Skip to article
Integration Application delivery and API edge

API Management self-hosted gateway

An API Management self-hosted gateway is a containerized copy of the API Management gateway that runs where your APIs live, such as on-premises, another cloud, or an Azure Kubernetes environment. Azure API Management remains the place where teams define APIs, products, policies, and observability..

Source: Microsoft Learn - Self-hosted gateway overview Reviewed 2026-05-10

Exam trap
Changing API Management self-hosted gateway in production before proving the exact scope, owner, and dependency chain that will be affected.
Production check
Can you identify the exact Azure resource, API, app, cluster, or tenant object that owns API Management self-hosted gateway?
Article details and learning context
Aliases
APIM self-hosted gateway, self-hosted API gateway
Difficulty
intermediate
CLI mappings
4
Last verified
2026-05-10

Understand the concept

In plain English

An API Management self-hosted gateway is a containerized copy of the API Management gateway that runs where your APIs live, such as on-premises, another cloud, or an Azure Kubernetes environment. Azure API Management remains the place where teams define APIs, products, policies, and observability. Runtime traffic can stay local to the backend environment. In plain terms, it gives you centralized API governance with distributed gateway placement for hybrid, regulated, or latency-sensitive workloads. Teams should document the owner, environment, and expected behavior.

Why it matters

Self-hosted gateways matter because not every API should hairpin through an Azure-managed gateway. Factories, hospitals, banks, and multicloud platforms often need API traffic to stay near local systems for latency, data residency, or network-control reasons. The self-hosted gateway lets the organization keep one API Management control plane while placing policy enforcement close to the backend. It also reduces duplicate gateway tooling across environments. The tradeoff is operational responsibility: teams must run, secure, patch, monitor, scale, and network the gateway containers correctly. Clear ownership, evidence, and rollback notes turn the concept into something teams can operate safely. That discipline matters when several application, platform, and security teams share responsibility.

Official wording and source

An API Management self-hosted gateway is a containerized gateway deployed outside the managed Azure gateway while still being configured and monitored from an API Management instance.

Open Microsoft Learn

Technical context

Technically, the self-hosted gateway is a Linux container associated with one API Management instance. It downloads configuration from the management plane over outbound connectivity, applies policies on local request traffic, reports health and telemetry, and can run with Kubernetes, Docker, Azure Arc-enabled Kubernetes, or other container platforms. It is available in supported API Management tiers and should be versioned deliberately. With configuration backup, it can continue using saved configuration during temporary connectivity loss to Azure.

Exam context

Compare with

Where it is used

Where you see it

  1. You see it as a gateway resource associated with an API Management instance, then deployed as a container image into Kubernetes, Docker, or Azure Arc environments.
  2. You see it in hybrid API architectures where traffic flows locally to on-premises or multicloud backends while configuration remains managed from Azure. before production rollout
  3. You see it in operations dashboards through gateway heartbeat, configuration sync, container restarts, backend latency, and telemetry flowing back to API Management or monitoring tools.

Common situations

  • Move events or messages between applications without direct synchronous dependencies.
  • Build workflows that coordinate systems, APIs, data, and human approvals.
  • Troubleshoot dead-letter, retry, ordering, throughput, or subscription behavior.
  • Document how producers and consumers interact in a production system.

Illustrative Azure scenarios

These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.

Scenario 01 Factory API traffic kept local Scenario, objectives, solution, measured impact, and takeaway.
Scenario

Woodgrove Automation, a manufacturing company, needed API governance from Azure while plant-controller traffic stayed inside factory networks.

Goals
  • keep controller API traffic local to each plant
  • enforce the same JWT and rate-limit policies everywhere
  • reduce API latency by at least 20 percent
  • centralize API documentation and product management
Approach using API Management self-hosted gateway

The platform team deployed API Management self-hosted gateways into Kubernetes clusters at two factories. The Azure API Management instance remained the control plane for APIs, products, named values, policies, and developer-portal documentation. Each local gateway pulled configuration from Azure over outbound connectivity, then handled runtime requests inside the plant network. Policies validated tokens, normalized headers, and enforced rate limits before reaching controller backends. Kubernetes monitoring tracked pod restarts, CPU, memory, and configuration sync, while API diagnostics captured request outcomes. The team pinned gateway image versions and enabled configuration backup for resilience during WAN interruptions. The runbook named API Management self-hosted gateway ownership, rollback evidence, expected monitoring signals, and the first support checks after rollout.

Potential outcomes
  • controller API latency dropped 34 percent in the first plant
  • security enforced one policy model across cloud and factory APIs
  • WAN outages no longer stopped running gateway traffic
  • developer onboarding used the central API Management portal
What to learn

A self-hosted gateway is valuable when API governance must be centralized but runtime traffic belongs close to local systems.

Scenario 02 Healthcare data-residency gateway Scenario, objectives, solution, measured impact, and takeaway.
Scenario

Blue Ridge Care, a healthcare provider, needed partner APIs for a regional lab network without routing protected traffic through another region.

Goals
  • keep lab API traffic inside the regional network
  • use central APIM policy governance
  • prove TLS, token, and logging controls for compliance
  • maintain service during temporary Azure connectivity loss
Approach using API Management self-hosted gateway

Architects associated a self-hosted gateway with the provider’s API Management instance and deployed it on a regional container platform near lab systems. API Management stored the API definitions, products, and validation policies, while runtime calls from partner systems terminated at the local gateway. The gateway used TLS, JWT validation, rate limits, and correlation headers. Configuration backup allowed stopped containers to restart with the last known good configuration during a short connectivity issue. Operators monitored heartbeat to Azure, local pod health, backend response time, and diagnostics retention. Security reviewed certificates, outbound firewall rules, and image version pinning before go-live. The runbook named API Management self-hosted gateway ownership, rollback evidence, expected monitoring signals, and the first support checks after rollout.

Potential outcomes
  • regional routing satisfied data-residency review requirements
  • partner API p95 latency improved 29 percent
  • configuration backup supported a successful connectivity-loss drill
  • audit evidence showed centralized policies and local traffic flow
What to learn

Self-hosted gateways help regulated teams balance central API management with local traffic and compliance boundaries.

Scenario 03 Multicloud claims integration Scenario, objectives, solution, measured impact, and takeaway.
Scenario

Proseware Insurance, a global insurer, needed one API catalog while several claims services ran in another cloud.

Goals
  • avoid duplicate gateway tooling in every cloud
  • keep claims traffic near non-Azure backends
  • standardize authentication and throttling policies
  • reduce cross-cloud data transfer by 25 percent
Approach using API Management self-hosted gateway

The architecture group deployed API Management self-hosted gateways in the cloud environment hosting the claims services. Azure API Management stayed the management plane, so API owners published products, operations, subscriptions, and policies once. Runtime requests from claims partners entered the local gateway and were routed to nearby backends without unnecessary Azure transit. The team configured diagnostics, heartbeat monitoring, gateway replica scaling, and backup storage for configuration. CLI and deployment scripts documented gateway resources, policy scope, and image tags before release. Security approved outbound-only connectivity to Azure configuration endpoints and limited administrative access to the container environment. The runbook named API Management self-hosted gateway ownership, rollback evidence, expected monitoring signals, and the first support checks after rollout.

Potential outcomes
  • cross-cloud transfer volume fell 31 percent for claims APIs
  • API owners managed one catalog instead of three gateway stacks
  • policy drift dropped because rules came from one APIM instance
  • gateway health checks found one undersized replica before launch
What to learn

Self-hosted gateways are practical for hybrid and multicloud estates that need one API control plane without forcing all traffic through Azure.

Azure CLI

Azure CLI is useful for API Management self-hosted gateway because it gives operators repeatable evidence instead of one-off portal screenshots. Teams can inspect configuration, compare environments, export review data, and automate safe changes before hybrid API traffic changes.

Useful for

  • Inventory API Management gateway and deployment configuration across resource groups and subscriptions before a release, migration, audit, or incident review.
  • Show the current API Management gateway and deployment configuration configuration and capture IDs, scopes, names, status fields, or route settings for change evidence.
  • Update nonproduction API Management gateway and deployment configuration settings through a scripted path, then compare the result with the approved production baseline.
  • Export command output as JSON so platform, security, and application teams can review the same facts during troubleshooting.

Before you run a command

  • Confirm tenant, subscription, resource group, service name, and environment because similarly named resources often exist in several stages.
  • Use an identity with the least privileges required to read or change the resource, and record whether the command is read-only.
  • Check whether the operation affects production traffic, security boundaries, authentication, routing, throttling, or customer-visible behavior.
  • Choose JSON output for evidence, and save the previous configuration before running commands that create, update, or delete settings.

What the output tells you

  • Resource IDs and names prove which Azure boundary was inspected, preventing mistakes caused by the wrong subscription or instance.
  • Status, version, route, identity, or policy fields show whether the live configuration matches the intended design or release record.
  • Missing values, empty arrays, or unexpected defaults often reveal incomplete deployment, portal-only drift, or permissions hiding part of the result.
  • Timestamps, provisioning states, and nested properties help separate a failed change from a working configuration that simply needs propagation time.

Mapped commands

Apim operations

direct
az apim list --resource-group <resource-group>
az apimdiscoverIntegration
az apim show --name <apim-name> --resource-group <resource-group>
az apimdiscoverIntegration
az apim api list --service-name <apim-name> --resource-group <resource-group>
az apim apidiscoverIntegration
az apim api import --service-name <apim-name> --resource-group <resource-group> --path <path> --specification-url <url> --specification-format OpenApi
az apim apiprovisionIntegration

Architecture context

Security: Security requires treating the self-hosted gateway as production infrastructure, not just an API Management setting. The container needs outbound connectivity to its API Management configuration endpoint, secure authentication to the service, TLS settings, protected secrets, and controlled network placement near backends. Custom domains, certificates, image versions, and configuration backup need review. Because traffic may stay outside Azure, local firewall rules, Kubernetes access, logging, and certificate handling become critical. Operators should avoid rolling tags in production unless they deliberately accept automatic gateway image changes. Security reviewers should confirm the approved scope, identity path, and logging behavior before production release. Temporary exceptions should have owners, expiration dates, and evidence of removal. Reliability: Reliability depends on gateway replicas, container health, local network stability, configuration backup, and connectivity back to the API Management management plane. If Azure connectivity is interrupted, running gateways can continue with in-memory configuration, and backup can help stopped gateways restart with saved configuration. Teams should monitor heartbeat, configuration-sync status, pod restarts, CPU, memory, and backend latency. High availability requires more than enabling the feature; it needs replica placement, persistent backup storage where used, version-pinning, and tested recovery from node, network, and configuration failures. Reliable teams test the setting in nonproduction, document rollback values, and monitor the first production signals after change. Operations: Operations teams manage self-hosted gateways like both API infrastructure and container workloads. They deploy images, pin versions, configure environment variables, rotate secrets or tokens, monitor heartbeat, review policy synchronization, and coordinate APIM configuration changes with platform releases. Kubernetes operators should watch pod health, ingress rules, persistent volumes for backup, and network policies. API owners still use API Management for products, operations, and policies, while platform teams own runtime placement. Clear ownership is essential because gateway failures can look like backend failures to consumers. Runbooks should include owners, commands, expected outputs, review cadence, and the first checks to perform during incidents. Cost: Self-hosted gateways can reduce data-transfer or latency-related costs when APIs and clients are near local backends, but they add infrastructure costs where the gateway runs. Kubernetes nodes, container runtime, logging, persistent storage, monitoring, and support effort all count. API Management tier requirements also matter. Cost reviews should compare managed-gateway traffic through Azure with local gateway hosting, especially for high-volume internal APIs. Overprovisioned replicas, excessive telemetry, and unnecessary gateways in every environment can erase expected savings, so capacity should match measured request volume and resilience needs. Cost owners should review usage, diagnostics, and duplicated environments whenever the setting changes or traffic grows. Performance: Performance improves when the gateway is placed close to backend APIs or clients that would otherwise route through a distant Azure region. Local placement can reduce latency and data transfer, but container sizing, policy complexity, TLS termination, DNS, and backend proximity still determine real throughput. Operators should benchmark native backend calls, managed-gateway calls, and self-hosted-gateway calls under realistic load. Scaling replicas, pinning versions, reducing heavy policies, and monitoring local network constraints help. A self-hosted gateway should be measured as a runtime component, not assumed faster by design. Performance reviews should compare before-and-after telemetry and separate gateway, identity, network, and backend effects.

Security
Security requires treating the self-hosted gateway as production infrastructure, not just an API Management setting. The container needs outbound connectivity to its API Management configuration endpoint, secure authentication to the service, TLS settings, protected secrets, and controlled network placement near backends. Custom domains, certificates, image versions, and configuration backup need review. Because traffic may stay outside Azure, local firewall rules, Kubernetes access, logging, and certificate handling become critical. Operators should avoid rolling tags in production unless they deliberately accept automatic gateway image changes. Security reviewers should confirm the approved scope, identity path, and logging behavior before production release. Temporary exceptions should have owners, expiration dates, and evidence of removal.
Cost
Self-hosted gateways can reduce data-transfer or latency-related costs when APIs and clients are near local backends, but they add infrastructure costs where the gateway runs. Kubernetes nodes, container runtime, logging, persistent storage, monitoring, and support effort all count. API Management tier requirements also matter. Cost reviews should compare managed-gateway traffic through Azure with local gateway hosting, especially for high-volume internal APIs. Overprovisioned replicas, excessive telemetry, and unnecessary gateways in every environment can erase expected savings, so capacity should match measured request volume and resilience needs. Cost owners should review usage, diagnostics, and duplicated environments whenever the setting changes or traffic grows.
Reliability
Reliability depends on gateway replicas, container health, local network stability, configuration backup, and connectivity back to the API Management management plane. If Azure connectivity is interrupted, running gateways can continue with in-memory configuration, and backup can help stopped gateways restart with saved configuration. Teams should monitor heartbeat, configuration-sync status, pod restarts, CPU, memory, and backend latency. High availability requires more than enabling the feature; it needs replica placement, persistent backup storage where used, version-pinning, and tested recovery from node, network, and configuration failures. Reliable teams test the setting in nonproduction, document rollback values, and monitor the first production signals after change.
Performance
Performance improves when the gateway is placed close to backend APIs or clients that would otherwise route through a distant Azure region. Local placement can reduce latency and data transfer, but container sizing, policy complexity, TLS termination, DNS, and backend proximity still determine real throughput. Operators should benchmark native backend calls, managed-gateway calls, and self-hosted-gateway calls under realistic load. Scaling replicas, pinning versions, reducing heavy policies, and monitoring local network constraints help. A self-hosted gateway should be measured as a runtime component, not assumed faster by design. Performance reviews should compare before-and-after telemetry and separate gateway, identity, network, and backend effects.
Operations
Operations teams manage self-hosted gateways like both API infrastructure and container workloads. They deploy images, pin versions, configure environment variables, rotate secrets or tokens, monitor heartbeat, review policy synchronization, and coordinate APIM configuration changes with platform releases. Kubernetes operators should watch pod health, ingress rules, persistent volumes for backup, and network policies. API owners still use API Management for products, operations, and policies, while platform teams own runtime placement. Clear ownership is essential because gateway failures can look like backend failures to consumers. Runbooks should include owners, commands, expected outputs, review cadence, and the first checks to perform during incidents.

Common mistakes

  • Changing API Management self-hosted gateway in production before proving the exact scope, owner, and dependency chain that will be affected.
  • Trusting a portal label without exporting the underlying JSON, especially when workspaces, revisions, identities, or environments are involved.
  • Assuming a successful command means the application path works; many Azure settings still require client, network, or policy validation.
  • Ignoring rollback evidence, which turns a small configuration error into a long outage or audit dispute.