API Management started as a gateway. Route requests, apply policies, limit traffic. That was useful, but by 2020, Azure realized that enterprises needed more. They needed to expose APIs to partners, manage API portfolios, control who gets access to what, and avoid breaking existing consumers when things change. That is the direction in which APIM has evolved. It's not just a gateway anymore, it's how you govern APIs at scale.

The gateway capabilities

Azure API Management's gateway layer handles: rate limiting (by subscription, IP, or header value), JWT validation and OAuth2 integration, response caching, request/response transformation, and backend load balancing. Policies (XML-based rules applied to API calls) implement these capabilities without modifying backend services. The policy engine can transform request format, add headers, validate schemas, and mock responses.

The developer portal

The built-in developer portal provides API documentation, interactive API testing, and subscription management for API consumers. The portal is generated from the API definitions in APIM and can be customised for branding. For organisations exposing APIs to external partners or building an API marketplace, the developer portal reduces the documentation and onboarding burden significantly.

Multi-region gateway deployment

Azure API Management supports multi-region gateway deployment: the management plane is in a primary region, but gateway nodes can be deployed to multiple regions for low-latency regional access. API consumers are routed to the nearest gateway node. This is the enterprise pattern for global API exposure with regional compliance requirements.

Named values and backends as the security model

Hardcoded secrets (backend API keys, certificate thumbprints) in APIM policies are a security risk. Named values provide a parameterised reference to Key Vault secrets that are resolved at runtime. Backend entities define the backend URL and authentication configuration (certificates, bearer tokens) separately from the API definition. The combination allows rotation of backend credentials without modifying API policies.
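As an added example, not taken from the page or from Microsoft's documentation, here is an APIM inbound policy that combines the gateway controls described above (JWT validation, rate limiting) with the named value and backend entity pattern, with the hardcoded alternative shown as a comment. The named values `tenant-id`, `api-audience` and `orders-backend-api-key`, the backend id `orders-backend` and the hostname are assumed placeholders.

```xml
<!-- Added example policy (assumed names), not a policy from the original page -->
<policies>
  <inbound>
    <base />
    <!-- Reject unauthenticated calls before any other policy runs.
         Both tenant and audience come from named values, not literals. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>{{api-audience}}</audience>
      </audiences>
    </validate-jwt>
    <!-- Per-subscription limit; anonymous products fall back to the caller IP -->
    <rate-limit-by-key calls="100" renewal-period="60"
                       counter-key="@(context.Subscription?.Id ?? context.Request.IpAddress)" />
    <!-- WEAK (do not do this): the same header with a literal value, e.g.
         set-header x-api-key value="sk-live-PLACEHOLDER" plus
         set-backend-service base-url="https://orders.internal.example.com".
         Rotating that key then means editing every policy that embeds it. -->
    <!-- CORRECTED: {{orders-backend-api-key}} is a Key Vault-backed named value
         resolved at runtime; the backend entity owns the URL and client
         certificate, so neither appears in the API policy. -->
    <set-header name="x-api-key" exists-action="override">
      <value>{{orders-backend-api-key}}</value>
    </set-header>
    <set-backend-service backend-id="orders-backend" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
    <!-- Do not leak backend implementation details to consumers -->
    <set-header name="X-Powered-By" exists-action="delete" />
    <set-header name="X-AspNet-Version" exists-action="delete" />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Rotating the backend key is then a Key Vault secret update (APIM refreshes Key Vault-backed named values on a schedule, or on demand from the portal), with no policy change and no redeployment.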