CAMPUX Cloud Bootcamp Phase Three Supplement · Class Thirty-Nine
Phase Three — DevOps Core · Supplement
Reading 36 min · Drills 6 · 1 Lab
AZ-400 alignment
Class Thirty-Nine

API Management

The moment a second consumer calls your API, every concern you solved inside one backend — who is this, how often, which version — needs solving again for each of them; this class is the front desk that solves it once, for everyone, forever.

§1

Why a front desk exists

Class Sixteen taught you that everything in Azure is an API; Class Thirty-Five put a gateway in front of one model and called it a valve. This class generalises the valve, because the problem it solved is universal. Any API with more than one consumer accumulates the same list of chores: authenticate the caller, limit the eager, count the usage, hide the backend's address, keep old clients working while the new version ships, and hand a stranger enough documentation to integrate without a meeting. Solve those inside the backend and you will solve them again in the next backend, differently, forever. Azure API Management is where the estate solves them once — a managed front desk between every consumer and every backend, where the chores become configuration.

Be precise about what kind of thing this is, because it looks like Class Thirteen's load balancer and is not. A load balancer spreads identical traffic across identical copies and reads nothing but health; a gateway reads the request itself — who sent it, with which credential, to which operation — and applies policy before the backend ever hears about it. The two stack rather than compete: the gateway decides whether and how; the load balancer decides which copy. And the Class Thirty-Five test travels with the pattern unchanged: a gateway a consumer can walk around is a suggestion, so the backend accepts calls from the gateway's identity and nobody else.

A gateway you can bypass is a suggestion.

§2

Anatomy — APIs, products, subscriptions, the portal

APIM's vocabulary is small and interlocking, and interviews check whether you can walk it without notes:

API & operations
The gateway's model of a backend: an API is a set of operations (GET /products, GET /stock/{id}), usually imported from an OpenAPI specification rather than typed by hand. The gateway exposes its URL; the backend's real address becomes an internal detail nobody outside ever learns.
Product
A published bundle of APIs with terms attached: which APIs, what limits, whether approval is required. "Partner — Catalog, read-only, 100 calls/minute" is a product. Products are what you offer; APIs are what you have.
Subscription
A consumer's enrolment in a product, carrying a pair of keys. The key identifies the consumer — which is what makes revoking one partner, throttling one team, and reading one column of the usage chart possible. Class 35's per-team keys were exactly this.
Developer portal
The self-service site APIM generates: documentation, an interactive console, and sign-up for products. It replaces the onboarding meeting — a stranger can discover, subscribe, and make a first successful call without anyone at Campux attending.

Tiers deserve one paragraph, because the first APIM decision is a billing decision. Consumption is serverless — per-call pricing, fast to create, no fixed monthly cost — right for labs, spiky workloads, and the class of estate that is not sure yet. The classic fixed tiers (Developer for non-production, then Basic, Standard, and Premium with VNet injection and multi-region) buy predictable capacity and the enterprise networking features, at a monthly price that makes APIM one of the line items Class Thirty-Two will always ask about.1

§3

Policies — the request pipeline you write

Everything the gateway does is expressed as policies: small XML documents attached at global, product, API, or operation scope, executed in a fixed pipeline around every request. Inbound policies run before the backend (authenticate, rate-limit, transform, reject); backend policies shape the forwarding itself; outbound policies edit the response on its way out (strip internal headers, cache); and on-error catches whatever went wrong anywhere and decides what the caller learns about it — which should be "little," because backend stack traces are reconnaissance gifts.

Figure 20: the API Management policy pipeline — a request passes through inbound, backend, and outbound policy stages, with an on-error path drawn in red pen catching failures from every stage. Caller Inbound Backend Outbound auth · limit · shape forward · retry cache · strip Response Backend service on-error Every stage can fail into the same red rail — and the rail decides what the caller learns.
Figure 20 The policy pipeline. A request earns its way left to right — authenticated, limited, and shaped before the backend spends a cycle on it; the response is edited on the way back out. The red rail underneath is the part beginners skip and auditors read first: every failure, from any stage, lands in on-error, and what that stage returns is the difference between "a tidy 429 with a retry-after header" and "a stack trace with your connection string's shape in it."

The working policies are fewer than the reference suggests: rate-limit-by-key and quota-by-key (the per-consumer arithmetic from Class Thirty-Five), validate-jwt (check the caller's Entra token at the door, so unauthenticated requests never reach the backend), cache-store/cache-lookup (answers that repeat stop costing backend calls), and the transform family (rewrite URLs, strip headers, version-shim old callers). Two disciplines keep policies from becoming the estate's next unreviewed liability. First, policies are code: XML in the repository, deployed by the Class Twenty-Two pipeline, reviewed like everything else — a rate limit is production behaviour, and portal-edited policy is the Class Twenty click-drift problem reborn. Second, policies stay traffic-shaped: authentication, limiting, caching, transformation — the moment business logic creeps into policy XML, you have hidden part of the application in a place no debugger visits.

§4

The back door — auth and network behind the gateway

The front of the gateway is only half the design; the review question that finds real holes is about the back: how does the gateway reach the backend, and who else can? The clean pattern is the one this bootcamp has drilled since Class Nine, applied twice. Forward: APIM holds a managed identity, and backends validate it — the gateway authenticates to the backend with a token, not a shared header secret someone will paste into a wiki. Backward: the backend accepts only that identity — via Entra auth on the app, or network placement per Class Fourteen — so the gateway is the sole road in, and every §2 promise (limits, counts, revocation) governs all traffic instead of the polite fraction that chose to comply.

Say the anti-pattern out loud so you recognise it in reviews: the backend stays publicly reachable "temporarily," the partner integration guide helpfully includes the backend's real URL "as a fallback," or the gateway forwards a static API key the backend never rotates. Each one is Class Thirty-Five's Drill 04 wearing a new shirt — a bypass with a euphemism attached. When APIM sits in front of internal services, the enterprise tiers can inject into your VNet or pair with private endpoints, which turns "the backend is unreachable except through the gateway" from a policy into a routing fact — the strongest form the promise comes in.2

§5

Versions and revisions — changing a thing strangers depend on

The day the first partner integrates, your API stops being yours alone: it becomes a contract, and the §5 skill is changing a contract without breaking the people who signed it. APIM gives you two instruments, and confusing them is the classic error this class's Drill 04 exists to vaccinate against. A revision is for non-breaking change: a new optional field, a bug fix, a description update. Revisions live inside the current version, can be tested at a private URL, and become current with a switch — callers notice nothing, which is the definition of non-breaking. A version is for breaking change: a removed field, a renamed operation, a different auth scheme. Versions are separate, parallel APIs — v1 keeps answering exactly as before while v2 onboards, and the gap between them is a deprecation campaign, not a flag day: announce, publish migration notes in the portal, watch v1's per-subscription traffic fall in the §2 usage data, chase the stragglers by name, and only then retire it.

Version vs revision
A revision changes an API without changing its promise; a version changes the promise. Callers never notice a revision; callers must choose a version — and the discipline is refusing to smuggle the second kind of change inside the first.

Notice this is Class Nineteen's lesson at a larger radius: a branch protected you from breaking your teammates; a version protects you from breaking strangers with contracts and invoices. The engineering habit transfers whole — the cheapest breaking change is the one you never ship; the second cheapest is the one you ship beside the old behaviour with a long, well-lit exit.3

Case File · Campux Retail

The wholesale door gets a front desk

partners at the catalog, each with their own key

It starts, as external integrations do, with a sales win: two outdoor-gear marketplaces and a regional chain want live access to Campux's catalog and stock levels. The first draft of the integration is an email thread offering the storefront backend's URL and a shared password — the kind of draft Class Thirty-One trained everyone to flinch at, and this time the flinch works. Instead: a Consumption-tier APIM in front, the catalog API imported from its OpenAPI spec, and a Partner product — read-only catalog and stock operations, 100 calls a minute, subscription approval required. Each partner subscribes through the developer portal and gets their own keys; the backend closes to everything but the gateway's managed identity the same afternoon. Onboarding the third partner takes eleven minutes and zero meetings, which the sales team notices loudly.

The machinery pays for itself twice in the first quarter. In week six, one marketplace's nightly sync goes feral — a bug on their side retries in a tight loop — and instead of a Class Thirty-Six incident, it is a 429: their key throttles at its limit, the other partners never feel it, and the §2 usage chart names the culprit before their own team finds the bug. And in month three, the catalog schema needs a breaking change — prices restructured for regional currency. It ships as v2 beside v1, the portal carries the migration guide, and the per-subscription traffic chart turns retiring v1 from an argument into a checklist: two partners migrate in a week; the third gets a named nudge when their v1 calls are the only ones left. The email thread that almost shipped a shared password is printed out and pinned above the team's whiteboard, annotated in red pen: this is what the front desk replaced.

Watch · Microsoft Learn

The official pages, and a CAMPUX overview

The concepts page before the lab; the policy reference open while you write any policy
Microsoft Learn · Docs

Azure API Management — key concepts
learn.microsoft.com/azure/api-management/api-management-key-concepts

API Management policies — overview and reference
learn.microsoft.com/azure/api-management/api-management-howto-policies

CAMPUX overview video

A mock API built in the portal, a rate limit added as four lines of policy XML, and the 429 arriving on the sixth call — plus a tour of the developer portal a partner would see — will live here. Video to be added.

Lab · The valve, generalised

A gateway, a mock API, a rate limit, and the 429 you earn

~20 minutes · portal + Cloud Shell · Consumption tier, costs cents

Create the smallest real APIM, put a mock API behind it, throttle it per key, and watch the gateway protect a backend that does not even exist yet.

  1. Create a Consumption-tier instance (names are global — adjust yours):

    az group create --name rg-apim-lab --location eastus
    az apim create --name campux-apim-<initials> \
      --resource-group rg-apim-lab --location eastus \
      --sku-name Consumption \
      --publisher-name Campux --publisher-email you@example.com
    What to notice: Consumption provisions in minutes and bills per call — the tier that lets you learn the product without the Class 32 conversation. The classic fixed tiers take much longer to create and charge by the month; choosing between them is the first real APIM decision.
  2. In the portal: your APIM → APIs → Add API → HTTP. Name it catalog, add a GET operation at /products, and in the operation's inbound policy add a mock-response policy returning 200.

    What to notice: the gateway is answering for a backend that does not exist — which is not a party trick, it is a development pattern: frontends and partners integrate against the mock while the real backend is still being built. The gateway owns the contract; the backend fulfils it later.
  3. On the API's inbound policy (All operations), add a per-key rate limit, then save:

    <rate-limit-by-key calls="5" renewal-period="60"
      counter-key="@(context.Subscription.Id)" />
    What to notice: four lines of XML are the entire Class 35 valve. The counter key is the subscription — each consumer gets their own bucket of five calls a minute, which is the difference between throttling a misbehaving partner and throttling everybody.
  4. Get a subscription key (Subscriptions blade → the built-in subscription → show keys), then call the API six times:

    for i in $(seq 1 6); do curl -s -o /dev/null -w "%{http_code}\n" \
      "https://campux-apim-<initials>.azure-api.net/catalog/products" \
      -H "Ocp-Apim-Subscription-Key: <key>"; done
    az group delete --name rg-apim-lab --yes --no-wait
    The lesson: five 200s, then a 429 — the gateway enforcing arithmetic you wrote, before any backend spent a cycle. That status code is the polite version of every runaway-consumer story in this bootcamp: the analyst script, the feral partner sync, the surprise bill. Delete the group when done.
Note · policy availability differs by tier — Consumption supports the by-key limiting policies used here but not every policy in the reference; check the policy page's tier table before designing. Portal blade names and the developer portal experience shift periodically; the anatomy — API, product, subscription, policy — is the stable part.
Think in systems

Zoom out: the gateway is a chokepoint and a single front door at once

You have put a gateway in front of your services. Now reason about what that does to the whole system, not just to one request. Systems thinking is the habit of looking past the box you just built to the loops, dependencies, and limits around it — because a control point this central changes the behaviour of everything behind it. Take a whiteboard and work these five prompts before the exam.

Feedback loops

The gateway throttles a noisy caller; the caller retries harder; the retries look like more load and trip the throttle wider — a reinforcing storm. What balancing controls (rate limits with backoff guidance, quotas, a circuit breaker to the backend) keep one misbehaving client from taking the gateway down for everyone?

Dependencies & coupling

Every consumer now depends on the gateway, and the gateway depends on every backend behind it — a single front door and a shared point of failure at once. Map what fails if the gateway is down versus if one backend is down. The answers, and the blast radius, are very different.

The constraint

All traffic funnels through the gateway by design, so its capacity is the ceiling for the whole API surface. When calls double, is the real limit the gateway's throughput units, the policy processing per request, or the slowest backend it fronts? Adding callers does not move the wall.

Second-order effects

You switch on response caching to spare the backends. Load drops — and now some callers get stale data, and a cache-invalidation bug becomes a correctness problem, not a performance one. What did buying speed cost you in freshness, and who notices first?

What breaks when it scales

At ten times the callers, what gives — gateway capacity, the backend sized for today, or the per-subscription quotas you set once and forgot? Which is a slider you move, and which means re-architecting how the API is partitioned?

The engineer who ships is asked "does it work?" The engineer who gets promoted is asked "and then what?" — and has already drawn the loop.

On the job

Fitting the lock on the front door

You · Cloud Engineer · a mess of APIs needs a front door

Five teams expose five APIs five different ways, and consumers are drowning. You put a gateway in front: one front door, consistent authentication, rate limits so one noisy caller cannot sink the rest, and a place to meter usage. The sprawl becomes a product with a door and a doorman — and you are the one who fitted the lock.

Class Thirty-Nine

Examination

Four drills, then two situations. The situations have no marking scheme — write your answer before you reveal the reasoning, or the exercise is worthless. Nothing is stored; this is between you and the page.

Drill 01Recall · anatomy
A partner's nightly sync starts misbehaving and must be cut off tonight — without touching the other partners. What makes that surgical revocation possible?
Marked

B — the subscription is the unit of consumer identity, and everything surgical flows from it. Because each partner enrolled in the product with their own keys, one subscription suspends tonight and reactivates after their fix, while the other partners never learn anything happened. Now price the alternatives, because each is a real thing tired teams do. A fights an identity problem with a network tool: IP ranges shift, CDNs and NATs share them, and the block either misses the partner or catches innocents — and the backend should not be reachable except via the gateway anyway. C is the nuclear option that converts one consumer's bug into every consumer's outage — the exact outcome the gateway exists to prevent. D confuses the brochure with the door; documentation access stops nobody's curl. The design habit underneath: any time you cannot act on one consumer, you discover it during an incident — which is why per-consumer credentials are issued on day one, not retrofitted on day ninety.

Drill 02Recall · lifecycle
The catalog API needs two changes: a new optional field on the response, and — separately — the removal of a legacy field partners still read. How do they ship?
Marked

C — sort changes by whether the promise changed, then use the instrument built for each. Adding an optional field breaks nobody who follows the most basic client discipline, so it rides a revision: tested at the private URL, switched live, invisible. Removing a field partners read changes the contract, so it becomes v2 while v1 keeps answering — and the retirement is a campaign run on the per-subscription traffic data, not a hope. A is the vaccine this drill administers: ship the removal as a revision and it goes live for every caller the moment it becomes current — v1's promise silently broken, three partners' integrations failing in the same hour, and the postmortem writing itself. B taxes everyone for nothing — version proliferation is real, and partners who must migrate for an additive change learn to dread your release notes. D is how integrations worked before gateways: synchronized cutovers fail asynchronously, one partner at a time, over a weekend. The sorting question to carry into every API review: could a well-behaved existing caller notice? No: revision. Yes: version.

Drill 03Select three
Which three belong in gateway policy — the traffic-shaped work APIM should be doing?
Marked

Limit, authenticate, cache-and-strip — traffic work, every one. The test all three pass: they concern how requests flow, not what the application means, and they apply uniformly to every operation behind the gateway. The rejects fail it from opposite directions. Discount rules in policy expressions is business logic hidden in XML — outside the debugger, outside the test suite, outside the repo review path most teams wire for application code — and six months later a pricing bug hunt ends in a place no developer thought to look; policy is a poor home for anything a product owner might ask about. And returning raw exception detail inverts on-error's whole purpose: stack traces, connection-string shapes, and library versions are a reconnaissance packet, and "easing partner debugging" is what correlation IDs and the developer portal are for — give callers a reference number, keep the forensics in the Class 28 workspace. The boundary sentence: the gateway decides whether and how a request travels; the backend decides what it means.

Drill 04Spot the error
This change plan is about to be approved. One line is a serious mistake. Which?
# change plan: catalog API, currency restructure
1.  The price fields change shape (breaking); ship as
    a revision of v1 — revisions deploy faster and
    avoid the overhead of running two versions.
2.  Policy XML for the change goes through the repo
    and the Class 22 pipeline, like all policy.
3.  Partners are notified via the developer portal
    changelog two weeks ahead.
4.  Per-subscription traffic will be monitored after
    release to catch integration failures early.
Marked

Line one — and notice how reasonable it sounds, because that is how this mistake actually ships. "Faster" and "less overhead" are true statements about revisions; they are just answers to the wrong question. A revision has no opt-in: the moment it becomes current, every existing caller gets the new behaviour on their next request — which for a breaking change means every partner's integration fails simultaneously, at the switch, regardless of the two weeks of notice on line three. The notice does not help, because a changelog cannot keep v1 answering; only v1 can do that. Run the tape: switch flipped Tuesday 9am, three partners' syncs fail by 9:05, support lights up, and the rollback is frantic precisely because revisions were also the team's hotfix path. The fix is Drill 02's sorting: breaking means version — v2 beside v1, the portal carrying the migration guide, retirement driven by the traffic data line four correctly plans to watch.

The distractors are the plan working: policy through the pipeline is §3's discipline (B — "configuration" that changes production behaviour is code, the oldest lesson in Phase Three); pre-announcement is exactly right and pairs with versioning rather than replacing it (C); and post-release monitoring is how the v1-retirement campaign gets its evidence (D — it is not too late, it is the feedback loop). The reviewer's reflex to build: whenever a plan justifies a mechanism by its convenience, check what question the mechanism was actually built to answer.

Situation 01Write before you reveal
The PM wants partner onboarding simplified: "Three partners, three sets of keys, three sets of paperwork. Let's just issue one shared partner key — they're all reading the same catalog anyway." How do you respond?
Walk one bad night forward under each design. Who gets throttled, who gets blamed, and what does revocation cost?
Reasoning

Concede the pain before defending the keys. The PM is reacting to something real — if onboarding feels like paperwork, that is a legitimate bug — so agree to fix the friction before explaining why the fix cannot be key-sharing. Then run the one bad night, because it converts the abstraction into a story: partner B ships a buggy sync that hammers the API at 2am. With per-partner keys, the Class 39 machinery handles it in its sleep — B throttles at B's limit, A and C never notice, the usage chart names B, and Monday's email goes to one inbox. With a shared key, the gateway sees one anonymous consumer: the limit throttles all three partners at once, the chart cannot say who did it, and the Monday conversation is three denials and an argument. Same bug, same night — one design produces a line item, the other produces an incident with diplomacy attached.

Then price the parts the night didn't show. Revocation: keys leak (Class 31's whole curriculum), and a shared key that leaks must be rotated for everyone simultaneously — three coordinated partner deployments for one partner's mistake, which in practice means the leaked key stays valid for weeks. Commercial flexibility: the moment sales wants tiers — the regional chain at 100 calls a minute, the big marketplace paying for 1,000 — per-partner subscriptions make it a product setting; a shared key makes it impossible. And accountability is Class 32's lesson wearing partner clothes: an unattributable call is an unattributable cost, and "which partner is worth what" becomes unanswerable at contract-renewal time.

Close by solving the actual complaint. The paperwork is not the keys' fault — it is the process's. The developer portal exists precisely so onboarding is self-service: partner signs up, requests the product, approval is one click, keys are theirs in minutes — the case file's third partner took eleven minutes and zero meetings. Offer the PM that: "same-day onboarding, and we keep the ability to throttle, bill, and revoke one partner at a time." The sentence that ends the meeting: the keys aren't the paperwork — they're the reason one partner's bad night stays one partner's problem.

Situation 02Write before you reveal
The backend team objects to the whole plan: "Our API already validates tokens and has rate limiting in middleware. APIM is an extra network hop, an extra monthly bill, and an extra thing to learn. Why are we adding it?" What is your honest answer — including the case where they're right?
They are right for some estates. Find the variable that flips the answer, and say it plainly.
Reasoning

Start by naming the case where they win, because it exists and they can smell evasion. One API, one internal consumer, one team owning both sides: the middleware is genuinely enough, and APIM would be ceremony — a hop, a bill, and a second place to look during incidents, purchased for no one. Class 3 taught the shape: every tool has a "when not to," and a gateway's is single consumer, single owner, no external contract. Saying this first is not a concession tactic; it is the credibility that makes the rest of the argument land.

Then name the variable that flips it: consumers you don't control. The middleware argument quietly assumes every caller is family. The moment partners, other teams, or paying customers integrate, the chores multiply per consumer — per-partner limits, revocable credentials, usage attribution, a portal, versioning with deprecation campaigns — and middleware answers none of them without the backend team building a small, bespoke, forever-maintained gateway of their own inside the app. That is the honest comparison: not "APIM versus nothing," but "APIM versus the gateway you will write by accident, one feature request at a time, with no developer portal and no Class 32 line item to warn you what it costs." The hop and the bill are real; so is the engineering payroll spent reinventing subscriptions in Express middleware.

Close with the boundary drawn where it belongs. The token validation and rate limiting in their middleware are not wasted — defence in depth wants the backend suspicious even of the gateway (Class 31's layers). What moves to APIM is the multi-consumer work: the front desk, not the locks on the individual doors. And give them the honest tier answer for the bill: Consumption while the partner count is small, a fixed tier when traffic justifies it, reviewed at the Class 32 monthly like everything else. The sentence that usually settles it: your middleware protects this API; the gateway is for the day this API has customers — and sales already made that day this quarter.

Examination record · first attempt
0/4
Class Thirty-Nine · Complete
Retain this much

Five things worth carrying out of this class

  1. A gateway solves the multi-consumer chores once — auth, limits, counting, hiding the backend, versioning, onboarding — and stacks with, rather than replaces, the load balancer. A gateway you can bypass is a suggestion.
  2. The anatomy interlocks: APIs are what you have, products are what you offer, subscriptions are who's enrolled — and the subscription key identifies the consumer, which is what makes throttling, billing, and revoking one partner at a time possible.
  3. Policies run inbound, backend, outbound, and on-error; they are code (repo, pipeline, review) and they stay traffic-shaped — business logic in policy XML is a bug hunt waiting in a place no debugger visits.
  4. The back door matters as much as the front: APIM reaches backends with its managed identity, and the backend accepts nothing else — "temporarily public" is a bypass with a euphemism.
  5. Revisions change an API without changing its promise; versions change the promise. Breaking changes ship as v2 beside v1, and retirement is a campaign run on per-subscription traffic data, not a flag day.
Notes
  1. APIM's tier lineup is mid-evolution: the classic Developer/Basic/Standard/Premium tiers now share the catalogue with v2 tiers whose capabilities and prices have shifted more than once, and policy availability differs by tier in ways the policy reference tables track. Check the current pricing and tier-comparison pages before writing APIM into a design document — the anatomy in §2 is stable; the SKU grid underneath it is not.
  2. Self-hosted gateways exist too — the APIM gateway component packaged as a container you run wherever the traffic is (on-premises, other clouds, Kubernetes), managed from the same control plane. Out of scope for this class, but worth knowing the name when a hybrid estate asks how the Class 15 world gets a front desk.
  3. This class teaches APIM because it is Azure's native gateway and the one AZ-400 expects, but the pattern outranks the product: consumers hold gateway credentials, policies shape traffic, contracts version beside each other. Meet Kong, Apigee, or a cloud rival's gateway and you will find the same nouns wearing different names — learn the pattern here once, and the products become configuration details.