
Azure API Management external cache - how to choose which Redis I want to cache to?

Mateusz Wygoda 66 Reputation points
2026-03-19T10:29:26.82+00:00

Hi,

We have faced a situation where we want to use two different Redis instances to cache data: one for a system and one dedicated to HR.

The plan is to separate the cache data, because HR could contain sensitive data and we don't want to give access to all technical persons.

Is it possible to write a policy to choose:

  • hr_redis - when API 1 is called
  • other_redis - when API 2 is called

Our APIM and Redis are both in the same region and we have only one instance of APIM in our company.
The configuration is FD -> APIM -> Gateways/backends

Azure Policy

An Azure service that is used to implement corporate governance and standards at scale for Azure resources.


Answer accepted by question author
  1. Siva shunmugam Nadessin 7,735 Reputation points Microsoft External Staff Moderator
    2026-03-19T11:13:21.2666667+00:00

    Hello Mateusz Wygoda,

    Thank you for reaching out to the Microsoft Q&A forum.

    While investigating, we found that splitting your cache by API so HR traffic goes to one Redis and “other” traffic to another makes perfect sense from a security standpoint. Unfortunately, APIM’s built-in external-cache feature only lets you configure one cache per location (or per gateway), and there isn’t a “cache instance” attribute you can switch on per-operation in the standard cache-lookup/store policies.

    Here are a couple of workarounds you can consider:

    Use multiple gateways

    Spin up two self-hosted gateways (or two locations in a multi-region APIM):

      • Gateway HR – configure hr_redis as its External cache
      • Gateway Default – configure other_redis as its External cache

    Then map API 1 to the HR gateway and API 2 to the Default gateway.

    Pros: you keep using built-in cache policies (cache-lookup/store) with no custom code

    Cons: you need to deploy and manage an extra gateway

    Do custom caching inside your policies

      • Store both Redis connection strings in Named Values (secret)
      • In your inbound or backend policy for API 1 call a <send-request> or <send-request-policies> block to issue raw Redis commands (SET/GET) against the hr_redis endpoint
      • Similarly, inside API 2’s policy target the other_redis endpoint

    Pros: no extra gateway needed, full control over which Redis instance you hit

    Cons: you’re rolling your own Redis protocol calls, more complex policy logic

    If neither approach is suitable, the only other option is to split the two APIs into separate APIM instances (each with its own External cache configured).

    Hope that gives you a clear path forward!

    Reference docs

    • Configure External Redis in APIM (External cache blade) https://learn.microsoft.com/azure/api-management/api-management-howto-cache-external

    • cache-lookup/store policies https://learn.microsoft.com/azure/api-management/cache-store-policy https://learn.microsoft.com/azure/api-management/cache-lookup-policy

    • send-request policy (for custom Redis calls) https://learn.microsoft.com/azure/api-management/send-request-policy

    1 person found this answer helpful.
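
With the multiple-gateway workaround above, the built-in cache policies use whichever external cache is mapped to the gateway serving the API. The following policy for API 1 is an added example, not part of the original answer: it sets `caching-type="external"` on both policies, because the default, `prefer-external`, uses the built-in cache when no external cache is configured. The 60-second duration and the vary-by settings are assumed values.

```xml
<!-- Added example: API-scope policy for the HR API (API 1).
     Assumes this API is served only by the gateway whose external cache is hr_redis. -->
<policies>
    <inbound>
        <base />
        <!-- caching-type="external": use only the external cache configured for this
             gateway; do not use the built-in cache as prefer-external would when
             no external cache is configured. -->
        <cache-lookup vary-by-developer="false"
                      vary-by-developer-groups="false"
                      caching-type="external"
                      downstream-caching-type="none" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Assumed duration in seconds; keep the same caching-type as the lookup. -->
        <cache-store duration="60" caching-type="external" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The policy still does not name a Redis instance; the separation comes from associating API 1 only with the HR gateway and API 2 only with the default one.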

1 additional answer

  1. Q&A Assist
    2026-03-19T10:29:42.8366667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Yes. Configure both Redis instances as external caches in API Management and then select which one to use per API (or per gateway location) via the Use from setting and caching policies.

    High-level approach:

    1. Add both Redis instances as external caches
      • In the Azure portal, open the API Management instance.
      • Go to Deployment + infrastructure → External cache.
      • Select + Add and add:
        • hr_redis (Azure Managed Redis or custom Redis connection string)
        • other_redis (second Redis instance)
      • For each, choose an appropriate Use from value:
        • If both Redis instances are in the same region as APIM, you can:
          • Assign one cache to a specific region/location (for example, HR gateway location), and
          • Use Default or another region/location for the non-HR cache.
    2. Bind cache selection to gateway location (recommended)
      • The Use from setting determines which APIM gateway location uses which external cache:
        • A cache configured as Default is used by all locations unless overridden.
        • A cache configured for a specific region/location overrides Default for that region/location.
      • If HR APIs are exposed via a dedicated gateway location (for example, a self-hosted gateway or a specific region), configure:
        • hr_redis with Use from = that HR gateway location/region.
        • other_redis with Use from = Default (or other locations).
      • Then apply caching policies on the HR APIs; APIM will automatically use hr_redis for those calls and other_redis for APIs served from other locations.
    3. Apply caching policies per API/operation
      • After adding the external caches, enable caching only where needed:
        • On HR APIs (API 1), add caching policies (for example, cache-lookup-value, cache-store-value, or response caching policies). These calls will use the cache associated with the HR gateway/location.
        • On non-HR APIs (API 2), add caching policies on APIs served from locations that use other_redis.
      • APIM uses the external cache automatically once configured; the policy itself does not specify the Redis instance, the gateway/location mapping does.
    4. If using a self-hosted gateway for HR
      • For a self-hosted gateway, an external cache is required.
      • Add a Redis cache for that self-hosted gateway location via External cache → + Add → Custom and set Use from to that gateway location.
      • Deploy HR APIs only to that self-hosted gateway; their caching policies will use hr_redis.

    Key points:

    • Multiple external Redis-compatible caches can be configured on a single APIM instance.
    • Selection of which Redis is used is controlled by Use from (gateway region/location), not by a per-policy Redis connection string.
    • To separate HR cache data and access, isolate HR APIs to a dedicated gateway location (region or self-hosted gateway) and map that location to hr_redis, while mapping the rest to other_redis.

