Can Azure API Management (VNet mode) access Azure Cache for Redis using Managed Identity instead of a connection string?
We currently use Azure API Management (APIM) in internal VNet mode and are connecting directly to Azure Cache for Redis using a connection string (hostname + access key). According to Azure documentation, this is not recommended due to security concerns, and we'd like to transition to Managed Identity-based authentication.
Here’s our setup:
- APIM is VNet-injected (internal mode)
- Redis tier: Premium
- Redis is configured as an external cache, directly accessed from APIM policies
- We do not have an intermediate backend (e.g., Azure Function or App Service). APIM talks to Redis directly
- Redis Premium is Private Endpoint-enabled, and we're aware of Azure RBAC support and token-based access in this tier
🔍 My question:
Is it possible to have Azure API Management use its Managed Identity to authenticate directly to Azure Cache for Redis Premium, without relying on a connection string?
If yes:
- What would the configuration look like in APIM?
- Can APIM acquire and forward an Azure AD access token to Redis?
- Is there any built-in policy or extension that enables this?
If no:
- Is the recommended secure architecture to introduce a backend (e.g., Azure Function with MSI) that handles Redis interactions, and let APIM proxy through it?
I’ve reviewed Microsoft Docs for Redis, APIM, and Managed Identity, but couldn’t find a definitive answer specific to APIM → Redis with MSI, without a backend in the middle.
Thanks in advance for any authoritative clarification or workaround.