enterprise Microsoft library

APIM is the API gateway plane under which the broader Microsoft cloud stack — Azure Functions, Microsoft Graph, Entra ID, Azure OpenAI — composes. These hubs and analyses cover adjacent and complementary territory.

Microsoft Cloud Orchestrator

The end-to-end Microsoft cloud orchestration model under which Azure API Management is the gateway plane for every consumer-facing API surface.

Azure consulting services

The full Azure consulting practice — landing zones, governance, FinOps, security, identity, integration, and serverless — delivered fixed-fee.

Microsoft Graph API enterprise guide

The Microsoft 365 API surface APIM often fronts for partner integrations and AI agent backends that consume Graph data through a governed gateway tier.

Azure Functions + serverless enterprise guide

The serverless compute plane most often paired with APIM as the API tier — sidecar HTTP APIs, BFF backends, webhook receivers, and event-driven processors.

Azure OpenAI Service enterprise guide

The GenAI plane APIM fronts as an AI gateway — token-limit, emit-token-metric, semantic cache, and load-balancer policies for governed multi-team OpenAI access.

Digital transformation with Microsoft enterprise guide

The platform transformation framework under which API management replaces fragmented gateway sprawl and Developer Portal-driven partner onboarding replaces email.

Frequently asked questions — Azure API Management and Developer Portal

Azure API Management vs Apigee — what are the differences enterprises care about?

Azure API Management and Google Apigee are both top-tier enterprise API gateway platforms and they cover overlapping ground, but the differences matter for any Microsoft-centric enterprise. APIM has tighter native integration with the rest of the Microsoft cloud — Entra ID identity (OAuth, managed identity, Workload ID Conditional Access), Microsoft Defender for APIs runtime protection, Application Insights observability, Key Vault references for named-value secrets, and Azure Functions / Logic Apps / App Service / AKS backend integration all work without integration plumbing. Apigee has a longer history in API monetization, broader analytics tooling, and a more mature multi-cloud deployment story for organizations already on GCP. The pragmatic decision in 2026 — enterprises already deep in Microsoft (Microsoft 365, Entra ID, Power Platform, Fabric, Azure) build their API gateway tier on APIM; enterprises deep in Google Cloud keep Apigee. Dual-gateway architectures are rare and almost always transitional rather than steady-state.

Azure API Management vs Kong — should I pick the open-source gateway?

Kong is the leading open-source API gateway and Kong Enterprise / Kong Konnect compete with APIM on commercial features. Kong wins on raw gateway performance per CPU core at very high request rates, on Kubernetes-native deployment ergonomics, and on the open-source extensibility model where teams build custom plugins in Lua or Go. APIM wins on managed-service operational overhead (you do not run the control plane), on Developer Portal time-to-value (the APIM portal ships ready out of the box, Kong Konnect portal requires more configuration), on Entra ID and Microsoft cloud integration depth, and on the audit-evidence package regulated enterprises need. The decision depends on team profile — engineering-heavy organizations with platform teams that want full control and have the headcount choose Kong; teams that need the managed-service operational model and Microsoft integration depth choose APIM.

Azure API Management vs AWS API Gateway — what is the comparison?

AWS API Gateway and Azure API Management are the two market-leading hyperscale-cloud API gateways and they cover the same baseline territory — request routing, throttling, auth integration, observability, and consumer self-service through a Developer Portal. The differentiators in 2026 — APIM ships a richer policy expression engine (named policy fragments, XML-based composition, custom expressions in C#-like syntax) where AWS API Gateway leans more on Lambda authorizers for custom behavior; APIM ships a far more capable Developer Portal out of the box; AWS API Gateway has tighter native Lambda integration where APIM has tighter Functions + Logic Apps + AKS integration. The enterprise decision is again platform alignment — Microsoft-centric organizations choose APIM, AWS-centric organizations choose API Gateway, and dual-gateway environments are transitional artifacts of multi-cloud strategy.

Azure API Management vs Tyk and other emerging open-source gateways?

Tyk is the second most-deployed open-source API gateway after Kong and is particularly strong in the Kubernetes-native and edge-deployment use cases. Tyk wins on lighter operational footprint than Kong, simpler dashboard, and a strong GraphQL federation story. APIM wins on managed-service overhead (no control plane to run), on Entra ID and Microsoft Defender for APIs integration, on the rich policy expression engine, and on enterprise procurement and compliance posture. EPC Group sees Tyk most often in Kubernetes-first organizations with platform engineering teams that want the open-source model, and APIM in enterprises that want managed-service operational overhead and tighter Microsoft cloud integration. Both can coexist in larger enterprises where different teams own different API portfolios.

How do APIM tiers compare on cost and what should I pick in 2026?

For new enterprise APIM deployments in 2026, the default recommendation is Standard v2. It delivers VNet integration with private endpoints (the historical Premium-only feature that drove most v1 enterprises onto Premium tier unnecessarily), the rebuilt v2 gateway runtime with better cold-start and scale behavior, full Developer Portal customization, and the full policy expression engine — at a price point well below Premium. The Premium tier remains the right answer for three specific cases — multi-region active-active deployments needing Traffic Manager-coordinated failover, self-hosted gateways at scale running inside customer datacenters or other clouds, and federal or FedRAMP High deployments requiring internal VNet mode with zero public IP. The Basic v2 tier is the right answer for SMB and single-team API portfolios that do not need VNet integration. The Consumption tier is the right answer for serverless API tiers fronting Functions backends where the rest of the stack is also serverless. EPC Group runs tier modeling during Phase 1 of the accelerator using actual traffic data — the answer depends on real consumer volume, not theoretical claims.

When does the self-hosted gateway make sense and how is it operated?

The self-hosted gateway is a Premium-tier feature and the right answer in three specific topologies. Topology one — hybrid backends. When the API backend services live on-premises (legacy SOAP, mainframe, legacy SQL) the gateway has to be network-adjacent to the backend for latency and security reasons; the self-hosted gateway runs inside the customer datacenter on Kubernetes or Docker. Topology two — edge deployment. Retail point-of-sale, manufacturing-floor IoT, and similar edge sites need a local API gateway terminating local APIs without the round-trip to Azure region. Topology three — multi-cloud and sovereign cloud. When APIs route to AWS or GCP backends, or when data-residency rules forbid traffic transiting Azure regions outside a specified jurisdiction, the self-hosted gateway runs in the target cloud or region. Operations follow the Kubernetes-native model — the gateway container deploys via Helm chart, configuration syncs through an outbound HTTPS channel from the APIM control plane in Azure, and observability ships back to Application Insights via the standard telemetry connector. EPC Group includes self-hosted gateway design and the first cluster deployment as part of the Phase 3 build phase for any topology requiring it.

How do versioning and revisions work in Azure API Management?

APIM separates versioning from revisions and the distinction matters. A version is a public, consumer-visible variant of an API — typically expressed as a URL path segment (/v1/, /v2/), a header value, or a query parameter — and consumers explicitly choose which version they call. Versions are how you ship breaking changes without breaking existing consumers. A revision is an internal, non-consumer-visible iteration on a specific version — you can have ten revisions of v1 under the hood, each one a candidate deploy, and you swap which revision is current for that version without consumers seeing the change. Revisions are how you ship non-breaking implementation changes (policy tweaks, backend swaps, header additions) with safe rollback if anything regresses. EPC Group standardizes on semantic versioning for public versions, a revision lifecycle (draft → smoke-tested → current → archived) for revisions, and a deprecation policy that gives consumers a documented sunset window before a version is removed. The combination is the cleanest version-and-revision discipline most enterprise API portfolios will ever see.

How does the AI gateway pattern work for Azure OpenAI rate limiting and cost attribution?

The AI gateway pattern places APIM in front of Azure OpenAI Service deployments and uses the token-limit, emit-token-metric, and load-balancer policies released in 2025 specifically for this use case. The token-limit policy enforces per-subscription-key prompt-plus-completion token quotas at the gateway tier — a finance department subscription can be capped at 1 million tokens per month, an engineering subscription at 10 million, and the cap is enforced before the request reaches Azure OpenAI. The emit-token-metric policy ships prompt-and-completion token counts to Application Insights with consumer subscription, operation, and model dimensions — Power BI dashboards built on the Log Analytics workspace give finance the per-team and per-application cost attribution they need without parsing per-deployment OpenAI billing. The load-balancer policy distributes requests across multiple Azure OpenAI deployments (different regions, different model versions, different SKUs — Standard, Provisioned, Batch) with weight-based or fallback routing. Semantic caching policy uses embedding similarity to return cached responses for similar prompts. The combination delivers governance, cost attribution, and resilience as managed-service features rather than custom application code. EPC Group ships this pattern as part of any Azure OpenAI deployment that involves more than one consuming application.

Consolidate your API gateways — and cut 20 to 35 percent of first-year APIM spend

Book an Azure API Management briefing with an EPC Group senior architect. Two-hour working session — API portfolio inventory, tier economics review, Developer Portal branding scoping, AI gateway opportunity assessment, and accelerator scoping. Zero obligation, board-ready output.

Book the briefing 888-381-9725

‌
‌
‌

‌
‌