Merge pull request #299211 from dlepow/dpevents

JillGrant615 · web-flow · commit aeb09033be29 · 2025-05-07T20:32:27.000-06:00
[APIM] Data plane events
diff --git a/articles/api-management/backends.md b/articles/api-management/backends.md
@@ -334,3 +334,4 @@ Include a JSON snippet similar to the following in your ARM template for a load-
 * Blog: [Using Azure API Management circuit breaker and load balancing with Azure OpenAI Service](https://techcommunity.microsoft.com/t5/fasttrack-for-azure/using-azure-api-management-circuit-breaker-and-load-balancing/ba-p/4041003)
 * Set up a [Service Fabric backend](how-to-configure-service-fabric-backend.yml) using the Azure portal.
 * Quickstart [Create a Backend Pool in Azure API Management using Bicep for load balance OpenAI requests](https://github.com/Azure-Samples/apim-lbpool-openai-quickstart)
+* See [Azure API Management as an Event Grid source](/azure/event-grid/event-schema-api-management) for information about Event Grid events that are generated by the gateway when a circuit breaker is tripped or reset. Use these events to take action before backend issues escalate. 
diff --git a/articles/api-management/how-to-event-grid.md b/articles/api-management/how-to-event-grid.md
@@ -5,7 +5,7 @@ author: dlepow
 ms.topic: how-to
 ms.service: azure-api-management
 ms.author: danlep
-ms.date: 11/2/2021
+ms.date: 05/07/2025
 ms.custom: devx-track-azurecli
 ---
 
@@ -15,12 +15,19 @@ ms.custom: devx-track-azurecli
 
 API Management integrates with [Azure Event Grid](../event-grid/overview.md) so that you can send event notifications to other services and trigger downstream processes. Event Grid is a fully managed event routing service that uses a publish-subscribe model. Event Grid has built-in support for Azure services like [Azure Functions](../azure-functions/functions-overview.md) and [Azure Logic Apps](../logic-apps/logic-apps-overview.md), and can deliver event alerts to non-Azure services using webhooks.
 
+You can subscribe to the following types of API Management events:
+
+* **Control plane events**: These events are generated when you create, update, or delete certain API Management resources. For example, you can receive an event when a new user or new product is created in your API Management instance.
+* **Data plane events** (preview): These events are generated  during operation of the API Management gateway. Currently, API Management can generate events for [backend circuit breakers](backends.md#circuit-breaker) and for the lifecycle of self-hosted gateway [access tokens](self-hosted-gateway-overview.md#authentication-options).
+
+For a complete list of available events, see the [Event Grid schema for API Management](../event-grid/event-schema-api-management.md).
+
+:::image type="content" source="media/how-to-event-grid/event-grid-intro.png" alt-text="Diagram of API Management integration with Event Grid.":::
+
 For example, using integration with Event Grid, you can build an application that updates a database, creates a billing account, and sends an email notification each time a user is added to your API Management instance.
 
 In this article, you subscribe to Event Grid events in your API Management instance, trigger events, and send the events to an endpoint that processes the data. To keep it simple, you send events to a sample web app that collects and displays the messages:
 
-:::image type="content" source="media/how-to-event-grid/event-grid-viewer-intro.png" alt-text="API Management events in Event Grid viewer":::
-
 [!INCLUDE [azure-cli-prepare-your-environment.md](~/reusable-content/azure-cli/azure-cli-prepare-your-environment.md)]
 - If you don't already have an API Management service, complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md)
 - Enable a [system-assigned managed identity](api-management-howto-use-managed-service-identity.md#create-a-system-assigned-managed-identity) in your API Management instance.
diff --git a/articles/api-management/media/how-to-event-grid/event-grid-intro.png b/articles/api-management/media/how-to-event-grid/event-grid-intro.png
diff --git a/articles/api-management/media/how-to-event-grid/event-grid-viewer-intro.png b/articles/api-management/media/how-to-event-grid/event-grid-viewer-intro.png
diff --git a/articles/api-management/self-hosted-gateway-overview.md b/articles/api-management/self-hosted-gateway-overview.md
@@ -134,6 +134,10 @@ To authenticate the connection between the self-hosted gateway and the cloud-bas
 | [Microsoft Entra authentication](self-hosted-gateway-enable-azure-ad.md)   | Configure one or more Microsoft Entra apps for access to gateway<br/><br/>Manage access separately per app<br/><br/>Configure longer expiry times for secrets in accordance with your organization's policies<br/><br/>Use standard Microsoft Entra procedures to assign or revoke user or group permissions to app and to rotate secrets<br/><br/>        |
 | Gateway access token (also called authentication key)    |  Token expires every 30 days at maximum and must be renewed in the containers<br/><br/>Backed by a gateway key that can be rotated independently (for example, to revoke access) <br/><br/>Regenerating gateway key invalidates all access tokens created with it        |
 
+> [!TIP]
+> See [Azure API Management as an Event Grid source](/azure/event-grid/event-schema-api-management) for information about Event Grid events that are generated by a self-hosted gateway when a gateway access token is near expiry or has expired. Use these events to ensure that deployed gateways are always able to authenticate with their associated API Management instance. 
+
+
 ### Connectivity failures
 
 When connectivity to Azure is lost, the self-hosted gateway is unable to receive configuration updates, report its status, or upload telemetry.
diff --git a/articles/event-grid/event-schema-api-management.md b/articles/event-grid/event-schema-api-management.md
@@ -4,7 +4,7 @@ description: This article describes how to use Azure API Management as an Event
 ms.topic: conceptual
 author: spelluru
 ms.author: spelluru
-ms.date: 06/15/2022
+ms.date: 05/01/2025
 ---
 
 # Azure API Management as an Event Grid source
@@ -26,23 +26,27 @@ API Management emits the following event types:
 | Microsoft.ApiManagement.ProductCreated | Raised when a product is created. |
 | Microsoft.ApiManagement.ProductUpdated | Raised when a product is updated. |
 | Microsoft.ApiManagement.ProductDeleted | Raised when a product is deleted. |
-| Microsoft.ApiManagement.ReleaseCreated | Raised when an API release is created. |
-| Microsoft.ApiManagement.ReleaseUpdated | Raised when an API release is updated. |
-| Microsoft.ApiManagement.ReleaseDeleted | Raised when an API release is deleted. |
+| Microsoft.ApiManagement.APIReleaseCreated | Raised when an API release is created. |
+| Microsoft.ApiManagement.APIReleaseUpdated | Raised when an API release is updated. |
+| Microsoft.ApiManagement.APIReleaseDeleted | Raised when an API release is deleted. |
 | Microsoft.ApiManagement.SubscriptionCreated | Raised when a subscription is created. |
 | Microsoft.ApiManagement.SubscriptionUpdated | Raised when a subscription is updated. |
 | Microsoft.ApiManagement.SubscriptionDeleted | Raised when a subscription is deleted. |
 | Microsoft.ApiManagement.GatewayCreated | Raised when a self-hosted gateway is created. |
 | Microsoft.ApiManagement.GatewayDeleted | Raised when a self-hosted gateway is updated. |
 | Microsoft.ApiManagement.GatewayUpdated | Raised when a self-hosted gateway is deleted. |
-| Microsoft.ApiManagement.GatewayAPIAdded | Raised when an API was removed from a self-hosted gateway. |
-| Microsoft.ApiManagement.GatewayAPIRemoved | Raised when an API was removed from a self-hosted gateway. |
-| Microsoft.ApiManagement.GatewayCertificateAuthorityCreated | Raised when a certificate authority was updated for a self-hosted. |
-| Microsoft.ApiManagement.GatewayCertificateAuthorityDeleted | Raised when a certificate authority was deleted for a self-hosted. |
-| Microsoft.ApiManagement.GatewayCertificateAuthorityUpdated | Raised when a certificate authority was updated for a self-hosted. |
-| Microsoft.ApiManagement.GatewayHostnameConfigurationCreated | Raised when a hostname configuration was created for a self-hosted. |
-| Microsoft.ApiManagement.GatewayHostnameConfigurationDeleted | Raised when a hostname configuration was deleted for a self-hosted. |
-| Microsoft.ApiManagement.GatewayHostnameConfigurationUpdated | Raised when a hostname configuration was updated for a self-hosted. |
+| Microsoft.ApiManagement.GatewayAPIAdded | Raised when an API is added to a self-hosted gateway. |
+| Microsoft.ApiManagement.GatewayAPIRemoved | Raised when an API is removed from a self-hosted gateway. |
+| Microsoft.ApiManagement.GatewayCertificateAuthorityCreated | Raised when a certificate authority is updated for a self-hosted gateway. |
+| Microsoft.ApiManagement.GatewayCertificateAuthorityDeleted | Raised when a certificate authority is deleted for a self-hosted gateway. |
+| Microsoft.ApiManagement.GatewayCertificateAuthorityUpdated | Raised when a certificate authority is updated for a self-hosted gateway. |
+| Microsoft.ApiManagement.GatewayHostnameConfigurationCreated | Raised when a hostname configuration is created for a self-hosted gateway. |
+| Microsoft.ApiManagement.GatewayHostnameConfigurationDeleted | Raised when a hostname configuration is deleted for a self-hosted gateway. |
+| Microsoft.ApiManagement.GatewayHostnameConfigurationUpdated | Raised when a hostname configuration is updated for a self-hosted gateway. |
+| Microsoft.ApiManagement.GatewayTokenNearExpiry (preview)| Raised when a self-hosted gateway access token is near expiry. |
+| Microsoft.ApiManagement.GatewayTokenExpired (preview) | Raised when a self-hosted gateway access token is expired. |
+| Microsoft.ApiManagement.CircuitBreaker.Opened (preview) | Raised when a backend circuit breaker is opened. |
+| Microsoft.ApiManagement.CircuitBreaker.Closed (preview)  | Raised when a backend circuit breaker is closed. |
 
 ## Example event
 
@@ -162,6 +166,113 @@ The following example shows the schema of an API updated event. The schema of ot
 
 ---
 
+# [Cloud event schema](#tab/cloud-event-schema)
+
+The following example shows the schema of a circuit breaker opened event. 
+
+```json
+{
+  "source": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}",
+  "subject": "/backends/{backend-name}/circuit-breaker/rules/{rule-name}",
+  "type": "Microsoft.ApiManagement.CircuitBreaker.Opened",
+  "time": "2025-04-02T00:47:47.8536532Z",
+  "id": "92c502f2-a966-42a7-a428-d3b319844544",
+  "data": {
+    "backendName": "{backend-name}",
+    "circuitBreaker": {
+      "rules": {
+        "{rule-name}": {
+          "tripDuration": "00:00:01"
+        }
+      }
+    }
+  },
+  "specVersion": "1.0"
+}
+```
+
+
+# [Event Grid event schema](#tab/event-grid-event-schema)
+
+The following example shows the schema of a circuit breaker opened event. The schema of a circuit breaker closed event is similar.
+  
+```json
+{
+  "id": "92c502f2-a966-42a7-a428-d3b319844544",
+  "topic": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}",
+  "subject": "/backends/{backend-name}/circuit-breaker/rules/{rule-name}",
+  "data": {
+    "backendName": "{backend-name}",
+    "circuitBreaker": {
+      "rules": {
+        "{rule-name}": {
+          "tripDuration": "00:00:01"
+        }
+      }
+    }
+  },
+  "eventType": "Microsoft.ApiManagement.CircuitBreaker.Opened",
+  "dataVersion": "1",
+  "metadataVersion": "1",
+  "eventTime": "2025-04-02T00:47:48.8269769Z"
+}
+```
+
+---
+
+# [Cloud event schema](#tab/cloud-event-schema)
+
+The following example shows the schema of a gateway token expired event. The schema of a gateway token near expiry event is similar, but substitutes an `expiresAtUtc` property for the `expiredAtUtc` property.
+
+```json
+{
+  "source": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}",
+  "subject": "/gateways/{gateway-name}/{instance-name}",
+  "type": "Microsoft.ApiManagement.GatewayTokenExpired",
+  "time": "2025-04-02T00:47:47.8536532Z",
+  "id": "92c502f2-a966-42a7-a428-d3b319844544",
+  "data": {
+    "gatewayInfo": {
+      "gatewayId": "{gateway-name}",
+      "instanceId": "{instance-name}"
+    },
+    "tokenInfo": {
+      "expiredAtUtc": "2025-02-25T08:56:00.0000000Z"
+    }
+  },
+  "specVersion": "1.0"
+}
+
+```
+
+
+# [Event Grid event schema](#tab/event-grid-event-schema)
+
+The following example shows the schema of a gateway token expired event. 
+
+```json
+{
+  "id": "92c502f2-a966-42a7-a428-d3b319844544",
+  "topic": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}",
+  "subject": "/gateways/{gateway-name}/{instance-name}",
+  "data": {
+    "gatewayInfo": {
+      "gatewayId": "{gateway-name}",
+      "instanceId": "{instance-name}"
+    },
+    "tokenInfo": {
+      "expiredAtUtc": "2025-02-25T08:56:00.0000000Z"
+    }
+  },
+  "eventType": "Microsoft.ApiManagement.GatewayTokenExpired",
+  "dataVersion": "1",
+  "metadataVersion": "1",
+  "eventTime": "2025-04-02T00:47:48.8269769Z"
+}
+```
+
+---
+
 ## Event properties
 
 
@@ -196,12 +307,38 @@ An event has the following top-level data:
 
 ---
 
-The data object has the following properties:
+
+### Data object properties
+
+
+#### Control plane events
+
+The `data` object has the following properties for control plane events such as creating, updating, and deleting API Management resources. 
 
 | Property | Type | Description |
 | -------- | ---- | ----------- |
 | `resourceUri` | string | The fully qualified ID of the resource that the compliance state change is for, including the resource name and resource type. Uses the format, `/subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroup>/Microsoft.ApiManagement/service/<ServiceName>/<ResourceType>/<ResourceName>` |
 
+#### Circuit breaker events
+
+The `data` object has the following properties for circuit breaker events. 
+
+
+| Property | Type | Description |
+| -------- | ---- | ----------- |
+|`backendNme` | string | The name (ID) of the backend entity in which the circuit breaker is configured. |
+|`circuitBreaker` | object | The circuit breaker configured in the backend, consisting of a `rules` object specifying the rule that tripped the backed. The rule has a `tripDuration` property in hh:mm:ss format specifying the duration for which the circuit breaker is tripped.
+
+#### Self-hosted gateway authentication token events
+
+The `data` object has the following properties for self-hosted gateway authentication token events.
+
+| Property | Type | Description |
+| -------- | ---- | ----------- |
+| `gatewayInfo` | object | The self-hosted gateway information, consisting of the following string properties:<br/><br/>*  `gatewayId` - The fully qualified ID of the gateway resource<br/>* `instanceId` - Unique instance ID of the deployed gateway |
+| `tokenInfo` | object | The token information, consisting of one of the following properties in the provider's UTC time:<br/><br/>* `expiresAtUtc` - for `GatewayTokenNearExpiry` event, or<br/>* `expiredAtUtc` - for `GatewayTokenExpired` event |
+
+
 ## Tutorials and how-tos
 
 |Title  |Description  |
