Azure API Management (APIM) Policies – Explained Clearly | SupportDeskWorld

Introduction

Azure API Management (APIM) policies are a set of configurable statements that control API behavior at the gateway level. They allow you to enforce security, manage traffic, transform requests and responses, and handle errors without changing your backend code.

1. Inbound – JWT Validation

This policy validates incoming JSON Web Tokens (JWTs) issued by Azure AD or another identity provider. Only requests with a valid token are allowed to reach the backend.
<validate-jwt header-name="Authorization">
    <openid-config url="https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration" />
    <required-claims>
        <claim name="aud" match="any">
            <value>api://1234-5678</value>
        </claim>
    </required-claims>
</validate-jwt>

2. Inbound – Rate Limiting

Protects your backend from overload by limiting the number of requests per subscription or key. Example: Allow 10 requests per minute.
<rate-limit-by-key calls="10" renewal-period="60" counter-key="@(context.Subscription.Key)" />

3. Inbound – CORS

Cross-Origin Resource Sharing (CORS) controls which websites can call your API from a browser. It is enforced by browsers and does not affect backend-to-backend calls.
<cors>
    <allowed-origins>
        <origin>https://myfrontend.com</origin>
    </allowed-origins>
    <allowed-methods>
        <method>GET</method>
        <method>POST</method>
    </allowed-methods>
</cors>

4. Backend – Retry

Automatically retries requests if the backend fails temporarily, helping improve reliability for transient errors like network issues or server overload. retry is a container policy: the call it should repeat (here forward-request) is placed inside it, and the condition is evaluated after each attempt.
<retry condition="@(context.Response == null || context.Response.StatusCode >= 500)" count="3" interval="2">
    <forward-request timeout="30" />
</retry>

5. Backend – Forward Request

Sends the request to the backend API and optionally sets a timeout. Prevents APIM from waiting indefinitely for a slow backend.
<forward-request timeout="30" />

6. Outbound – Modify Response

Changes or adds headers and transforms the response before sending it to the client. Useful for standardizing responses or adding metadata.
<set-header name="X-Processed-By" exists-action="override">
    <value>APIM</value>
</set-header>

7. On-Error – Exception Handling

Handles errors gracefully when the backend or any policy fails. You can customize the status code, headers, and response body to provide meaningful messages to clients.
<on-error>
    <set-status code="500" reason="Internal Server Error" />
    <set-body>Service temporarily unavailable</set-body>
</on-error>
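The seven snippets above are shown in isolation; the following is an added example (not code from the original post) that places them in one complete API-level policy document with the four sections from FAQ 4, and adds the quota-by-key counterpart to rate-limit-by-key from FAQ 8. It assumes the same placeholder tenant, audience and origin as the snippets; the header names, quota figures and the on-error logic are this example's own choices.

```xml
<policies>
    <inbound>
        <base />
        <!-- 3. CORS first, so a browser's OPTIONS preflight (sent without Authorization) is answered before JWT validation -->
        <cors allow-credentials="false">
            <allowed-origins>
                <origin>https://myfrontend.com</origin>
            </allowed-origins>
            <allowed-methods>
                <method>GET</method>
                <method>POST</method>
            </allowed-methods>
            <allowed-headers>
                <header>Authorization</header>
                <header>Content-Type</header>
            </allowed-headers>
        </cors>
        <!-- 1. Reject requests without a valid bearer token for this API ({tenant} is a placeholder) -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
            <openid-config url="https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration" />
            <audiences>
                <audience>api://1234-5678</audience>
            </audiences>
        </validate-jwt>
        <!-- 2. Short-term burst limit per subscription key, plus a daily quota (FAQ 8) on the same key -->
        <rate-limit-by-key calls="10" renewal-period="60" counter-key="@(context.Subscription.Key)" />
        <quota-by-key calls="1000" renewal-period="86400" counter-key="@(context.Subscription.Key)" />
    </inbound>
    <backend>
        <!-- 4 + 5. retry is a container: forward-request is re-run up to 3 times while the condition holds -->
        <retry condition="@(context.Response == null || context.Response.StatusCode >= 500)" count="3" interval="2">
            <forward-request timeout="30" />
        </retry>
    </backend>
    <outbound>
        <base />
        <!-- 6. Add gateway metadata and strip a header that reveals the backend stack -->
        <set-header name="X-Processed-By" exists-action="override">
            <value>APIM</value>
        </set-header>
        <set-header name="X-Powered-By" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
        <!-- 7. Keep validate-jwt's 401; map every other failure to a generic 500 that leaks no backend detail -->
        <set-status code="@(context.LastError.Source == "validate-jwt" ? 401 : 500)" reason="@(context.LastError.Source == "validate-jwt" ? "Unauthorized" : "Internal Server Error")" />
        <set-body>@(context.LastError.Source == "validate-jwt" ? "Unauthorized" : "Service temporarily unavailable")</set-body>
    </on-error>
</policies>
```

Note that the retry condition as written also re-sends POST bodies; restrict it to idempotent methods (for example by adding `context.Request.Method == "GET"`) if the backend is not safe to replay.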

Azure API Management (APIM) Interview FAQs – Most Important Questions

1. What is Azure API Management (APIM)?

Azure API Management is a fully managed service that acts as a gateway between clients and backend services. It provides security, throttling, transformation, monitoring, and versioning without changing backend code.

2. What are APIM policies?

APIM policies are XML-based rules executed at the API gateway that control request and response behavior such as authentication, rate limiting, transformation, retry, and error handling.

3. Where are APIM policies executed?

APIM policies are executed at the gateway layer, before the request reaches the backend service and before the response is returned to the client.

4. What are the main policy sections in APIM?

APIM has four main policy sections: Inbound, Backend, Outbound, and On-Error. Each section controls a specific stage of request processing.

5. What is an Inbound policy used for?

Inbound policies run when a request enters APIM. They are commonly used for JWT validation, rate limiting, IP filtering, CORS configuration, and request transformation.

6. How does JWT validation work in APIM?

APIM validates JWT tokens by checking the token signature, issuer, audience, expiration, and required claims before forwarding the request to the backend.

7. What is rate limiting in APIM?

Rate limiting restricts the number of API calls a client can make within a specific time window to prevent abuse and protect backend services.

8. What is the difference between rate-limit and quota policies?

Rate-limit controls short-term traffic (per second or minute), while quota policies limit the total number of requests over longer periods such as daily or monthly usage.

9. What is CORS policy in APIM?

CORS policy allows browser-based applications from approved domains to access APIs hosted behind APIM. It is enforced by the browser, so it stops scripts from other origins from reading responses; it is not a substitute for authentication.

10. What is a Backend policy?

Backend policies control how APIM communicates with backend services, including retry logic, timeout settings, backend switching, and forwarding rules.

11. What is the retry policy in APIM?

The retry policy automatically retries backend calls when transient errors like HTTP 500 or 503 occur, improving reliability and fault tolerance.

12. What does the forward-request policy do?

The forward-request policy sends the processed request from APIM to the configured backend service after inbound and backend policies are applied.

13. What is an Outbound policy?

Outbound policies run after the backend responds. They are used to modify response headers, transform response bodies, hide internal details, or add custom metadata.

14. What is the On-Error policy in APIM?

On-Error policies handle exceptions and failures during request processing and allow APIM to return clean, user-friendly error messages instead of exposing backend errors.

15. Why are APIM policies important in real-world projects?

APIM policies improve security, scalability, reliability, and maintainability by handling cross-cutting concerns like authentication, throttling, and error handling at the gateway level.
