Overview

A policy can be enforced on an API to perform specific tasks, such as transport, security, logging, routing of requests to target services, and transformation of data from one format to another. You can also define a policy to evaluate and process the various API invocations at run-time. For example, a policy could instruct API Gateway to perform any of the following tasks and prevent malicious attacks:

Verify that the requests submitted to an API come from applications that are authenticated and authorized using the specified set of identifiers in the HTTP header to access and use the particular API.

Monitor a user-specified set of run-time performance conditions and limit the number of invocations during a specified time interval for a particular API and for applications, and send alerts to a specified destination when these performance conditions are violated.

Policies are grouped into stages as per their usage. For example, the policies in a Threat Protection stage can be enforced for all APIs to protect against malicious attacks that could cause problems such as, large and recursive payloads, viruses, scanning with external systems, and SQL injections. The policies in the Identify and Access stage can be enforced on an API to specify the kind of identifiers that are used to identify the application and authorize it against all applications registered in API Gateway.

Policy enforcement mode

You can enforce policies in an API in the following ways:

Global Policies: You can apply a global policy to all APIs or the selected set of APIs. You do this by configuring the filters for the API and the policy configuration in the Global Policy details page. The global policies apply globally to the selected APIs.

Policy Templates: You can apply one or more policy templates to an API. You do this by applying the policy templates in the API details page. These policy templates apply at the API-level, and can be customized to suit the needs of a particular API.

API-specific Policies: You can apply one or more individual policies to an API. You do this by applying the policies in the API details page. These policies apply at the API-level, and can be customized to suit the needs of a particular API.

API Scope-specific Policies: You can apply one or more policies at the scope-level of an API. You do this by defining the API scopes with a collective set of resources, methods, or operations in the API details page. These policies apply at the corresponding resource-level, method-level, or operation-level, and can be customized to suit the needs of an individual API scope.

After you apply the policies both globally (through global policies) and directly (through API-level policies and scope-level policies) to an API, API Gateway determines the effective set of policies for that API by taking into account the precedence of policy enforcement at the API-level, the policy stages, the priority of policies, run-time constraints, and the status (activated or deactivated) of any applied global policy.

When you apply the Transport policy at the global level, the Transport policy applied at the API level is in the disabled state. When you try deleting the API-level Transport policy that is in the disabled state an error displays and you are not allowed to delete this policy as the API-level Transport policy is required and gets enforced when you deactivate the global policy.

You can enforce policies on an API at the following levels:

Resource-level (Scope-specific) Policy Enforcement: Applicable only for REST APIs. This enforcement applies to one or more resources and its nested methods in the REST API.

Method-level (Scope-specific) Policy Enforcement: Applicable only for REST APIs. This enforcement applies to one or more methods nested within a resource in the REST API.

For example, if an API was given the Identify and Authorize Application policy at the following policy enforcement levels:

The precedence of the policy enforcement which are effective for the API at run-time is as follows:

If the API has the Identify and Authorize Application policy applied through both a global policy and at the API-level, API Gateway does not show conflict. The Identify and Authorize Application policy applied through the global policy takes precedence and is processed at run-time.

Similarly for a REST API, Identify and Authorize Application policy is applied through a scope-level policy (at the resource-level) and also at the API-level, the Identify and Authorize Application policy applied through the scope-level policy takes precedence and is processed at run-time.

Transaction logging policy

API Gateway provides a system global policy, Transaction logging, which is shipped with the product. By default, the policy is in the Inactive state. The transaction logging policy has standard filters and log invocation policy that log request or response payloads to a specified destination. You can edit this policy to include additional filters or modify the policy properties but you cannot delete this policy. You can activate this policy in the Polices > Global policies page or through the Global Policy details page. Activating the policy enforces it on all APIs in API Gateway based on the configured filters and logs transactions across all the APIs. If you have multiple log invocation policies assigned to an API, the policies are compiled into a single policy and the one transaction log is created per destination.