How to Troubleshoot Azure API Management (Complete Fix Guide)
Why This Is Happening
I've seen this exact situation play out across dozens of enterprise Azure environments , a developer deploys an API through Azure API Management, everything looks fine in the portal, and then the first real request comes in and returns a cryptic 502 Bad Gateway or a 401 Unauthorized with no useful message attached. The frustration is real. Azure API Management sits between your callers and your backend services, and when something goes wrong anywhere in that chain, the error surfaced to the client rarely tells you where the actual problem lives.
Azure API Management (APIM) is genuinely powerful , it handles authentication, rate limiting, request transformation, caching, and routing across dozens of backend APIs. But that power comes with complexity. There are policies executing at the inbound layer, backend layer, outbound layer, and on-error layer. There are subscriptions, products, scopes, and certificates. There's the gateway itself, the developer portal, and the management plane. Any one of these can silently misbehave while everything else looks healthy.
The most common Azure API Management troubleshooting scenarios I encounter fall into five buckets. First: gateway errors, 502, 503, and 504 responses caused by the gateway failing to reach or parse a response from the backend. Second: authentication and authorization failures, 401 and 403 errors from misconfigured subscription keys, OAuth 2.0 policies, or JWT validation rules. Third: policy execution errors, broken XML in a policy document, an incorrect expression in a set-variable or send-request policy, or a policy referencing a named value that doesn't exist. Fourth: throttling surprises, 429 Too Many Requests responses that catch teams off guard when rate limits were set too aggressively. Fifth: CORS failures, pre-flight OPTIONS requests being rejected, which breaks browser-based clients in ways that look completely different from what's actually wrong.
What makes Azure API Management troubleshooting genuinely difficult is that Microsoft's error messages at the gateway level are intentionally vague for security reasons. A 401 response body might just say "Access denied due to missing subscription key.", which tells you almost nothing about whether the key exists, is expired, is associated with the wrong product, or is being passed in the wrong header. You need to know where to look, and that's exactly what this guide covers.
The Quick Fix, Try This First
Before diving into logs and policies, run through this 90-second diagnostic in the Azure portal. It catches the majority of issues without needing to touch a single line of policy XML.
Open the Azure Portal and navigate to your API Management instance. In the left sidebar, click APIs, select the specific API that's failing, then click Test in the top tab bar. Use the built-in test console to send the exact request that's failing. This is critical, the portal test console sends the request directly through the gateway using an administrator-level subscription key, bypassing product and subscription scope restrictions entirely.
If the test console returns a 200 OK but your external caller gets a 401, you immediately know the issue is subscription key or authentication-related, not the backend or policy logic. If the test console also fails with a 502 or 503, the problem is between APIM and your backend service. That distinction alone cuts your troubleshooting time in half.
Next, scroll down in the test pane and look at the Trace output. If tracing isn't enabled, click the Enable Tracing toggle at the top of the test tab. The trace output breaks down every policy execution step, inbound, backend, outbound, and on-error, showing you exactly which step failed, the policy name, the execution time in milliseconds, and any error message generated internally. This is the single most powerful Azure API Management debugging tool that most teams don't know about until they've spent hours elsewhere.
Check the Ocp-Apim-Trace-Location header in the response. When tracing is active, this header contains a URL to a blob where the full trace JSON is stored. Open it, it contains the complete internal execution log, including the raw backend request and response that the gateway sent and received.
Ocp-Apim-Subscription-Key header with a built-in all-access key automatically. When testing subscription-scoped APIs externally, always confirm you're sending the key in the correct header name, many teams accidentally send it as Authorization: Bearer [subscription-key] instead, which triggers a 401 that looks exactly like an OAuth failure but isn't.
The single biggest mistake teams make with Azure API Management troubleshooting is trying to debug in the dark. The portal test console helps for one-off requests, but for intermittent failures or production traffic analysis, you need persistent logging connected to Azure Monitor and Application Insights.
Go to your APIM instance in the Azure portal. In the left sidebar, under Monitoring, click Diagnostic settings. Click Add diagnostic setting. Give it a name like apim-diagnostics-prod. Under Category groups, check both GatewayLogs and allMetrics. Send these to a Log Analytics workspace, if you don't have one, create one now in the same region as your APIM instance.
Now wire up Application Insights. In the left sidebar, under Deployment and infrastructure, click Application Insights. Toggle Enable Application Insights to on, and select your Application Insights resource. Set the Sampling percentage to 100% for troubleshooting (you can reduce it later for cost management). Enable Log errors and Log all requests.
Once connected, open Application Insights and navigate to Failures in the left menu. You'll see a breakdown of failed operations with full request and response details, dependency traces to your backend, and exception stacks when policies throw errors. In Log Analytics, run this KQL query to see all gateway errors from the last hour:
ApiManagementGatewayLogs
| where TimeGenerated > ago(1h)
| where IsRequestSuccess == false
| project TimeGenerated, OperationName, ResponseCode, BackendResponseCode, LastErrorMessage, ClientIp
| order by TimeGenerated descIf this query returns results, you now have the LastErrorMessage column, the internal error the gateway generated, which is never exposed to the calling client. This is where you'll find the real answer.
A 401 Unauthorized in Azure API Management can come from three completely different places, and the fix for each is entirely different. I know this is frustrating, the same HTTP status code masks very different root causes, and the error body often doesn't help.
Cause A: Missing or invalid subscription key. Navigate to APIs → select your API → Settings tab. Look at the Subscription section. If Subscription required is checked, every caller must include a valid key. Verify the key header name, by default it's Ocp-Apim-Subscription-Key, but it can be customized. Also confirm the subscription is Active (not Suspended) by going to Subscriptions in the left sidebar and checking the state column.
Cause B: JWT validation policy failure. Open the policy editor for the failing API (APIs → your API → Design tab → click the </> icon under Inbound processing). Look for a <validate-jwt> element. Common failures here include:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401">
<openid-config url="https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration"/>
<required-claims>
<claim name="aud">
<value>api://your-app-id</value>
</claim>
</required-claims>
</validate-jwt>Check that the aud claim value exactly matches your registered application's App ID URI. A trailing slash difference or a mismatched GUID will cause a 401 every time. Enable tracing (Step from the Quick Fix section) and look for the validate-jwt node in the trace, it will show you exactly which claim validation failed.
Cause C: IP filtering or rate limit policy generating a 403. Search the policy XML for <ip-filter> or <quota> elements. A 403 from an IP filter means the caller's IP isn't in the allow list. The client IP as seen by the gateway is logged in ClientIp in GatewayLogs, cross-reference this against your filter list.
A 502 from Azure API Management means the gateway reached your backend but couldn't get a valid response back. This is different from a 503, which means the gateway couldn't connect at all. Understanding that distinction saves you from looking in the wrong place.
First, verify the backend URL is correct. Go to Backends in the left sidebar (or APIs → your API → Settings → Backend section). Look at the Service URL. Common issues: HTTP vs HTTPS mismatch, missing trailing slash causing double-slash in constructed URLs, or a URL that points to a hostname that resolves differently from inside Azure's network than from your developer machine.
For backend services hosted in an Azure Virtual Network, this is where things get complicated fast. If your APIM instance is in External VNet or Internal VNet mode, the gateway needs network line-of-sight to your backend. Use the built-in Network Connectivity Check tool, in the left sidebar under Deployment and infrastructure, click Network connectivity. This tool probes the backend endpoint from the gateway's network context and tells you if connectivity or DNS resolution is failing.
If your backend uses a self-signed TLS certificate or a private CA, the gateway will reject it by default. To bypass certificate validation during troubleshooting (never leave this in production), add this to your backend policy:
<set-backend-service backend-id="your-backend"/>
<!-- In the backend entity, set -->
<tls>
<validate-certificate-chain>false</validate-certificate-chain>
<validate-certificate-name>false</validate-certificate-name>
</tls>Or configure this through the portal by going to Backends → select your backend → under TLS settings, uncheck Validate certificate chain and Validate certificate name for testing. If this fixes the 502, your real fix is uploading the correct CA certificate to Certificates in the APIM instance and referencing it properly.
Check the BackendResponseCode in your GatewayLogs query from Step 1. If it shows a 500 from the backend, the issue isn't APIM, the backend service itself is throwing an error, and you need to look at the backend application logs directly.
Policy errors are the trickiest category of Azure API Management issues because they can produce completely misleading HTTP responses. A broken set-header policy might silently swallow a request. A malformed send-request policy might cause a 500 that looks like a backend crash. The Azure portal has a dedicated policy debugger tool that most teams haven't found yet.
Navigate to APIs → select your API → click Debug in the top navigation (next to Test and Design). This opens the Policy Debugger, a step-through debugger that executes your policies in real time, showing you the exact state of the request context at each policy step. You can inspect context variables, header values, and body content at every point in the pipeline.
For finding broken policy XML without the debugger, open the policy editor and look for these common mistakes:
<!-- BROKEN: Named value referenced incorrectly -->
<set-header name="Authorization">
<value>Bearer {{backend-token}}</value> <!-- Wrong: use {{named-value}} syntax -->
</set-header>
<!-- CORRECT -->
<set-header name="Authorization">
<value>@("Bearer " + context.Variables["backend-token"])</value>
</set-header>Named value references use double curly braces {{my-named-value}} in static strings, but inside C# expressions (anything inside @()), you access named values through context.Variables["key"] or (string)context.Variables["key"]. Mixing these up is extremely common and generates policy compilation errors that are logged in GatewayLogs under LastErrorMessage as "Expression evaluation failed".
To validate all named values actually exist, go to Named values in the left sidebar and confirm every name referenced in your policies appears in that list. A named value that was deleted but is still referenced in a policy will cause every request through that API to fail with a 500-level error, not a configuration warning at deploy time.
After any policy change, force a cache refresh by going to APIs, clicking the ... menu on your API, and selecting Publish if available, or simply wait 30 seconds for policy changes to propagate to all gateway units.
A 429 Too Many Requests response from Azure API Management means a rate limiting or quota policy has been triggered. Unlike most other errors, this one is working as designed, but "working as designed" isn't helpful if the limit is too aggressive, wrongly scoped, or the counter reset interval is misconfigured.
Find the throttling policy causing the issue. In your policy XML, search for <rate-limit>, <rate-limit-by-key>, <quota>, or <quota-by-key>. These can appear at the global level, product level, API level, or operation level, check all four layers because a stricter policy at a higher scope overrides more permissive policies below it.
A common misconfiguration looks like this, a product-level rate limit that's actually lower than the operation-level limit intended for internal callers:
<!-- Product-level policy (applied first, overrides API-level) -->
<rate-limit calls="10" renewal-period="60" />
<!-- API-level policy (never actually effective for calls over 10/min) -->
<rate-limit-by-key calls="1000" renewal-period="60"
counter-key="@(context.Subscription.Id)" />To check current rate limit counters and understand which subscriptions are hitting limits, query Log Analytics:
ApiManagementGatewayLogs
| where TimeGenerated > ago(1h)
| where ResponseCode == 429
| summarize RequestCount = count() by ClientIp, tostring(SubscriptionId), bin(TimeGenerated, 5m)
| order by RequestCount descIf legitimate traffic is being throttled, you have two fixes. For subscription-scoped limits: go to Products → select the product → Policies and increase the calls value or extend the renewal-period. For key-based limits: update the <rate-limit-by-key> policy and consider using a more granular counter key like context.Request.IpAddress to limit by client IP rather than by subscription, which distributes the quota more fairly across multiple callers sharing one subscription.
The 429 response from APIM includes a Retry-After header indicating how many seconds until the counter resets. Make sure your client applications are reading and respecting this header rather than hammering the gateway and making the situation worse.
Advanced Troubleshooting
If the steps above haven't resolved your Azure API Management issue, you're likely dealing with an infrastructure-level problem, an enterprise network configuration, or a subtle interaction between multiple policy layers. Here's where to go deeper.
Analyzing Gateway Logs with Advanced KQL Queries
In your Log Analytics workspace, the ApiManagementGatewayLogs table contains a wealth of information that the portal surface doesn't expose. Run this query to get a breakdown of failure patterns over the last 24 hours, grouped by error type:
ApiManagementGatewayLogs
| where TimeGenerated > ago(24h)
| where IsRequestSuccess == false
| extend ErrorCategory = case(
ResponseCode == 401, "Auth Failure",
ResponseCode == 403, "Access Denied",
ResponseCode == 429, "Throttled",
ResponseCode between (500 .. 599) and BackendResponseCode == 0, "Gateway Error",
ResponseCode between (500 .. 599), "Backend Error",
"Other"
)
| summarize Count = count(), AvgLatencyMs = avg(TotalTime) by ErrorCategory, OperationName
| order by Count descVNet-Injected APIM: NSG and UDR Issues
If your APIM instance is deployed inside a Virtual Network (Premium or Developer tier required), incorrect Network Security Group rules are responsible for roughly 40% of the mysterious connectivity failures I see. Azure APIM requires specific inbound and outbound NSG rules to function. The most commonly missed required rule: inbound port 3443 from the ApiManagement service tag must be allowed. Without it, the management plane can't communicate with the gateway, and you'll see the APIM instance show as unhealthy in the portal even though it's running.
# Check APIM health status via PowerShell
Connect-AzAccount
$apim = Get-AzApiManagement -ResourceGroupName "your-rg" -Name "your-apim-name"
$apim.AdditionalLocations
$apim.VpnType # Should be "External" or "Internal" for VNet-injectedCustom Domain and Certificate Issues
If you've configured a custom domain for your APIM gateway, proxy, or developer portal, certificate expiry is a silent killer. APIM doesn't send expiry warnings by default. Run this PowerShell to check your current certificate expiry dates:
$context = New-AzApiManagementContext -ResourceGroupName "your-rg" -ServiceName "your-apim-name"
Get-AzApiManagementCustomHostnameConfiguration -Context $context | Select-Object HostName, CertificateExpiry, CertificateSubjectMulti-Region Deployments: Premium Tier Routing Issues
In Premium tier deployments with multiple gateway regions, a request failing in one region but succeeding in another usually points to inconsistent policy deployment or backend connectivity differences between regions. In the GatewayLogs, the Region column tells you which gateway region processed each request. Filter on it to isolate region-specific failures.
Self-Hosted Gateway Troubleshooting
If you're running a self-hosted gateway (deployed as a container on-premises or in another cloud), connectivity problems between the self-hosted gateway and the APIM management plane are common. Check the container logs:
# Docker self-hosted gateway logs
docker logs apim-gateway --tail 200 | grep -i "error\|warn\|failed"
# Kubernetes deployment logs
kubectl logs -n apim-gateway deployment/apim-gateway --tail=200Escalate to Microsoft Support when: your APIM instance shows as unhealthy in the portal but all infrastructure checks pass; you're seeing consistent 503s with no backend response code and no gateway log entries (suggesting the issue is above the gateway layer); your VNet-injected APIM stopped routing traffic after a platform maintenance event; or a policy that was working correctly starts failing after an Azure platform update with no changes on your side. Open a Severity B or A ticket and include your correlation IDs from GatewayLogs, the CorrelationId column, which Microsoft support can use to trace requests through their internal infrastructure.
Prevention & Best Practices
Most Azure API Management issues I encounter in production are entirely preventable. The teams that avoid them have a few things in common, they instrument before they deploy, they test policies in a lower environment, and they treat the APIM configuration as code.
Use APIOps / GitOps for policy management. Storing your APIM configuration, APIs, products, policies, named values, in a Git repository and deploying via pipeline prevents the most common class of production issues: manual changes to the wrong environment. Microsoft's APIOps toolkit (available on GitHub under the Azure org) lets you extract your APIM configuration to YAML and deploy it via Azure DevOps or GitHub Actions. A policy change that broke production at 3 AM is a lot easier to deal with when git revert is the recovery path.
Set up Azure Monitor alerts proactively. Don't wait for users to report failures. In Azure Monitor, create metric alerts on your APIM instance for: Requests filtered to ResponseCode = 5xx exceeding a threshold, Capacity units above 70% (signals you need to scale up), and Duration (backend latency) above your SLA threshold. Route these alerts to a Teams channel or PagerDuty webhook so you know before your users do.
Test policies with mocked backends first. The <mock-response> policy in APIM lets you return a static response from the gateway without ever hitting a backend. Use it during development to verify your inbound and outbound policy logic in isolation, before wiring up a real backend that introduces another variable.
Pin named values to Key Vault secrets. Named values that store plain-text secrets in APIM are a rotation and security risk. Link named values to Azure Key Vault secrets instead, APIM will automatically fetch the current version when the secret is rotated, and you get audit logging on who accessed what and when.
- Enable Application Insights integration before going to production, not after your first outage, retroactive logging doesn't help you debug what already happened
- Create a separate APIM product with no rate limits for internal monitoring and health-check callers, so your uptime probes don't consume quota that affects paying customers
- Tag all APIM resources (instance, backends, named values) with environment, team, and cost-center tags, this makes it obvious which resources belong to which team when shared instances are involved
- Run
az apim backupbefore any major policy change in production; the backup can be restored to a new instance in the same region within minutes if something goes catastrophically wrong
Frequently Asked Questions
Why am I getting a 401 Unauthorized even though I'm sending the correct subscription key?
The most likely cause is that you're sending the key in the wrong header. By default, Azure APIM expects the subscription key in a header named Ocp-Apim-Subscription-Key. However, this name can be customized per API, go to your API's Settings tab and look at the Subscription key header name field. Also confirm the subscription itself is in Active state (not Suspended) by checking the Subscriptions blade. A subscription that was auto-suspended due to quota exhaustion shows as Suspended and all its keys stop working immediately, with no notification to the developer by default.
My API works fine in the APIM test console but fails when called from my app, what's different?
The test console in the Azure portal uses an administrator-level subscription key that bypasses product and subscription scope restrictions, it essentially has all-access. If your app uses a subscription key scoped to a specific product, that product's policies (rate limits, IP filters, JWT validation) all apply to your app but not to the console test. Also, the test console runs from Azure's own network, so if you have IP filtering policies that whitelist specific IPs, requests from your app's network must be in the allow list. Enable request tracing on both the console test and a real app call and compare the trace outputs side by side.
How do I fix CORS errors when calling my API from a browser?
CORS in Azure APIM must be handled by a <cors> policy in the inbound processing section of your API or globally. The browser sends a pre-flight OPTIONS request first, if APIM doesn't have a <cors> policy that allows OPTIONS, it returns a 405 Method Not Allowed or simply doesn't include the required CORS response headers, and the browser blocks the actual request. Add this to your API's inbound policy: <cors allow-credentials="true"><allowed-origins><origin>https://your-app.com</origin></allowed-origins><allowed-methods><method>GET</method><method>POST</method><method>OPTIONS</method></allowed-methods><allowed-headers><header>*</header></allowed-headers></cors>. In the portal, you can also use the Enable CORS checkbox under each operation's settings, which auto-generates this policy for you.
Azure API Management is showing "Unhealthy" in the portal, what does that actually mean?
An Unhealthy status in the APIM portal usually means the management plane can't communicate with one or more gateway units. If you're using a VNet-injected deployment, check your NSG rules first, inbound TCP 3443 from the ApiManagement service tag must be allowed, and outbound to AzureCloud on port 443 must be allowed. If you're not using a VNet, an Unhealthy status typically indicates a platform-level issue and you should check the Azure Service Health dashboard for your region. Go to Monitor → Service Health and filter to your subscription and the API Management service. If there's an active incident, Microsoft is already working on it.
How do I see the actual request body that APIM is sending to my backend?
Enable request tracing through the test console (APIs → your API → Test → enable the Trace toggle), then look at the Ocp-Apim-Trace-Location response header. Open that URL, it's a JSON file stored in Azure Blob Storage containing the complete trace, including a body field in the backend section that shows the exact request APIM forwarded. For production traffic, you can temporarily add a <log-to-eventhub> or <send-request> policy that captures and logs the request body, but be extremely careful about logging sensitive data in production and remove it after debugging.
Can I roll back a policy change that broke production without restoring from backup?
Yes, if you're using Azure APIM's revision system. Before making policy changes, create a new revision (APIs → your API → click the revision number → Add revision). Make your changes in the new revision and test them there without affecting live traffic. When ready, make the new revision current. If something breaks, you can switch the current revision back to the previous one in seconds, no downtime, no backup restore needed. This is the built-in blue-green deployment mechanism for APIM policies, and it's underused by most teams I work with.