azure-samples/apim-bicep
.github/skills/apim-bicep/SKILL.md
Guide for building Bicep files for Azure API Management (APIM) and related Azure services. Use when users want to create, modify, or understand Bicep templates for APIM instances, APIs, backends, subscriptions, policies, products, loggers, diagnostics, and MCP servers. This skill provides Bicep syntax, patterns from Azure Verified Modules, and examples from this repository.
$ install --global
skillsauthnpx skillsauth add azure-samples/ai-gateway apim-bicepInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 2:33 AM179.9s1 file scanned
SKILL.md
- name:
- apim-bicep
- description:
- Guide for building Bicep files for Azure API Management (APIM) and related Azure services. Use when users want to create, modify, or understand Bicep templates for APIM instances, APIs, backends, subscriptions, policies, products, loggers, diagnostics, and MCP servers. This skill provides Bicep syntax, patterns from Azure Verified Modules, and examples from this repository.
APIM Bicep
This skill provides guidance for creating Azure Bicep templates for API Management and related services.
Quick Start - Basic APIM Instance
@description('The name of the API Management service instance')
param apiManagementServiceName string = 'apim-${uniqueString(resourceGroup().id)}'
@description('The email address of the publisher')
param publisherEmail string
@description('The name of the publisher')
param publisherName string
@description('The pricing tier of this API Management service')
@allowed(['Consumption', 'Developer', 'Basic', 'Basicv2', 'Standard', 'Standardv2', 'Premium'])
param sku string = 'Basicv2'
@description('Location for all resources')
param location string = resourceGroup().location
resource apimService 'Microsoft.ApiManagement/service@2024-06-01-preview' = {
name: apiManagementServiceName
location: location
sku: {
name: sku
capacity: 1
}
identity: {
type: 'SystemAssigned'
}
properties: {
publisherEmail: publisherEmail
publisherName: publisherName
}
}
output apimId string = apimService.id
output apimName string = apimService.name
output gatewayUrl string = apimService.properties.gatewayUrl
output principalId string = apimService.identity.principalId
Resource Types Reference
| Resource Type | API Version | Purpose |
|---------------|-------------|---------|
| Microsoft.ApiManagement/service | 2024-06-01-preview | APIM service instance |
| Microsoft.ApiManagement/service/apis | 2024-06-01-preview | API definitions |
| Microsoft.ApiManagement/service/apis/operations | 2024-06-01-preview | API operations |
| Microsoft.ApiManagement/service/apis/policies | 2024-06-01-preview | API-level policies |
| Microsoft.ApiManagement/service/backends | 2024-06-01-preview | Backend services |
| Microsoft.ApiManagement/service/subscriptions | 2024-06-01-preview | API subscriptions |
| Microsoft.ApiManagement/service/products | 2024-06-01-preview | API products |
| Microsoft.ApiManagement/service/loggers | 2024-06-01-preview | Logging configuration |
| Microsoft.ApiManagement/service/apis/diagnostics | 2024-06-01-preview | API diagnostics |
Essential Patterns
Backend with Managed Identity
resource backend 'Microsoft.ApiManagement/service/backends@2024-06-01-preview' = {
name: 'my-backend'
parent: apimService
properties: {
description: 'Backend with managed identity auth'
url: 'https://my-service.azure.com'
protocol: 'http'
credentials: {
managedIdentity: {
resource: 'https://cognitiveservices.azure.com'
}
}
}
}
Backend Pool (Load Balancing)
resource backendPool 'Microsoft.ApiManagement/service/backends@2024-06-01-preview' = {
name: 'inference-backend-pool'
parent: apimService
properties: {
description: 'Load balancer for multiple backends'
type: 'Pool'
pool: {
services: [for (config, i) in backendsConfig: {
id: '/backends/${backends[i].name}'
priority: config.?priority ?? 1
weight: config.?weight ?? 1
}]
}
}
}
API with OpenAPI Spec
resource api 'Microsoft.ApiManagement/service/apis@2024-06-01-preview' = {
name: 'my-api'
parent: apimService
properties: {
displayName: 'My API'
description: 'API description'
path: 'api/v1'
protocols: ['https']
subscriptionRequired: true
subscriptionKeyParameterNames: {
header: 'api-key'
query: 'api-key'
}
format: 'openapi+json'
value: string(loadJsonContent('./openapi.json'))
}
}
API Policy from File
resource apiPolicy 'Microsoft.ApiManagement/service/apis/policies@2024-06-01-preview' = {
name: 'policy'
parent: api
properties: {
format: 'rawxml'
value: loadTextContent('policy.xml')
}
}
Subscription
@batchSize(1)
resource subscription 'Microsoft.ApiManagement/service/subscriptions@2024-06-01-preview' = [for sub in subscriptionsConfig: {
name: sub.name
parent: apimService
properties: {
displayName: sub.displayName
scope: '/apis' // or '/apis/{apiId}' or '/products/{productId}'
state: 'active'
allowTracing: true
}
}]
MCP Server Patterns
Native MCP API (type: 'mcp')
Create an MCP server API that wraps existing API operations:
resource mcp 'Microsoft.ApiManagement/service/apis@2024-06-01-preview' = {
parent: apim
name: 'weather-mcp'
properties: {
type: 'mcp'
displayName: 'Weather MCP'
description: 'MCP for weather data'
subscriptionRequired: false
path: 'weather-mcp'
protocols: ['https']
mcpTools: [
{
name: operation.name
operationId: operation.id
description: operation.properties.description
}
]
}
}
Streamable MCP with Backend
Create an MCP server with a backend service:
resource mcpBackend 'Microsoft.ApiManagement/service/backends@2024-06-01-preview' = {
parent: apim
name: 'weather-mcp-backend'
properties: {
protocol: 'http'
url: '${mcpServiceUrl}/mcp'
tls: {
validateCertificateChain: true
validateCertificateName: true
}
type: 'Single'
}
}
resource mcp 'Microsoft.ApiManagement/service/apis@2024-06-01-preview' = {
parent: apim
name: 'weather-mcp'
properties: {
type: 'mcp'
displayName: 'Weather MCP'
subscriptionRequired: false
backendId: mcpBackend.name
path: 'weather'
protocols: ['https']
mcpProperties: {
transportType: 'streamable'
}
}
}
MCP with Custom Operations
resource mcpApi 'Microsoft.ApiManagement/service/apis@2024-06-01-preview' = {
parent: apimService
name: 'agent-mcp'
properties: {
displayName: 'Agent MCP Server'
description: 'Model Context Protocol API endpoints'
subscriptionRequired: false
path: 'agent'
protocols: ['https']
serviceUrl: containerAppUrl
}
}
resource mcpSseOp 'Microsoft.ApiManagement/service/apis/operations@2024-06-01-preview' = {
parent: mcpApi
name: 'mcp-sse'
properties: {
displayName: 'MCP SSE Endpoint'
method: 'GET'
urlTemplate: '/sse'
description: 'Server-Sent Events endpoint'
}
}
resource mcpMessageOp 'Microsoft.ApiManagement/service/apis/operations@2024-06-01-preview' = {
parent: mcpApi
name: 'mcp-message'
properties: {
displayName: 'MCP Message Endpoint'
method: 'POST'
urlTemplate: '/message'
description: 'Message endpoint for MCP Server'
}
}
Diagnostics and Logging
Azure Monitor Logger
resource apimLogger 'Microsoft.ApiManagement/service/loggers@2024-06-01-preview' = {
parent: apimService
name: 'azuremonitor'
properties: {
loggerType: 'azureMonitor'
isBuffered: false
}
}
Application Insights Logger
resource appInsightsLogger 'Microsoft.ApiManagement/service/loggers@2024-06-01-preview' = {
name: 'appinsights-logger'
parent: apimService
properties: {
loggerType: 'applicationInsights'
credentials: {
instrumentationKey: appInsightsInstrumentationKey
}
description: 'APIM Logger for Application Insights'
isBuffered: false
resourceId: appInsightsId
}
}
API Diagnostics with LLM Logging
resource apiDiagnostics 'Microsoft.ApiManagement/service/apis/diagnostics@2024-06-01-preview' = {
parent: api
name: 'azuremonitor'
properties: {
alwaysLog: 'allErrors'
verbosity: 'verbose'
logClientIp: true
loggerId: apimLogger.id
sampling: {
samplingType: 'fixed'
percentage: 100
}
largeLanguageModel: {
logs: 'enabled'
requests: {
messages: 'all'
maxSizeInBytes: 262144
}
responses: {
messages: 'all'
maxSizeInBytes: 262144
}
}
}
}
Bicep Best Practices
Use Existing Resources
resource apim 'Microsoft.ApiManagement/service@2024-06-01-preview' existing = {
name: apimServiceName
}
Parameter Validation
@description('The pricing tier')
@allowed(['Consumption', 'Developer', 'Basic', 'Basicv2', 'Standard', 'Standardv2', 'Premium'])
param sku string = 'Basicv2'
@minLength(1)
@maxLength(50)
param apiManagementName string
Load External Content
// Load JSON for OpenAPI specs
value: string(loadJsonContent('./specs/openapi.json'))
// Load XML for policies
value: loadTextContent('policy.xml')
// Load and parameterize policy
var updatedPolicy = replace(loadTextContent('policy.xml'), '{backend-id}', backendName)
Output Secrets Safely
#disable-next-line outputs-should-not-contain-secrets
output subscriptionKey string = subscription.listSecrets().primaryKey
Reference Documentation
For detailed patterns and examples, see:
- APIM Resource Reference: Complete resource definitions
- MCP Server Patterns: MCP configuration examples
- Azure Verified Modules: Patterns from Azure Verified Modules
Official Documentation
- APIM Bicep Quickstart
- ARM Template Reference
- Azure Verified Modules - APIM
Related Skills
azure-samples/skill-creator
tools
VerifiedTrustedCommunity
Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Claude's capabilities with specialized knowledge, workflows, or tool integrations.
897SKILL.mdUpdated Apr 3, 2026
azure-samples/mcp-builder
tools
VerifiedTrustedCommunity
Guide for creating high-quality MCP (Model Context Protocol) servers that enable LLMs to interact with external services through well-designed tools. Use when building MCP servers to integrate external APIs or services, whether in Python (FastMCP) or Node/TypeScript (MCP SDK).
897SKILL.mdUpdated Apr 3, 2026
azure-samples/lab-creator
development
VerifiedTrustedCommunity
Guide for creating new AI Gateway labs. Use when users want to create a new lab in the labs/ folder. This skill provides the standard lab structure, templates, and patterns used across the AI Gateway repository including Jupyter notebooks, Bicep infrastructure templates, APIM policies, and README documentation.
897SKILL.mdUpdated Apr 3, 2026
azure-samples/apim-terraform
development
VerifiedTrustedCommunity
Guide for creating Terraform files for Azure API Management (APIM) and related Azure services. Use when users want to create, modify, or understand Terraform configurations for APIM instances, APIs, backends, subscriptions, policies, products, loggers, diagnostics, and supporting infrastructure using the azurerm provider. This skill provides HCL syntax, resource definitions, and patterns from the Terraform Registry and this repository.
897SKILL.mdUpdated Apr 3, 2026