
It took me some time to figure it out. Here is a howto to proxy from an Azure API Management to Cosmos DB.
Note down some point from your Cosmos Environment.

In my case we have the
URL https://fellowtest.documents.azure.com
Collections Id Items
Database ToDoList
We need this point later in the script. Go the Key section and write down the Primary Key:
Now open your API Management.

Enter here the Values
Now click on API and add a black API

Do not forget Products here.
Create a new operation


Select your new policy and click on to open the editor

@{
bool idBased = true;
var date = context.Variables.GetValueOrDefault("requestDateString");
var databaseId = "ToDoList";
var collectionId = "Items";
var verb = "GET";
var resourceType = "docs";
//var resourceLink = string.Format("dbs/{0}/colls/{1}/docs", databaseId, collectionId);
var resourceId = string.Format("dbs/{0}/colls/{1}", databaseId, collectionId);
var key = context.Variables.GetValueOrDefault("cosmoskey");
var keyType="master";
var tokenVersion="1.0";
var hmacSha256 = new System.Security.Cryptography.HMACSHA256 { Key = Convert.FromBase64String(key) };
verb = verb ?? "";
resourceType = resourceType ?? "";
resourceId = resourceId ?? "";
string payLoad = string.Format("{0}\n{1}\n{2}\n{3}\n{4}\n",
verb.ToLowerInvariant(),
resourceType.ToLowerInvariant(),
resourceId,
date.ToLowerInvariant(),
""
);
byte[] hashPayLoad = hmacSha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(payLoad));
string signature = Convert.ToBase64String(hashPayLoad);
return System.Uri.EscapeDataString(String.Format("type={0}&ver={1}&sig={2}",
keyType,
tokenVersion,
signature));
}
application/query+json
True
@(context.Variables.GetValueOrDefault("requestDateString"))
2017-02-22
true
@(context.LastError.Source)
@(context.LastError.Reason)
@(context.LastError.Message)
@(context.LastError.Scope)
@(context.LastError.Section)
@(context.LastError.Path)
@(context.LastError.PolicyId)
@(context.Response.StatusCode.ToString())
Now the point you need to change are:
var databaseId = "ToDoList"; var collectionId = "Items";
Click now on Test

Now write down the Public IP from your API Managment

Go back to Cosmos DB and click on Firewall

Your Cosmos is now protected