Events
Mar 17, 11 PM - Mar 21, 11 PM
Join the meetup series to build scalable AI solutions based on real-world use cases with fellow developers and experts.
Register nowThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
APPLIES TO: All API Management tiers
This section provides brief descriptions and links to reference articles for all API Management policies. The API Management gateways that support each policy are indicated. For detailed policy settings and examples, see the linked reference articles.
More information about policies:
Important
Limit call rate by subscription and Set usage quota by subscription have a dependency on the subscription key. A subscription key isn't required when other policies are applied.
Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace |
---|---|---|---|---|---|---|
Limit call rate by subscription | Prevents API usage spikes by limiting call rate, on a per subscription basis. | Yes | Yes | Yes | Yes | Yes |
Limit call rate by key | Prevents API usage spikes by limiting call rate, on a per key basis. | Yes | Yes | No | Yes | Yes |
Set usage quota by subscription | Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis. | Yes | Yes | Yes | Yes | Yes |
Set usage quota by key | Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis. | Yes | No | No | Yes | Yes |
Limit concurrency | Prevents enclosed policies from executing by more than the specified number of requests at a time. | Yes | Yes | Yes | Yes | Yes |
Limit Azure OpenAI Service token usage | Prevents Azure OpenAI API usage spikes by limiting large language model tokens per calculated key. | Yes | Yes | No | Yes | Yes |
Limit large language model API token usage | Prevents large language model (LLM) API usage spikes by limiting LLM tokens per calculated key. | Yes | Yes | No | Yes | Yes |
Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace |
---|---|---|---|---|---|---|
Check HTTP header | Enforces existence and/or value of an HTTP header. | Yes | Yes | Yes | Yes | Yes |
Get authorization context | Gets the authorization context of a specified connection to a credential provider configured in the API Management instance. | Yes | Yes | Yes | No | No |
Restrict caller IPs | Filters (allows/denies) calls from specific IP addresses and/or address ranges. | Yes | Yes | Yes | Yes | Yes |
Validate Microsoft Entra token | Enforces existence and validity of a Microsoft Entra (formerly called Azure Active Directory) JWT extracted from either a specified HTTP header, query parameter, or token value. | Yes | Yes | Yes | Yes | Yes |
Validate JWT | Enforces existence and validity of a JWT extracted from either a specified HTTP header, query parameter, or token value. | Yes | Yes | Yes | Yes | Yes |
Validate client certificate | Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims. | Yes | Yes | Yes | Yes | Yes |
Authenticate with Basic | Authenticates with a backend service using Basic authentication. | Yes | Yes | Yes | Yes | Yes |
Authenticate with client certificate | Authenticates with a backend service using client certificates. | Yes | Yes | Yes | Yes | Yes |
Authenticate with managed identity | Authenticates with a backend service using a managed identity. | Yes | Yes | Yes | Yes | No |
Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace |
---|---|---|---|---|---|---|
Validate content | Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML. | Yes | Yes | Yes | Yes | Yes |
Validate GraphQL request | Validates and authorizes a request to a GraphQL API. | Yes | Yes | Yes | Yes | No |
Validate OData request | Validates a request to an OData API to ensure conformance with the OData specification. | Yes | Yes | Yes | Yes | Yes |
Validate parameters | Validates the request header, query, or path parameters against the API schema. | Yes | Yes | Yes | Yes | Yes |
Validate headers | Validates the response headers against the API schema. | Yes | Yes | Yes | Yes | Yes |
Validate status code | Validates the HTTP status codes in responses against the API schema. | Yes | Yes | Yes | Yes | Yes |
Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace |
---|---|---|---|---|---|---|
Forward request | Forwards the request to the backend service. | Yes | Yes | Yes | Yes | Yes |
Set backend service | Changes the backend service base URL of an incoming request to a URL or a backend. Referencing a backend resource allows you to manage the backend service base URL and other settings in a single place. Also implement load balancing of traffic across a pool of backend services and circuit breaker rules to protect the backend from too many requests. | Yes | Yes | Yes | Yes | Yes |
Set HTTP proxy | Allows you to route forwarded requests via an HTTP proxy. | Yes | Yes | Yes | Yes | Yes |
Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace |
---|---|---|---|---|---|---|
Get from cache | Performs cache lookup and return a valid cached response when available. | Yes | Yes | Yes | Yes | Yes |
Store to cache | Caches response according to the specified cache control configuration. | Yes | Yes | Yes | Yes | Yes |
Get value from cache | Retrieves a cached item by key. | Yes | Yes | Yes | Yes | Yes |
Store value in cache | Stores an item in the cache by key. | Yes | Yes | Yes | Yes | Yes |
Remove value from cache | Removes an item in the cache by key. | Yes | Yes | Yes | Yes | Yes |
Get cached responses of Azure OpenAI API requests | Performs lookup in Azure OpenAI API cache using semantic search and returns a valid cached response when available. | Yes | Yes | Yes | Yes | No |
Store responses of Azure OpenAI API requests to cache | Caches response according to the Azure OpenAI API cache configuration. | Yes | Yes | Yes | Yes | No |
Get cached responses of large language model API requests | Performs lookup in large language model API cache using semantic search and returns a valid cached response when available. | Yes | Yes | Yes | Yes | No |
Store responses of large language model API requests to cache | Caches response according to the large language model API cache configuration. | Yes | Yes | Yes | Yes | No |
Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace |
---|---|---|---|---|---|---|
Set request method | Allows you to change the HTTP method for a request. | Yes | Yes | Yes | Yes | Yes |
Set status code | Changes the HTTP status code to the specified value. | Yes | Yes | Yes | Yes | Yes |
Set variable | Persists a value in a named context variable for later access. | Yes | Yes | Yes | Yes | Yes |
Set body | Sets the message body for a request or response. | Yes | Yes | Yes | Yes | Yes |
Set HTTP header | Assigns a value to an existing response and/or request header or adds a new response and/or request header. | Yes | Yes | Yes | Yes | Yes |
Set query string parameter | Adds, replaces value of, or deletes request query string parameter. | Yes | Yes | Yes | Yes | Yes |
Rewrite URL | Converts a request URL from its public form to the form expected by the web service. | Yes | Yes | Yes | Yes | Yes |
Convert JSON to XML | Converts request or response body from JSON to XML. | Yes | Yes | Yes | Yes | Yes |
Convert XML to JSON | Converts request or response body from XML to JSON. | Yes | Yes | Yes | Yes | Yes |
Find and replace string in body | Finds a request or response substring and replaces it with a different substring. | Yes | Yes | Yes | Yes | Yes |
Mask URLs in content | Rewrites (masks) links in the response body so that they point to the equivalent link via the gateway. | Yes | Yes | Yes | Yes | Yes |
Transform XML using an XSLT | Applies an XSL transformation to XML in the request or response body. | Yes | Yes | Yes | Yes | Yes |
Return response | Aborts pipeline execution and returns the specified response directly to the caller. | Yes | Yes | Yes | Yes | Yes |
Mock response | Aborts pipeline execution and returns a mocked response directly to the caller. | Yes | Yes | Yes | Yes | Yes |
Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace |
---|---|---|---|---|---|---|
Allow cross-domain calls | Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients. | Yes | Yes | Yes | Yes | Yes |
CORS | Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients. | Yes | Yes | Yes | Yes | Yes |
JSONP | Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients. | Yes | Yes | Yes | Yes | Yes |
Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace |
---|---|---|---|---|---|---|
Send request | Sends a request to the specified URL. | Yes | Yes | Yes | Yes | Yes |
Send one way request | Sends a request to the specified URL without waiting for a response. | Yes | Yes | Yes | Yes | Yes |
Log to event hub | Sends messages in the specified format to an event hub defined by a Logger entity. | Yes | Yes | Yes | Yes | Yes |
Send request to a service (Dapr) | Uses Dapr runtime to locate and reliably communicate with a Dapr microservice. To learn more about service invocation in Dapr, see the description in this README file. | No | No | No | Yes | No |
Send message to Pub/Sub topic (Dapr) | Uses Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this README file. | No | No | No | Yes | No |
Trigger output binding (Dapr) | Uses Dapr runtime to invoke an external system via output binding. To learn more about bindings in Dapr, see the description in this README file. | No | No | No | Yes | No |
Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace |
---|---|---|---|---|---|---|
Trace | Adds custom traces into the request tracing output in the test console, Application Insights telemetries, and resource logs. | Yes | Yes1 | Yes | Yes | Yes |
Emit metrics | Sends custom metrics to Application Insights at execution. | Yes | Yes | Yes | Yes | Yes |
Emit Azure OpenAI token metrics | Sends metrics to Application Insights for consumption of large language model tokens through Azure OpenAI service APIs. | Yes | Yes | No | Yes | Yes |
Emit large language model API token metrics | Sends metrics to Application Insights for consumption of large language model (LLM) tokens through LLM APIs. | Yes | Yes | No | Yes | Yes |
1 In the V2 gateway, the trace
policy currently does not add tracing output in the test console.
Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace |
---|---|---|---|---|---|---|
Azure SQL data source for resolver | Configures the Azure SQL request and optional response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | No | No | No |
Cosmos DB data source for resolver | Configures the Cosmos DB request and optional response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | No | No | No |
HTTP data source for resolver | Configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | Yes | No | No |
Publish event to GraphQL subscription | Publishes an event to one or more subscriptions specified in a GraphQL API schema. Configure the policy in a GraphQL resolver for a related field in the schema for another operation type such as a mutation. | Yes | Yes | Yes | No | No |
Policy | Description | Classic | V2 | Consumption | Self-hosted | Workspace |
---|---|---|---|---|---|---|
Control flow | Conditionally applies policy statements based on the results of the evaluation of Boolean expressions. | Yes | Yes | Yes | Yes | Yes |
Include fragment | Inserts a policy fragment in the policy definition. | Yes | Yes | Yes | Yes | Yes |
Retry | Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count. | Yes | Yes | Yes | Yes | Yes |
Wait | Waits for enclosed Send request, Get value from cache, or Control flow policies to complete before proceeding. | Yes | Yes | Yes | Yes | Yes |
For more information about working with policies, see:
Events
Mar 17, 11 PM - Mar 21, 11 PM
Join the meetup series to build scalable AI solutions based on real-world use cases with fellow developers and experts.
Register nowTraining
Module
Protect your APIs on Azure API Management - Training
Protect your backend APIs from information exposure and implement throttling (rate limiting) to prevent resource exhaustion with policies in Azure API Management.
Certification
Microsoft Certified: Azure Cosmos DB Developer Specialty - Certifications
Write efficient queries, create indexing policies, manage, and provision resources in the SQL API and SDK with Microsoft Azure Cosmos DB.