Policies are hooks to an API which you can punch at differnt levels of execution. They are powerful capabilities to an API publisher that can impose some change in behavior of an API. Policies are collection of statements which are execued sequentially on the request or response of an API. They are applied either before execution of actual action (stated as InBound policies) or after the actual action has been executed (termed as Outbound Policies). Some policies can change the Http Pipeline of an API execution altogether.
To understand policy infrastructure of an API let us dig deep into how the Http Pipeline of an API looks like
In the above image, it is eminent that when a request is received to the API gateway, it goes through the pipeline
first to authentication through user registry, then execute
Inbound policies, next it executes the backend action
to generate the response in XML format, executes the
Outbound policies and finally returns the response
back to the caller.
Note: Policies execute in sequential order, you can change the sequence anytime just to ensure the policies are configured correctly
The policies are of two types:
If the policies are applied before executing the actual action in the backend, the policy is termed as
If a policy is applied after the execution of backend action and the response result set is already generated,
the policy is termed as
|Name||Description||Applied for||Is Mandatory||Scope|
|Throttling Policy||Throttling applies to certain user such that after a fixed number of calls, the API will automatically throttle. Read More||
|IP Restrict Policy||Allows the user to provide IP range which will automatically restrict callsRead More||
|ValidateHttpHeader Policy||Validates a fixed header on a request ReadMore||
|Compression Policy||Allows compressed response when browser accepts compression Read More||
|ResponseFormatConversion Policy||Replies data in format requested Read More||
Policy scope is the area where the policies can be applied. The scope can be of different types :
|Operation||Applies to leaf level of an API, for example, when
|API||Applies to a particular API and automatically override all
|Organization||Applies to all APIs of an organization||Yes|
|Base||Applies to all organization irrespective of any API||No|
Inboundspecifies the scope of the policy to be applied before execution of main data source and
Outboundspecifies it after the execution of main data source.
NOTE: Do not validate a request in
Outbound scope, as it will always consume your resources and response time will be increased.