Implementing API policies

Azure API Management

Fiodar Sazanavets

Senior Software Engineer at Microsoft

Introduction to API policies

API Management policies

  • Like a bouncer: check who gets in
  • Like speed-limit signs: control traffic flow
  • Protect APIs by blocking troublemakers
  • Throttle requests so no one overwhelms the system
  • Everything that passes in or out of the API gateway is controlled by policies

API Management policies overview

APIM policies

  • Policies are a set of powerful rules written in simple XML
  • Think of them as a request-and-response pipeline
  • You can insert rules at different stages to shape traffic
  • The best part: no need to touch your backend code

Example: backward compatibility

Backward compatibility through APIM

Policy scopes

  • Policies can be global and organization-wide
    • These rules control all APIs
  • Can be applied to individual APIs
    • Allow us to manage a specific product
  • Can be applied to individual endpoints
    • Used for fine-grained control

Inbound policies

  • When a request arrives, APIM evaluates inbound policies first
  • Example: Make old app versions compatible with new APIs by augmenting payload data
  • Inbound policies can guard against malicious requests
  • They detect malformed requests or missing data
  • This early guardrail stops bad data before it ever reaches the backend services

Inbound data augmentation

Request validation
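The two slides above (inbound data augmentation and request validation) describe what an inbound section does; the policy document below is an added example written for this page, not code from the course or from Azure documentation. It assumes a JSON API whose newer backend requires a `currency` field that older client versions never sent, and the `X-Contract-Version` header name is an invented one. Angle brackets inside `@{ }` expressions (such as `As<JObject>`) are accepted by the APIM policy editor even though they are not strict XML.

```xml
<!-- Inbound section of an API-scoped policy (added example; not from the course) -->
<policies>
    <inbound>
        <!-- Run the policies inherited from the enclosing scopes (global, product) first -->
        <base />

        <!-- Request validation: reject anything that is not JSON before any parsing happens -->
        <check-header name="Content-Type" failed-check-httpcode="415"
                      failed-check-error-message="Only application/json is accepted"
                      ignore-case="true">
            <value>application/json</value>
        </check-header>

        <!-- Reject oversized bodies and bodies that fail the operation's JSON schema
             (the schema, if any, comes from the API definition) -->
        <validate-content unspecified-content-type-action="prevent" max-size="65536"
                          size-exceeded-action="prevent"
                          errors-variable-name="requestBodyValidation">
            <content type="application/json" validate-as="json" action="prevent" />
        </validate-content>

        <!-- Data augmentation (backward compatibility): fill in the field that
             old client versions omit, so the backend only ever sees the new contract -->
        <set-body>@{
            var body = context.Request.Body.As<JObject>(preserveContent: true);
            if (body["currency"] == null)
            {
                body["currency"] = "USD"; // assumed default for legacy clients
            }
            return body.ToString();
        }</set-body>

        <!-- Hypothetical header telling the backend the payload was normalised at the gateway -->
        <set-header name="X-Contract-Version" exists-action="override">
            <value>2</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The order matters: the cheap header check runs first, the body is validated next, and only a request that has passed both is rewritten, so the gateway never spends effort reshaping a payload it is about to reject.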

Security and throttling

Inbound policy for security

Enforcing request quotas

  • Inbound policies are also responsible for security
  • A common policy: validate a JWT (JSON Web Token)
  • Think of a JWT as a digital ID card sent by the client
  • The validate-jwt policy checks if it's legitimate, unexpired, and from a trusted issuer (e.g., Entra ID)
  • For stronger control: rate-limiting and quota policies
    • These throttle excessive clients, ensuring fair usage and backend protection
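The JWT check and the throttling policies from the list above, combined in one inbound section. This is an added example for this page, not the course's or Microsoft's code. `{tenant-id}` and `{api-client-id}` are placeholders for a real Entra ID tenant and the API's app registration, the `Orders.Read` scope is invented, and the quota assumes the API requires a subscription key (otherwise `context.Subscription` is null).

```xml
<!-- Inbound security and throttling (added example; placeholders in braces) -->
<policies>
    <inbound>
        <base />

        <!-- Reject any request without a valid Entra ID bearer token before it costs backend capacity -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      require-expiration-time="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Access token is missing, expired or invalid">
            <!-- Signing keys are discovered from the tenant's OpenID Connect metadata -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <!-- The token must have been issued for this API, not for some other application -->
            <audiences>
                <audience>api://{api-client-id}</audience>
            </audiences>
            <!-- And by this tenant's issuer, not any issuer that happens to publish keys -->
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
            <!-- And it must carry the scope this API requires (assumed scope name) -->
            <required-claims>
                <claim name="scp" match="any" separator=" ">
                    <value>Orders.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>

        <!-- Burst control: 60 calls per minute per caller, keyed by the token's subject claim
             (runs after validate-jwt, so the subject is already known to be trustworthy) -->
        <rate-limit-by-key calls="60" renewal-period="60"
                           counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject)" />

        <!-- Daily quota: 10,000 calls per subscription over a 24-hour window -->
        <quota-by-key calls="10000" renewal-period="86400"
                      counter-key="@(context.Subscription.Id)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Validating the token before throttling is deliberate: the rate limit is keyed on a claim from the token, so keying on an unverified token would let a caller spread requests across counters by forging the subject. Audience and issuer are both pinned because a token that is signed by the right tenant but issued for a different API should still be refused.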
Outbound policies

  • After backend processing, outbound policies adjust responses before returning
  • Think of it like a restaurant order: request -> kitchen (backend) -> plating station (outbound policies)
  • Outbound policies can:
    • Remove unwanted parts (e.g., sensitive headers)
    • Add instructions (e.g., caching directives)
    • Change format (e.g., convert XML to JSON)

Response data augmentation

Response transformation

  • Responses meet client expectations, regardless of how the backend prepared them
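An outbound section covering the three operations listed above (strip sensitive headers, add caching directives, convert XML to JSON) plus the response augmentation the earlier slide mentions. This is an added example for this page, not the course's code; the `gatewayRegion` field added to the response is an invented name.

```xml
<!-- Outbound response shaping (added example; not from the course) -->
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />

        <!-- Remove headers that reveal backend implementation details to clients -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="Server" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />

        <!-- Add caching directives so clients and CDNs can reuse the response for a minute -->
        <set-header name="Cache-Control" exists-action="override">
            <value>public, max-age=60</value>
        </set-header>

        <!-- Change format: if the backend answered in XML and the client accepts JSON, convert it -->
        <xml-to-json kind="direct" apply="content-type-xml" consider-accept-header="true" />

        <!-- Response augmentation: add a field the backend does not produce,
             but only when the body is JSON at this point in the pipeline -->
        <choose>
            <when condition="@(context.Response.Headers.GetValueOrDefault("Content-Type","").Contains("application/json"))">
                <set-body>@{
                    var body = context.Response.Body.As<JObject>(preserveContent: true);
                    body["gatewayRegion"] = context.Deployment.Region; // assumed field name
                    return body.ToString();
                }</set-body>
            </when>
        </choose>
    </outbound>
    <on-error>
        <base />
        <!-- Error responses generated by the gateway should not leak server details either -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="Server" exists-action="delete" />
    </on-error>
</policies>
```

The XML-to-JSON conversion is placed before the augmentation step on purpose: the `set-body` expression parses the body as JSON, so it must run only after any XML has been converted, which is why the `choose` guard checks the content type as it stands at that point rather than what the backend originally returned. The header deletions are repeated in `on-error` because policies in `outbound` do not run when the gateway itself generates the error response.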

Let's practice!
