In Azure API Management (APIM), policies are a powerful capability of the system that allow the publisher to change the behavior of the API through configuration. Policies are a collection of Statements that are executed sequentially on the request or response of an API. Popular Statements include format conversion from XML to JSON and call rate limiting to restrict the number of incoming calls from a developer. Many more policies are available out of the box.
Policies are applied inside the gateway, which sits between the API consumer and the managed API. The gateway receives all requests and usually forwards them unaltered to the underlying API. However, a policy can apply changes to both the inbound request and the outbound response.
Policy expressions can be used as attribute values or text values in any of the API Management policies, unless the policy specifies otherwise. Some policies such as the Control flow and Set variable policies are based on policy expressions. For more information, see Advanced policies and Policy expressions.
The policy definition is a simple XML document that describes a sequence of inbound and outbound statements. The XML can be edited directly in the definition window. A list of statements is provided to the right and statements applicable to the current scope are enabled and highlighted.
<policies>
  <inbound>
    <!-- statements to be applied to the request go here -->
  </inbound>
  <backend>
    <!-- statements to be applied before the request is forwarded to
         the backend service go here -->
  </backend>
  <outbound>
    <!-- statements to be applied to the response go here -->
  </outbound>
  <on-error>
    <!-- statements to be applied if there is an error condition go here -->
  </on-error>
</policies>
If there is an error during the processing of a request, any remaining steps in the inbound, backend, or outbound sections are skipped and execution jumps to the statements in the on-error section. By placing policy statements in the on-error section you can review the error by using the context.LastError property, inspect and customize the error response using the set-body policy, and configure what happens if an error occurs. There are error codes for built-in steps and for errors that may occur during the processing of policy statements. For more information, see Error handling in API Management policies.

Policies
- Access restriction policies
  - Check HTTP header - Enforces existence and/or value of an HTTP header.
  - Limit call rate by subscription - Prevents API usage spikes by limiting call rate, on a per subscription basis.
  - Limit call rate by key - Prevents API usage spikes by limiting call rate, on a per key basis.
  - Restrict caller IPs - Filters (allows/denies) calls from specific IP addresses and/or address ranges.
  - Set usage quota by subscription - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis.
  - Set usage quota by key - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.
  - Validate JWT - Enforces existence and validity of a JWT extracted from either a specified HTTP header or a specified query parameter.
- Advanced policies
  - Control flow - Conditionally applies policy statements based on the evaluation of Boolean expressions.
  - Forward request - Forwards the request to the backend service.
  - Limit concurrency - Prevents enclosed policies from executing by more than the specified number of requests at a time.
  - Log to Event Hub - Sends messages in the specified format to a message target defined by a Logger entity.
  - Mock response - Aborts pipeline execution and returns a mocked response directly to the caller.
  - Retry - Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count.
  - Return response - Aborts pipeline execution and returns the specified response directly to the caller.
  - Send one way request - Sends a request to the specified URL without waiting for a response.
  - Send request - Sends a request to the specified URL.
  - Set HTTP proxy - Allows you to route forwarded requests via an HTTP proxy.
  - Set variable - Persists a value in a named context variable for later access.
  - Set request method - Allows you to change the HTTP method for a request.
  - Set status code - Changes the HTTP status code to the specified value.
  - Trace - Adds a string into the API Inspector output.
  - Wait - Waits for enclosed Send request, Get value from cache, or Control flow policies to complete before proceeding.
- Authentication policies
  - Authenticate with Basic - Authenticate with a backend service using Basic authentication.
  - Authenticate with client certificate - Authenticate with a backend service using client certificates.
  - Authenticate with managed identity - Authenticate with a backend service using a managed identity.
- Caching policies
  - Get from cache - Performs a cache lookup and returns a valid cached response when available.
  - Store to cache - Caches the response according to the specified cache control configuration.
  - Get value from cache - Retrieves a cached item by key.
  - Store value in cache - Stores an item in the cache by key.
  - Remove value from cache - Removes an item in the cache by key.
- Cross domain policies
  - Allow cross-domain calls - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.
  - CORS - Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.
  - JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.
- Transformation policies
  - Convert JSON to XML - Converts request or response body from JSON to XML.
  - Convert XML to JSON - Converts request or response body from XML to JSON.
  - Find and replace string in body - Finds a request or response substring and replaces it with a different substring.
  - Mask URLs in content - Rewrites (masks) links in the response body so that they point to the equivalent link via the gateway.
  - Set backend service - Changes the backend service for an incoming request.
  - Set body - Sets the message body for incoming and outgoing requests.
  - Set HTTP header - Assigns a value to an existing response and/or request header or adds a new response and/or request header.
  - Set query string parameter - Adds, replaces the value of, or deletes a request query string parameter.
  - Rewrite URL - Converts a request URL from its public form to the form expected by the web service.
  - Transform XML using an XSLT - Applies an XSL transformation to XML in the request or response body.
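
A filled-in version of the policy skeleton shown earlier, added here as an example (it is not from the original post): it places the Restrict caller IPs, Validate JWT and Limit call rate by key statements in the inbound section and uses on-error with context.LastError and set-body to return a uniform error body. The address range, OpenID configuration URL and audience are placeholders chosen for illustration.

```xml
<policies>
  <inbound>
    <!-- Run policies inherited from the enclosing scope first -->
    <base />
    <!-- Restrict caller IPs: only the listed range may call (placeholder range) -->
    <ip-filter action="allow">
      <address-range from="203.0.113.0" to="203.0.113.255" />
    </ip-filter>
    <!-- Validate JWT: reject requests without a valid, signed, unexpired token -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  require-expiration-time="true"
                  require-signed-tokens="true">
      <!-- Placeholder issuer metadata URL and audience -->
      <openid-config url="https://login.example.test/.well-known/openid-configuration" />
      <audiences>
        <audience>api://example-api</audience>
      </audiences>
    </validate-jwt>
    <!-- Limit call rate by key: 60 calls per 60 seconds per caller IP -->
    <rate-limit-by-key calls="60"
                       renewal-period="60"
                       counter-key="@(context.Request.IpAddress)" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
    <!-- Any failure above skips the remaining steps and lands here.
         Return the short reason code and a request id for correlation,
         not context.LastError.Message, which can carry more detail. -->
    <set-header name="Content-Type" exists-action="override">
      <value>application/json</value>
    </set-header>
    <set-body>@(new JObject(
        new JProperty("error", context.LastError.Reason),
        new JProperty("requestId", context.RequestId.ToString())
      ).ToString())</set-body>
  </on-error>
</policies>
```

Statement order in inbound matters because statements run sequentially: the IP filter and token validation run before the rate-limit counter is touched, so rejected callers do not consume quota.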