Azure API Management (APIM) comes with a rich policy library that lets you manage, secure, and manipulate requests and responses in a centralized and scalable way. With more than 70 policy types, however, it's easy to get lost. In this post, I'll walk you through three real-world scenarios that illustrate how to compose these policies together successfully.

Each case contains a full policy block and a short description of every policy used. Let's begin.

✨ Case 1: Securing and Optimizing an AI-Powered API

Scenario:
You're building an API that connects to Azure OpenAI. The API must be secure, enforce token limits, cache responses intelligently, and log usage for cost control.

```xml
<policies>
  <inbound>
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/YOUR-TENANT/v2.0/.well-known/openid-configuration" />
    </validate-jwt>
    <rate-limit calls="100" renewal-period="60" />
    <azure-openai-token-limit max-tokens="2048" />
    <azure-openai-emit-token-metric name="total_tokens" />
    <azure-openai-semantic-cache-lookup />
    <cache-lookup vary-by-developer="true" />
    <check-header name="x-api-version" failed-check-httpcode="400" failed-check-error-message="Missing API version header">
      <value>v1</value>
    </check-header>
    <set-header name="x-powered-by" exists-action="override">
      <value>AzureAPIM</value>
    </set-header>
  </inbound>
  <backend>
    <forward-request />
  </backend>
  <outbound>
    <cache-store duration="300" />
    <azure-openai-semantic-cache-store />
    <log-to-eventhub logger-id="openai-logger">
      @{ return "Tokens used: " + context.Variables["total_tokens"]; }
    </log-to-eventhub>
  </outbound>
</policies>
```

Explanation:

  • validate-jwt: Ensures only callers presenting a valid token reach the API.
  • rate-limit: Prevents abuse by throttling calls per renewal period.
  • azure-openai-token-limit & azure-openai-emit-token-metric: Enforces the OpenAI token limit and emits token usage metrics.
  • azure-openai-semantic-cache-lookup/store & cache-lookup/store: Layered caching (semantic and exact-match) improves performance and cuts model cost.
  • check-header: Validates that required custom headers are present with an allowed value.
  • set-header: Adds branding info to the request.
  • log-to-eventhub: Sends token usage logs to Event Hub for auditing.

⚡ Case 2: Internal Microservices Gateway with Data Transformations

Scenario:
You’re building a gateway API for internal microservices that include Dapr bindings, Cosmos DB access, and advanced XML/JSON transformations.

```xml
<policies>
  <inbound>
    <authentication-managed-identity resource="https://cosmos.azure.com/" />
    <set-backend-service base-url="https://microservice.internal" />
    <validate-content max-size="102400" />
    <json-to-xml apply="always" />
    <invoke-dapr-binding binding-name="sendEmail" operation="create" />
    <cosmosdb-data-source>
      <sql-query>SELECT * FROM c WHERE c.type = 'event'</sql-query>
    </cosmosdb-data-source>
    <limit-concurrency count="10" />
    <set-variable name="env" value="internal" />
  </inbound>
  <backend>
    <send-request mode="new">
      <set-url>https://other-microservice/api</set-url>
    </send-request>
  </backend>
  <outbound>
    <xml-to-json apply="always" />
    <find-and-replace from="error" to="issue" />
    <emit-metric name="microservice_usage" value="1" />
  </outbound>
</policies>
```

Explanation:

  • authentication-managed-identity: Acquires a managed identity token for Cosmos DB access, so no secrets live in the policy.
  • json-to-xml / xml-to-json: Flexible data formatting between payload types.
  • invoke-dapr-binding: Triggers Dapr components.
  • cosmosdb-data-source: Pulls Cosmos DB query results into the pipeline.
  • limit-concurrency: Prevents backend overload by capping concurrent requests.
  • send-request: Connects to another internal API.
  • find-and-replace: Cleans outbound data.
  • emit-metric: Emits a custom usage metric.

🌎 Case 3: Public API with Quotas, CORS, GraphQL, and CDNs

Scenario:
You expose a public API that integrates GraphQL, uses JWT auth, handles global requests, and relies on caching/CDN.

```xml
<policies>
  <inbound>
    <cors allow-credentials="true">
      <allowed-origins>
        <origin>https://client.app</origin>
      </allowed-origins>
      <allowed-methods>
        <method>GET</method>
        <method>POST</method>
      </allowed-methods>
    </cors>
    <validate-jwt header-name="Authorization">
      <openid-config url="https://login.microsoftonline.com/YOUR-TENANT/v2.0/.well-known/openid-configuration" />
    </validate-jwt>
    <quota-by-key calls="1000" renewal-period="3600" counter-key="@(context.Request.Headers.GetValueOrDefault("x-user-id", "anon"))" />
    <rate-limit-by-key calls="10" renewal-period="60" counter-key="@(context.Request.IpAddress)" />
    <validate-graphql-request />
    <check-header name="x-client-version">
      <value>1.0</value>
    </check-header>
  </inbound>
  <backend>
    <set-backend-service base-url="https://your-api-backend" />
  </backend>
  <outbound>
    <set-header name="Cache-Control" exists-action="override">
      <value>max-age=600</value>
    </set-header>
    <trace source="app-insights" severity="informational" />
    <return-response>
      <set-status code="200" reason="OK" />
    </return-response>
  </outbound>
</policies>
```

Explanation:

  • cors: Enables cross-origin requests from trusted client origins only.
  • validate-jwt: Authenticates public users against the tenant's OpenID configuration.
  • quota-by-key / rate-limit-by-key: Enforces fair usage with a per-user quota and a per-IP rate limit.
  • validate-graphql-request: Ensures only valid GraphQL queries reach the backend.
  • trace: Writes a trace entry for observability.
  • return-response: Terminates pipeline processing and returns the specified response to the caller.
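As an added example that is not part of the original post, a small Python lint that parses a policy document like the ones above and flags the compositions a reviewer would question: throttling placed before validate-jwt, no throttling at all, and quota or rate-limit counter keys read from a client-supplied header (as x-user-id is in Case 3), which the caller can change at will. The sample policy is constructed from the Case 3 inbound section, with the inner quotes encoded as &quot; so a strict XML parser accepts them.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Case 3 inbound section; the inner quotes of
# the counter-key are written as &quot; so that ElementTree accepts the attribute.
SAMPLE_POLICY = """<policies>
  <inbound>
    <validate-jwt header-name="Authorization">
      <openid-config url="https://login.microsoftonline.com/YOUR-TENANT/v2.0/.well-known/openid-configuration" />
    </validate-jwt>
    <quota-by-key calls="1000" renewal-period="3600"
        counter-key="@(context.Request.Headers.GetValueOrDefault(&quot;x-user-id&quot;, &quot;anon&quot;))" />
    <rate-limit-by-key calls="10" renewal-period="60" counter-key="@(context.Request.IpAddress)" />
  </inbound>
  <backend><forward-request /></backend>
  <outbound />
</policies>"""

# Expression fragments that read values the caller sets directly.
CLIENT_CONTROLLED = re.compile(r"context\.Request\.(Headers|Url\.Query)")
THROTTLES = ("rate-limit", "rate-limit-by-key", "quota", "quota-by-key")


def lint_policy(xml_text: str) -> list[str]:
    """Return review findings for one APIM policy document (empty list means clean)."""
    inbound = ET.fromstring(xml_text).find("inbound")
    if inbound is None:
        return ["no <inbound> section"]
    children = list(inbound)
    names = [c.tag for c in children]
    findings = []
    # 1. Authentication should be the first gate: a throttle that runs before
    #    validate-jwt counts traffic the gateway has not yet authenticated.
    if "validate-jwt" not in names:
        findings.append("inbound: no validate-jwt policy")
    else:
        jwt_pos = names.index("validate-jwt")
        for tag in THROTTLES:
            if tag in names and names.index(tag) < jwt_pos:
                findings.append(f"inbound: {tag} runs before validate-jwt")
    # 2. A counter key taken from a header or query string does not bind the
    #    quota to a verified identity; prefer a claim from the validated token.
    for child in children:
        key = child.get("counter-key", "")
        if CLIENT_CONTROLLED.search(key):
            findings.append(f"inbound: {child.tag} counter-key is client-supplied: {key}")
    # 3. Some throttling must exist at all.
    if not any(n in names for n in THROTTLES):
        findings.append("inbound: no rate-limit or quota policy")
    return findings
```

Running `lint_policy(SAMPLE_POLICY)` reports the quota-by-key counter key as client-supplied and nothing else; the per-IP rate limit passes because `context.Request.IpAddress` is not under the caller's control.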

🚀 Final Thoughts

Azure API Management policies give you surgical control over your API’s lifecycle—from security and caching to observability and LLM safety. Use them thoughtfully in layered designs.

If you'd like to go deeper on any policy—or want a complete blueprint for your architecture—just reach out. Let’s build better APIs, one policy at a time.

Follow me for more Azure, API, and cloud-native insights. 🚀