
API management services should use Availability zones in supported regions

Reliability · API Management · Rule · 2021_12 · Important

API management services deployed with Premium SKU should use availability zones in supported regions for high availability.

Description

API management services using availability zones improve reliability and ensure availability during failure scenarios affecting a data center within a region. With zone redundancy, the gateway and the control plane of your API Management instance (Management API, developer portal, Git configuration) are replicated across data centers in physically separated zones, making it resilient to a zone failure.

Recommendation

Consider using availability zones for API management services deployed with Premium SKU.

Notes

This rule applies when analyzing resources deployed to Azure using pre-flight and in-flight data.

This rule fails when "zones" is null, [], or contains fewer than two zones, provided the API Management service is deployed with the Premium SKU and the region supports availability zones.

Configure AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST to add availability zones that should be treated as supported but are not listed by the existing providers for namespace Microsoft.ApiManagement and resource type services.

# YAML: The default AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option
configuration:
  AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []
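
The pass/fail conditions described in these notes, as an added Python example (not the rule's own implementation): it evaluates a Microsoft.ApiManagement/service resource, including properties.additionalLocations. The SUPPORTED region map and SAMPLE resource are constructed; SUPPORTED is an assumption standing in for the provider's zone data plus any regions added through the configuration option.

```python
# Added example: approximates the rule's pass/fail logic; not the rule's source.

def _norm(location):
    """Compare regions by normalized name: 'Australia East' -> 'australiaeast'."""
    return (location or "").replace(" ", "").lower()


def _location_fails(sku, zones, location, supported):
    """True when a Premium deployment in a zone-capable region uses < 2 zones."""
    if str((sku or {}).get("name") or "").lower() != "premium":
        return False                      # rule only applies to the Premium SKU
    if not supported.get(_norm(location)):
        return False                      # region has no supported zones
    # null, [] and a single zone all fail
    return not isinstance(zones, list) or len(set(zones)) < 2


def check_apim_zones(resource, supported):
    """Return the locations of an API Management service that fail the rule."""
    if resource.get("type", "").lower() != "microsoft.apimanagement/service":
        return []
    failures = []
    if _location_fails(resource.get("sku"), resource.get("zones"),
                       resource.get("location"), supported):
        failures.append(resource.get("location"))
    extra = (resource.get("properties") or {}).get("additionalLocations") or []
    for loc in extra:
        if _location_fails(loc.get("sku"), loc.get("zones"),
                           loc.get("location"), supported):
            failures.append(loc.get("location"))
    return failures


# Constructed inputs (assumptions, not real provider data).
SUPPORTED = {"australiaeast": ["1", "2", "3"], "eastus": ["1", "2", "3"]}
SAMPLE = {
    "type": "Microsoft.ApiManagement/service",
    "location": "Australia East",
    "sku": {"name": "Premium", "capacity": 3},
    "zones": ["1", "2", "3"],
    "properties": {"additionalLocations": [
        {"location": "East US", "sku": {"name": "Premium", "capacity": 1},
         "zones": ["1"]},                 # fails: fewer than two zones
        {"location": "Brazil South", "sku": {"name": "Premium", "capacity": 1}},
    ]},                                   # skipped: region not in SUPPORTED
}

if __name__ == "__main__":
    print(check_apim_zones(SAMPLE, SUPPORTED))
```
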

Examples

Configure with Azure template

To set availability zones for an API Management service:

  • Set zones to a minimum of two zones from ["1", "2", "3"], ensuring the number of zones matches sku.capacity.
  • Set properties.additionalLocations[*].zones to a minimum of two zones from ["1", "2", "3"], ensuring the number of zones matches properties.additionalLocations[*].sku.capacity.
  • Set sku.name and/or properties.additionalLocations[*].sku.name to Premium.

For example:

Azure Template snippet
{
    "type": "Microsoft.ApiManagement/service",
    "apiVersion": "2021-01-01-preview",
    "name": "[parameters('service_api_mgmt_test2_name')]",
    "location": "Australia East",
    "sku": {
        "name": "Premium",
        "capacity": 3
    },
    "zones": [
        "1",
        "2",
        "3"
    ],
    "properties": {
        "publisherEmail": "john.doe@contoso.com",
        "publisherName": "contoso",
        "notificationSenderEmail": "apimgmt-noreply@mail.windowsazure.com",
        "hostnameConfigurations": [
            {
                "type": "Proxy",
                "hostName": "[concat(parameters('service_api_mgmt_test2_name'), '.azure-api.net')]",
                "negotiateClientCertificate": false,
                "defaultSslBinding": true,
                "certificateSource": "BuiltIn"
            }
        ],
        "additionalLocations": [
            {
                "location": "East US",
                "sku": {
                    "name": "Premium",
                    "capacity": 3
                },
                "zones": [
                    "1",
                    "2",
                    "3"
                ],
                "disableGateway": false
            }
        ],
        "customProperties": {
            "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "false",
            "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "false",
            "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "false",
            "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "false",
            "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "false",
            "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "false",
            "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "false",
            "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "false"
        },
        "virtualNetworkType": "None",
        "disableGateway": false,
        "apiVersionConstraint": {}
    }
}

Configure with Bicep

To set availability zones for an API Management service:

  • Set zones to a minimum of two zones from ["1", "2", "3"], ensuring the number of zones matches sku.capacity.
  • Set properties.additionalLocations[*].zones to a minimum of two zones from ["1", "2", "3"], ensuring the number of zones matches properties.additionalLocations[*].sku.capacity.
  • Set sku.name and/or properties.additionalLocations[*].sku.name to Premium.

For example:

Azure Bicep snippet
resource service_api_mgmt_test2_name_resource 'Microsoft.ApiManagement/service@2021-01-01-preview' = {
  name: service_api_mgmt_test2_name
  location: 'Australia East'
  sku: {
    name: 'Premium'
    capacity: 3
  }
  zones: [
    '1'
    '2'
    '3'
  ]
  properties: {
    publisherEmail: 'john.doe@contoso.com'
    publisherName: 'contoso'
    notificationSenderEmail: 'apimgmt-noreply@mail.windowsazure.com'
    hostnameConfigurations: [
      {
        type: 'Proxy'
        hostName: '${service_api_mgmt_test2_name}.azure-api.net'
        negotiateClientCertificate: false
        defaultSslBinding: true
        certificateSource: 'BuiltIn'
      }
    ]
    additionalLocations: [
      {
        location: 'East US'
        sku: {
          name: 'Premium'
          capacity: 3
        }
        // At least two zones, matching sku.capacity
        zones: [
          '1'
          '2'
          '3'
        ]
        disableGateway: false
      }
    ]
    customProperties: {
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'false'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'false'
    }
    virtualNetworkType: 'None'
    disableGateway: false
    apiVersionConstraint: {}
  }
}
