Policy Overview



2 minute read

Policies are hooks to an API which you can punch at differnt levels of execution. They are powerful capabilities to an API publisher that can impose some change in behavior of an API. Policies are collection of statements which are execued sequentially on the request or response of an API. They are applied either before execution of actual action (stated as InBound policies) or after the actual action has been executed (termed as Outbound Policies). Some policies can change the Http Pipeline of an API execution altogether.

Understanding Policies

To understand policy infrastructure of an API let us dig deep into how the Http Pipeline of an API looks like Api Policy Pipeline

In the above image, it is eminent that when a request is received to the API gateway, it goes through the pipeline first to authentication through user registry, then execute Inbound policies, next it executes the backend action to generate the response in XML format, executes the Outbound policies and finally returns the response back to the caller.

Note: Policies execute in sequential order, you can change the sequence anytime just to ensure the policies are configured correctly

The policies are of two types:

Inbound Policy

If the policies are applied before executing the actual action in the backend, the policy is termed as Inbound policy.

Outbound Policy

If a policy is applied after the execution of backend action and the response result set is already generated, the policy is termed as Outbound policy.

Policy References

Name Description Applied for Is Mandatory Scope
Throttling Policy Throttling applies to certain user such that after a fixed number of calls, the API will automatically throttle. Read More Inbound No Operation
IP Restrict Policy Allows the user to provide IP range which will automatically restrict callsRead More Inbound No Operation
ValidateHttpHeader Policy Validates a fixed header on a request ReadMore Inbound No Operation
Compression Policy Allows compressed response when browser accepts compression Read More Outbound No Operation
ResponseFormatConversion Policy Replies data in format requested Read More Outbound No Operation

Policy Scope

Policy scope is the area where the policies can be applied. The scope can be of different types :

Scope Description Overrides
Operation Applies to leaf level of an API, for example, when Customer is an API, Operation is GET of a Customer. Yes
API Applies to a particular API and automatically override all Operation of the API Yes
Organization Applies to all APIs of an organization Yes
Base Applies to all organization irrespective of any API No

Once Inboundspecifies the scope of the policy to be applied before execution of main data source and Outboundspecifies it after the execution of main data source.

NOTE: Do not validate a request in Outbound scope, as it will always consume your resources and response time will be increased.