Managing a Distributed API Estate Efficiently with Azure API Management and Self-Hosted Gateways

Managing a Distributed API Estate Efficiently with Azure API Management and Self-Hosted Gateways

Azure API Management (APIM) is a cloud-based service that enables you to create, publish and manage your APIs behind a secure, consistent façade. You can create and manage policies that control access to your APIs, enforce usage quotas, and transform requests and responses.


Azure APIM gateways are the proxy for handling API requests. Self-hosted gateways (SHGW) are a capability of Azure APIM which allow you to deploy an instance of the API gateway component of APIM outside of Azure, such as on-premises or on a different cloud platform. Self-hosted gateways are unique to Azure APIM.


API Center is an Azure service that provides a central point of discovery, reuse and governance for APIs in Azure, on-premises, or in other clouds. New features coming include API synchronisation from APIM and Git repos, and API compliance monitoring.




Increasing demand for system integration and interoperability is a universal requirement that has driven a huge growth in API development and has led to a proliferation of APIs. APIs enable different systems to easily speak to one another and have become the building blocks of product ecosystems, monetising data assets and driving greater service agility and innovation. There is also a move to migrate legacy APIs into the cloud to reduce cost and provide additional resiliency to priority workloads.



However, this increase in API dependency has come with its own challenges. APIs built across teams and time lack consistency, are implemented in different technologies, and are deployed on a multitude of different hosting platforms, from on-premises to cloud. This makes the job of managing an API estate efficiently extremely difficult. Lack of a single view of capability for management increases the effort required to operate and protect your API inventory, and prevents effective discovery leading to low rates of reuse, driving duplication.


I was recently working with a customer that was looking to simplify management of their API estate. They had a large number of mission critical APIs scattered across cloud and on-premises. They didn’t know where they all lived, how many duplicates existed, and really needed to consolidate, standardise, and have a view of all their APIs via a single pane of glass.



The high-level requirements for the customer to address their challenges included:

  • Support for distributed APIs with minimal latency overhead.
  • A secure façade for APIs, which hides the underlying API differences from the end user.
  • And importantly, a single management plane for the entire estate



Azure APIM with SHGW provides a solution which meets all of these requirements. The following diagram is based on the Azure APIM landing zone accelerator, but adds SHGW elements.


APIM + SHGW HL ArchitectureAPIM + SHGW HL Architecture


  1. Azure APIM instance, comprising Developer Portal (a fully configurable website that provides a central location for API discovery, experimentation, testing, and reuse), Gateway, and Management Plane (an interface for managing your APIM instance, including how your APIs are exposed, protected, and versioned). The APIM is configured in Internal Mode to prevent the instance from being directly publicly accessible. The instance is only accessible via the configured App Gateway, or via a peered network.
  2. SHGW container* deployed on a third-party cloud platform (e.g. AWS, GCP).
  3. SHGW container* deployed on on-premises resources.
  4. Management connectivity between SHGW and APIM management plane, allowing transmission of SHGW heartbeat, configuration updates, log shipment. Connection is outbound from SHGW on port 443.
  5. ExpressRoute dedicated on-premises to Azure connection (optional).
  6. Network peering between APIM subnet and on-premises network, allowing direct connectivity between the APIM instance and on-premises services, including the SHGW.
  7. Public point of ingress for all APIM services.
  8. API consumer, accessing Azure, on-premises, and third-party cloud APIs via Azure GW and SHGW. For access to non-Azure APIs traffic goes direct to the closest gateway, not via Azure.


*SHGW is provided as a downloadable Linux container image which can be configured and hosted on your own [high availability] infrastructure. By hosting the gateway near to your APIs, users of the APIs go directly to them (via the SHGW instance) without the need to pass through Azure. This reduces latency and supports data sovereignty, while still being centrally managed via the Azure hosted APIM instance management plane. SHGW is only supported on APIM Premium and Developer tiers.


For Enterprise API inventory and discovery see API Center (not covered here) which is Generally Available.


Things to consider when designing your SHGW implementation.

  • Connectivity between the SHGW and the Azure. Outbound connectivity is required from a SHGW to APIM and certain Azure services such as Azure Storage and Application Insights in order to pull configuration changes, for log shipment, heartbeat, and other operational necessities. Will you go via the internet, or remain on a private network? Private networking between on-premises SHGW and Azure can be achieved via network peering and a dedicated circuit such as ExpressRoute. It is also possible to peer a third-party cloud platform and Azure via a dedicated connection from third-party to on-premises and back up to Azure.
  • Authentication. To authenticate with APIM, SHGW presents an authentication key which by default is stored in the SHGW container. However, this is a poor solution which risks exposing the key and increases administration effort - it needs to be rotated every 30 days, and if forgotten the SHGW will lose its connectivity. A better solution is to use Entra authentication, see https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-enable-azure-ad.
  • Scalability. If using SHGW you are responsible for scaling the gateway, consider using Kubernetes horizontal pod autoscaler to scale out the gateway.



Azure APIM and SHGWs provide a complete solution for managing a distributed, diverse API estate efficiently. SHGWs offer flexibility, control, and customization options for organisations managing APIs, particularly those with specific performance, compliance, or integration requirements.


Published on:

Learn more
Azure Architecture Blog articles
Azure Architecture Blog articles

Azure Architecture Blog articles

Share post:

Related posts

General Availability of SQL FCI and AG Features SQL Server Enabled by Azure Arc

We have good news. Two business continuity features for SQL Server enabled by Azure Arc are now generally available: View Failover Cluster In...

1 day ago

Azure VMware Solution using a public IP down to the NSX-T Edge; configure SNAT, No-SNAT & DNAT

Azure VMware Solution How To Series: Configuring NSX-T SNAT, No-SNAT & DNAT rules   Overview Requirements Lab Environment NAT Rules K...

1 day ago

App attach for Azure Virtual Desktop now generally available

App attach for Azure Virtual Desktop allows IT admins to dynamically attach applications from an application package to a user session in Azur...

2 days ago

A Closer Look at Azure WAF’s Data Masking Capabilities for Azure Front Door

The Azure Web Application Firewall (WAF) on Azure Front Door offers centralized protection for your web applications against vulnerabilities a...

2 days ago

Azure Virtual Network Manager (AVNM) Mesh and Direct Connectivity are Generally Available!

Azure Virtual Network Manager's (AVNM) mesh connectivity configuration and direct connectivity option in the hub and spoke connectivity config...

2 days ago

Azure pricing: How to calculate costs of Azure products and services

In our previous blogs we explained the Azure pricing structure and how customers can estimate their project costs when migrating to Azure or b...

2 days ago

Azure Pricing: How to estimate Azure project costs

In the previous blog we explained how you can learn about Azure pricing with free services and a pay-as-you-go model. Next, lets understand ho...

2 days ago

Azure Pricing: How to navigate Azure pricing options and resources

In this blog we discussed customer pricing needs and how they match different phases of the cloud journey, and we provided various tools and r...

2 days ago

Azure pricing: How to optimize costs for your Azure workloads

In our previous blogs we explained the Azure pricing structure, how customers can calculate their costs when migrating or building in Azure, a...

2 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy