DEV Community: Martín Belda The latest articles on DEV Community by Martín Belda (@martn_belda_4995b3150f89). https://dev.to/martn_belda_4995b3150f89 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2997815%2F542e316a-10c6-4942-8470-b655122c241c.jpg DEV Community: Martín Belda https://dev.to/martn_belda_4995b3150f89 en Mastering Azure API Management Policies with 3 Practical Cases Martín Belda Tue, 15 Apr 2025 15:40:20 +0000 https://dev.to/martn_belda_4995b3150f89/mastering-azure-api-management-policies-with-3-practical-cases-4g1n https://dev.to/martn_belda_4995b3150f89/mastering-azure-api-management-policies-with-3-practical-cases-4g1n <p>Azure API Management service (APIM) comes with a rich policy library that enables you to manage, secure, and manipulate requests/responses in a centralized and scalable way. With over 70+ types of policies, however, it's easy to be lost. In this post, I'll walk you through 3 real-world, use-case scenarios that illustrate how to successfully compose these policies together.</p> <p>Each case contains a full policy block and a short description of every policy used. Let's begin.</p> <h2> ✨ Case 1: Securing and Optimizing an AI-Powered API </h2> <p><strong>Scenario</strong>:<br> You're building an API that connects to Azure OpenAI. The API must be secure, enforce token limits, cache responses intelligently, and log usage for cost control.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;policies&gt;</span> <span class="nt">&lt;inbound&gt;</span> <span class="nt">&lt;validate-jwt</span> <span class="na">header-name=</span><span class="s">"Authorization"</span> <span class="na">failed-validation-httpcode=</span><span class="s">"401"</span> <span class="na">failed-validation-error-message=</span><span class="s">"Unauthorized"</span><span class="nt">&gt;</span> <span class="nt">&lt;openid-config</span> <span class="na">url=</span><span class="s">"https://login.microsoftonline.com/YOUR-TENANT/v2.0/.well-known/openid-configuration"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/validate-jwt&gt;</span> <span class="nt">&lt;rate-limit</span> <span class="na">calls=</span><span class="s">"100"</span> <span class="na">renewal-period=</span><span class="s">"60"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;azure-openai-token-limit</span> <span class="na">max-tokens=</span><span class="s">"2048"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;azure-openai-emit-token-metric</span> <span class="na">name=</span><span class="s">"total_tokens"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;azure-openai-semantic-cache-lookup</span> <span class="nt">/&gt;</span> <span class="nt">&lt;cache-lookup</span> <span class="na">vary-by-developer=</span><span class="s">"true"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;check-header</span> <span class="na">name=</span><span class="s">"x-api-version"</span> <span class="na">failed-check-httpcode=</span><span class="s">"400"</span> <span class="na">failed-check-error-message=</span><span class="s">"Missing API version header"</span><span class="nt">&gt;</span> <span class="nt">&lt;value&gt;</span>v1<span class="nt">&lt;/value&gt;</span> <span class="nt">&lt;/check-header&gt;</span> <span class="nt">&lt;set-header</span> <span class="na">name=</span><span class="s">"x-powered-by"</span> <span class="na">exists-action=</span><span class="s">"override"</span><span class="nt">&gt;</span> <span class="nt">&lt;value&gt;</span>AzureAPIM<span class="nt">&lt;/value&gt;</span> <span class="nt">&lt;/set-header&gt;</span> <span class="nt">&lt;/inbound&gt;</span> <span class="nt">&lt;backend&gt;</span> <span class="nt">&lt;forward-request</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/backend&gt;</span> <span class="nt">&lt;outbound&gt;</span> <span class="nt">&lt;cache-store</span> <span class="na">duration=</span><span class="s">"300"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;azure-openai-semantic-cache-store</span> <span class="nt">/&gt;</span> <span class="nt">&lt;log-to-eventhub</span> <span class="na">logger-id=</span><span class="s">"openai-logger"</span><span class="nt">&gt;</span> @{ return "Tokens used: " + context.Variables["total_tokens"]; } <span class="nt">&lt;/log-to-eventhub&gt;</span> <span class="nt">&lt;/outbound&gt;</span> <span class="nt">&lt;/policies&gt;</span> </code></pre> </div> <p><strong>Explanation</strong>:</p> <ul> <li> <code>validate-jwt</code>: Ensures only authorized users access the API.</li> <li> <code>rate-limit</code>: Prevents abuse by throttling calls.</li> <li> <code>azure-openai-token-limit</code> &amp; <code>emit-token-metric</code>: Enforces OpenAI token constraints and usage logging.</li> <li> <code>semantic-cache-lookup/store</code> &amp; <code>cache-lookup/store</code>: Layered caching improves performance.</li> <li> <code>check-header</code>: Validates required custom headers.</li> <li> <code>set-header</code>: Adds branding info.</li> <li> <code>log-to-eventhub</code>: Sends logs to Event Hub for auditing.</li> </ul> <h2> ⚡ Case 2: Internal Microservices Gateway with Data Transformations </h2> <p><strong>Scenario</strong>:<br> You’re building a gateway API for internal microservices that include Dapr bindings, Cosmos DB access, and advanced XML/JSON transformations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;policies&gt;</span> <span class="nt">&lt;inbound&gt;</span> <span class="nt">&lt;authentication-managed-identity</span> <span class="na">resource=</span><span class="s">"https://cosmos.azure.com/"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;set-backend-service</span> <span class="na">base-url=</span><span class="s">"https://microservice.internal"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;validate-content</span> <span class="na">max-size=</span><span class="s">"102400"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;json-to-xml</span> <span class="na">apply=</span><span class="s">"always"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;invoke-dapr-binding</span> <span class="na">binding-name=</span><span class="s">"sendEmail"</span> <span class="na">operation=</span><span class="s">"create"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;cosmosdb-data-source&gt;</span> <span class="nt">&lt;query&gt;</span>SELECT * FROM c WHERE c.type = 'event'<span class="nt">&lt;/query&gt;</span> <span class="nt">&lt;/cosmosdb-data-source&gt;</span> <span class="nt">&lt;limit-concurrency</span> <span class="na">count=</span><span class="s">"10"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;set-variable</span> <span class="na">name=</span><span class="s">"env"</span> <span class="na">value=</span><span class="s">"internal"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/inbound&gt;</span> <span class="nt">&lt;backend&gt;</span> <span class="nt">&lt;send-request</span> <span class="na">mode=</span><span class="s">"new"</span><span class="nt">&gt;</span> <span class="nt">&lt;set-url&gt;</span>https://other-microservice/api<span class="nt">&lt;/set-url&gt;</span> <span class="nt">&lt;/send-request&gt;</span> <span class="nt">&lt;/backend&gt;</span> <span class="nt">&lt;outbound&gt;</span> <span class="nt">&lt;xml-to-json</span> <span class="na">apply=</span><span class="s">"always"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;find-and-replace</span> <span class="na">from=</span><span class="s">"error"</span> <span class="na">to=</span><span class="s">"issue"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;emit-metric</span> <span class="na">name=</span><span class="s">"microservice_usage"</span> <span class="na">value=</span><span class="s">"1"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/outbound&gt;</span> <span class="nt">&lt;/policies&gt;</span> </code></pre> </div> <p><strong>Explanation</strong>:</p> <ul> <li> <code>authentication-managed-identity</code>: Secure Cosmos DB access.</li> <li> <code>json-to-xml / xml-to-json</code>: Flexible data formatting.</li> <li> <code>invoke-dapr-binding</code>: Triggers Dapr components.</li> <li> <code>cosmosdb-data-source</code>: Pulls data into pipeline.</li> <li> <code>limit-concurrency</code>: Prevents overload.</li> <li> <code>send-request</code>: Connects to another internal API.</li> <li> <code>find-and-replace</code>: Cleans outbound data.</li> <li> <code>emit-metric</code>: Custom usage metric.</li> </ul> <h2> 🌎 Case 3: Public API with Quotas, CORS, GraphQL, and CDNs </h2> <p><strong>Scenario</strong>:<br> You expose a public API that integrates GraphQL, uses JWT auth, handles global requests, and relies on caching/CDN.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;policies&gt;</span> <span class="nt">&lt;inbound&gt;</span> <span class="nt">&lt;cors</span> <span class="na">allow-credentials=</span><span class="s">"true"</span><span class="nt">&gt;</span> <span class="nt">&lt;allowed-origins&gt;</span> <span class="nt">&lt;origin&gt;</span>https://client.app<span class="nt">&lt;/origin&gt;</span> <span class="nt">&lt;/allowed-origins&gt;</span> <span class="nt">&lt;allowed-methods&gt;</span> <span class="nt">&lt;method&gt;</span>GET<span class="nt">&lt;/method&gt;</span> <span class="nt">&lt;method&gt;</span>POST<span class="nt">&lt;/method&gt;</span> <span class="nt">&lt;/allowed-methods&gt;</span> <span class="nt">&lt;/cors&gt;</span> <span class="nt">&lt;validate-jwt</span> <span class="na">header-name=</span><span class="s">"Authorization"</span><span class="nt">&gt;</span> <span class="nt">&lt;openid-config</span> <span class="na">url=</span><span class="s">"https://login.microsoftonline.com/YOUR-TENANT/v2.0/.well-known/openid-configuration"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/validate-jwt&gt;</span> <span class="nt">&lt;quota-by-key</span> <span class="na">calls=</span><span class="s">"1000"</span> <span class="na">renewal-period=</span><span class="s">"3600"</span> <span class="na">counter-key=</span><span class="s">"@(context.Request.Headers.GetValueOrDefault("</span><span class="err">x-user-id",</span> <span class="err">"anon"))"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;rate-limit-by-key</span> <span class="na">calls=</span><span class="s">"10"</span> <span class="na">renewal-period=</span><span class="s">"60"</span> <span class="na">counter-key=</span><span class="s">"@(context.Request.IpAddress)"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;validate-graphql-request</span> <span class="nt">/&gt;</span> <span class="nt">&lt;check-header</span> <span class="na">name=</span><span class="s">"x-client-version"</span><span class="nt">&gt;</span> <span class="nt">&lt;value&gt;</span>1.0<span class="nt">&lt;/value&gt;</span> <span class="nt">&lt;/check-header&gt;</span> <span class="nt">&lt;/inbound&gt;</span> <span class="nt">&lt;backend&gt;</span> <span class="nt">&lt;set-backend-service</span> <span class="na">base-url=</span><span class="s">"https://your-api-backend"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/backend&gt;</span> <span class="nt">&lt;outbound&gt;</span> <span class="nt">&lt;set-header</span> <span class="na">name=</span><span class="s">"Cache-Control"</span> <span class="na">exists-action=</span><span class="s">"override"</span><span class="nt">&gt;</span> <span class="nt">&lt;value&gt;</span>max-age=600<span class="nt">&lt;/value&gt;</span> <span class="nt">&lt;/set-header&gt;</span> <span class="nt">&lt;trace</span> <span class="na">source=</span><span class="s">"app-insights"</span> <span class="na">severity=</span><span class="s">"informational"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;return-response&gt;</span> <span class="nt">&lt;set-status</span> <span class="na">code=</span><span class="s">"200"</span> <span class="na">reason=</span><span class="s">"OK"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/return-response&gt;</span> <span class="nt">&lt;/outbound&gt;</span> <span class="nt">&lt;/policies&gt;</span> </code></pre> </div> <p><strong>Explanation</strong>:</p> <ul> <li> <code>cors</code>: Enables cross-origin requests from trusted clients.</li> <li> <code>validate-jwt</code>: Authenticates public users.</li> <li> <code>quota-by-key</code> / <code>rate-limit-by-key</code>: Enforces fair usage.</li> <li> <code>validate-graphql-request</code>: Ensures valid GraphQL queries.</li> <li> <code>trace</code>: Adds observability.</li> <li> <code>return-response</code>: Ends the pipeline cleanly.</li> </ul> <h2> 🚀 Final Thoughts </h2> <p>Azure API Management policies give you surgical control over your API’s lifecycle—from security and caching to observability and LLM safety. Use them thoughtfully in layered designs.</p> <p>If you'd like to go deeper on any policy—or want a complete blueprint for your architecture—just reach out. Let’s build better APIs, one policy at a time.</p> <p>Follow me for more Azure, API, and cloud-native insights. 🚀</p>