Reference: Self-hosted gateway container configuration settings
Availability
Important
This feature is available in the Premium and Developer tiers of API Management.
This article provides a reference for required and optional settings that are used to configure the API Management self-hosted gateway container.
To learn more about our (Kubernetes) production guidance, we recommend reading this article.
Important
This reference applies only to the self-hosted gateway v2. Minimum versions for availability of settings are provided.
Configuration API integration
The Configuration API is used by the self-hosted gateway to connect to Azure API Management to get the latest configuration and send metrics, when enabled.
Here is an overview of all configuration options:
Name | Description | Required | Default | Availability |
---|---|---|---|---|
gateway.name | ID of the self-hosted gateway resource. | Yes, when using Microsoft Entra authentication | N/A | v2.3+ |
config.service.endpoint | Configuration endpoint in Azure API Management for the self-hosted gateway. Find this value in the Azure portal under Gateways > Deployment. | Yes | N/A | v2.0+ |
config.service.auth | Defines how the self-hosted gateway should authenticate to the Configuration API. Currently gateway token and Microsoft Entra authentication are supported. | Yes | N/A | v2.0+ |
config.service.auth.azureAd.tenantId | ID of the Microsoft Entra tenant. | Yes, when using Microsoft Entra authentication | N/A | v2.3+ |
config.service.auth.azureAd.clientId | Client ID of the Microsoft Entra app to authenticate with (also known as application ID). | Yes, when using Microsoft Entra authentication | N/A | v2.3+ |
config.service.auth.azureAd.clientSecret | Secret of the Microsoft Entra app to authenticate with. | Yes, when using Microsoft Entra authentication (unless certificate is specified) | N/A | v2.3+ |
config.service.auth.azureAd.certificatePath | Path to certificate to authenticate with for the Microsoft Entra app. | Yes, when using Microsoft Entra authentication (unless secret is specified) | N/A | v2.3+ |
config.service.endpoint.disableCertificateValidation | Defines if the self-hosted gateway should validate the server-side certificate of the Configuration API. It is recommended to use certificate validation, only disable for testing purposes and with caution as it can introduce security risk. | No | false |
v2.0+ |
The self-hosted gateway provides support for a few authentication options to integrate with the Configuration API which can be defined by using config.service.auth
.
This guidance helps you provide the required information to define how to authenticate:
- For gateway token-based authentication, specify an access token (authentication key) of the self-hosted gateway in the Azure portal under Gateways > Deployment.
- For Microsoft Entra ID-based authentication, specify
azureAdApp
and provide the additionalconfig.service.auth.azureAd
authentication settings.
Cross-instance discovery & synchronization
Name | Description | Required | Default | Availability |
---|---|---|---|---|
neighborhood.host | DNS name used to resolve all instances of a self-hosted gateway deployment for cross-instance synchronization. In Kubernetes, it can be achieved by using a headless Service. | No | N/A | v2.0+ |
neighborhood.heartbeat.port | UDP port used for instances of a self-hosted gateway deployment to send heartbeats to other instances. | No | 4291 | v2.0+ |
policy.rate-limit.sync.port | UDP port used for self-hosted gateway instances to synchronize rate limiting across multiple instances. | No | 4290 | v2.0+ |
HTTP
Name | Description | Required | Default | Availability |
---|---|---|---|---|
net.server.http.forwarded.proto.enabled | Capability to honor X-Forwarded-Proto header to identify scheme to resolve called API route (http/https only). |
No | false | v2.5+ |
Kubernetes Integration
Kubernetes Ingress
Important
Support for Kubernetes Ingress is currently experimental and not covered through Azure Support. Learn more on GitHub.
Name | Description | Required | Default | Availability |
---|---|---|---|---|
k8s.ingress.enabled | Enable Kubernetes Ingress integration. | No | false |
v1.2+ |
k8s.ingress.namespace | Kubernetes namespace to watch Kubernetes Ingress resources in. | No | default |
v1.2+ |
k8s.ingress.dns.suffix | DNS suffix to build DNS hostname for services to send requests to. | No | svc.cluster.local |
v2.4+ |
k8s.ingress.config.path | Path to Kubernetes configuration (Kubeconfig). | No | N/A | v2.4+ |
Metrics
Name | Description | Required | Default | Availability |
---|---|---|---|---|
telemetry.metrics.local | Enable local metrics collection through StatsD. Value is one of the following options: none , statsd . |
No | none |
v2.0+ |
telemetry.metrics.local.statsd.endpoint | StatsD endpoint. | Yes, if telemetry.metrics.local is set to statsd ; otherwise no. |
N/A | v2.0+ |
telemetry.metrics.local.statsd.sampling | StatsD metrics sampling rate. Value must be between 0 and 1, for example, 0.5. | No | N/A | v2.0+ |
telemetry.metrics.local.statsd.tag-format | StatsD exporter tagging format. Value is one of the following options: ibrato , dogStatsD , influxDB . |
No | N/A | v2.0+ |
telemetry.metrics.cloud | Indication whether or not to enable emitting metrics to Azure Monitor. | No | true |
v2.0+ |
observability.opentelemetry.enabled | Indication whether or not to enable emitting metrics to an OpenTelemetry collector on Kubernetes. | No | false |
v2.0+ |
observability.opentelemetry.collector.uri | URI of the OpenTelemetry collector to send metrics to. | Yes, if observability.opentelemetry.enabled is set to true ; otherwise no. |
N/A | v2.0+ |
observability.opentelemetry.system-metrics.enabled | Enable sending system metrics to the OpenTelemetry collector such as CPU, memory, garbage collection, etc. | No | false |
v2.3+ |
observability.opentelemetry.histogram.buckets | Histogram buckets in which OpenTelemetry metrics should be reported. Format: "x,y,z,...". | No | "5,10,25,50,100,250,500,1000,2500,5000,10000" | v2.0+ |
Logs
Name | Description | Required | Default | Availability |
---|---|---|---|---|
telemetry.logs.std | Enable logging to a standard stream. Value is one of the following options: none , text , json . |
No | text |
v2.0+ |
telemetry.logs.std.level | Defines the log level of logs sent to standard stream. Value is one of the following options: all , debug , info , warn , error or fatal . |
No | info |
v2.0+ |
telemetry.logs.std.color | Indication whether or not colored logs should be used in standard stream. | No | true |
v2.0+ |
telemetry.logs.local | Enable local logging. Value is one of the following options: none , auto , localsyslog , rfc5424 , journal , json |
No | auto |
v2.0+ |
telemetry.logs.local.localsyslog.endpoint | localsyslog endpoint. | Yes if telemetry.logs.local is set to localsyslog ; otherwise no. See local syslog documentation for more details on configuration. |
N/A | v2.0+ |
telemetry.logs.local.localsyslog.facility | Specifies localsyslog facility code, for example, 7 . |
No | N/A | v2.0+ |
telemetry.logs.local.rfc5424.endpoint | rfc5424 endpoint. | Yes if telemetry.logs.local is set to rfc5424 ; otherwise no. |
N/A | v2.0+ |
telemetry.logs.local.rfc5424.facility | Facility code per rfc5424, for example, 7 |
No | N/A | v2.0+ |
telemetry.logs.local.journal.endpoint | Journal endpoint. | Yes if telemetry.logs.local is set to journal ; otherwise no. |
N/A | v2.0+ |
telemetry.logs.local.json.endpoint | UDP endpoint that accepts JSON data, specified as file path, IP:port, or hostname:port. | Yes if telemetry.logs.local is set to json ; otherwise no. |
127.0.0.1:8888 | v2.0+ |
Security
Certificates and Ciphers
Name | Description | Required | Default | Availability |
---|---|---|---|---|
certificates.local.ca.enabled | Indication whether or not the self-hosted gateway should use local CA certificates that are mounted. It's required to run the self-hosted gateway as root or with user ID 1001. | No | false |
v2.0+ |
net.server.tls.ciphers.allowed-suites | Comma-separated list of ciphers to use for TLS connection between API client and the self-hosted gateway. | No | TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA |
v2.0+ |
net.client.tls.ciphers.allowed-suites | Comma-separated list of ciphers to use for TLS connection between the self-hosted gateway and the backend. | No | TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA |
v2.0+ |
security.certificate-revocation.validation.enabled | Provides capability to turn certificate revocation list validation on/off | No | false |
v2.3.6+ |
TLS
Name | Description | Required | Default | Availability |
---|---|---|---|---|
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls13 | Indication whether or not TLS 1.3 is allowed towards the backend. Similar to managing protocol ciphers in managed gateway. | No | true |
v2.0+ |
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls12 | Indication whether or not TLS 1.2 is allowed towards the backend. Similar to managing protocol ciphers in managed gateway. | No | true |
v2.0+ |
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11 | Indication whether or not TLS 1.1 is allowed towards the backend. Similar to managing protocol ciphers in managed gateway. | No | false |
v2.0+ |
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10 | Indication whether or not TLS 1.0 is allowed towards the backend. Similar to managing protocol ciphers in managed gateway. | No | false |
v2.0+ |
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30 | Indication whether or not SSL 3.0 is allowed towards the backend. Similar to managing protocol ciphers in managed gateway. | No | false |
v2.0+ |
Sovereign clouds
Here is an overview of settings that need to be configured to be able to work with sovereign clouds:
Name | Azure operated by 21Vianet |
---|---|
config.service.auth.tokenAudience | https://azure-api.cn/configuration |
logs.applicationinsights.endpoint | https://dc.applicationinsights.azure.cn/v2/track |
How to configure settings
Kubernetes YAML file
When deploying the self-hosted gateway to Kubernetes using a YAML file, configure settings as name-value pairs in the data
element of the gateway's ConfigMap. For example:
apiVersion: v1
kind: ConfigMap
metadata:
name: contoso-gateway-environment
data:
config.service.endpoint: "contoso.configuration.azure-api.cn"
telemetry.logs.std: "text"
telemetry.logs.local.localsyslog.endpoint: "/dev/log"
telemetry.logs.local.localsyslog.facility: "7"
[...]
Helm chart
When using Helm to deploy the self-hosted gateway to Kubernetes, pass chart configuration settings as parameters to the helm install
command. For example:
helm install azure-api-management-gateway \
--set gateway.configuration.uri='contoso.configuration.azure-api.cn' \
--set gateway.auth.key='GatewayKey contosogw&xxxxxxxxxxxxxx...' \
--set secret.createSecret=false \
--set secret.existingSecretName=`mysecret` \
azure-apim-gateway/azure-api-management-gateway